Starting and stopping ICSF

To start ICSF, issue the operator START command. You must issue the START command after each IPL. When you issue the START command, verification tests check that the master key in each coprocessor is the same as the master key that enciphered the cryptographic key data set (CKDS) and that the hash patterns in each coprocessor is the same as the hash pattern of the master key that enciphered the PKA key data set (PKDS).

There are four CCA master keys: DES, RSA, AES and ECC. The DES and RSA master keys are available on all coprocessors. The availability of the AES and ECC master keys depends on your server and the CCA licenced internal code loaded in the coprocessors.

The coprocessor activation procedure will use the master key verification patterns (MKVP) in the header record of the CKDS and PKDS to determine which coprocessors become active. If the MKVP of a master key is in the CKDS or PKDS, that master key must be loaded and the verification pattern of the current master key register must match the MKVP in the CKDS or PKDS. If all of the MKVPs in the CKDS and PKDS match the current master key registers, the coprocessor will become active. Otherwise, the status of the coprocessor is 'Master key incorrect'.

This applies to all master keys that the coprocessor supports. When there is a MKVP in the CKDS or PKDS and the coprocessor doesn't support that master key, it is ignored. When a MKVP is not in the CKDS or PKDS, the master key is ignored.

A migration health check is available to find any coprocessors that will not become active when starting HCR77A1. The ICSFMIG77A1_COPROCESSOR_ACTIVE migration check is available for HCR7770, HR7780, HCR7790, and HCR77A0.

For Enterprise PKCS #11 (EP11) coprocessor, ICSF uses the master key validation pattern (MKVP) in the header record of the TKDS to determine which EP11 coprocessors to make active. An EP11 coprocessor is active if the MKVP in the current master key register matched the MKVP in the header record of the TKDS or the TKDS has not been initialized.

When ICSF successfully starts, a message that indicates that initialization is complete appears on the console.

This example shows the format of the START command to start ICSF, assuming that CSF is the name of the start procedure:
   START CSF
Note: To reuse ASIDs the REUSASID parameter can be added to the START comment:
START CSF,REUSASID=YES

You can start ICSF only as a started task.

To stop ICSF, issue the operator STOP command. After you issue the command, all ICSF processing stops. If ICSF stops successfully, a message that states that ICSF is stopped appears on the console.

This example shows the format of the STOP command to stop ICSF, assuming that CSF is the name of the started procedure:
   STOP CSF
Note:
  1. If a problem is detected with a cryptographic coprocessor or with an accelerator during initialization, then a CSFM540I message is generated and the device is bypassed.
  2. A Health Check, ICSF_COPROCESSOR_STATE_NEGCHANGE, monitors the state of the coprocessors and accelerators on a daily basis to detect a negative change in state.
  3. If ICSF is unresponsive to the STOP command, be aware that you will not be able to use the CANCEL command to stop ICSF processing. Instead, use the force command:
    FORCE csfproc,arm
  4. The ICSF_MASTER_KEY_CONSISTENCY health check evaluates the master key states of the coprocessors to detect potential master key problems. For more information about this health check, see z/OS Cryptographic Services ICSF Administrator's Guide.