Type: Migration
Initial State: Inactive
Interval: One Time
This is a migration check introduced in APAR OA39489. The check
detects inconsistencies in the states of the cryptographic coprocessor
master keys. The check is intended to warn the user of potential problems
when migrating from pre-HCR7780 releases of ICSF to the HCR7780, HCR7790,
or HCR77A0 releases of ICSF. The check is inactive when ICSF is started.
When activated, it performs a one-time check on the states of the
coprocessor master keys. If a master key is not consistent across
the available coprocessors, a problem condition is assumed and a health
checker exception message is generated for the administrator's attention.
The following master key states are defined for use in describing
this migration health check: available ('A'), correct ('C'), error
('E'), uninitialized ('U'), or not supported ( - ).
- Available: Indicates that the master key matches the key used in the CKDS/PKDS
  and is available for use.
- Correct: Indicates that the key matches the key used in the CKDS/PKDS,
  but is not available for use.
- Error: Indicates that the key does not match the key used in the CKDS/PKDS.
- Uninitialized: Indicates that the key has not been set.
Table 1 and Table 2 illustrate a problem scenario.
The pre-HCR7780 releases of ICSF require a DES master
key. For these releases, the G01 coprocessor is active since it has
the DES master key set, but the G00 and G02 coprocessors are not active
because they do not have the DES master key set. Because all four
master keys are valid for the G01 coprocessor, all four master keys
are available.
Table 1. Coprocessor/Master Key configuration on a pre-HCR7780 system

| Coprocessor \ Master Key | Coprocessor State | AES | DES | ECC | RSA |
|---|---|---|---|---|---|
| G00 | Online | C | U | C | C |
| G01 | Active | A | A | A | A |
| G02 | Online | C | U | C | U |

When a non-CCF system is migrated to the HCR7780, HCR7790, or HCR77A0
releases of ICSF, the master key states change. The migrated system will
have all three coprocessors active; however, not all master keys will
be available. The DES and RSA master keys will not be available.
These keys are unavailable because they are not set on all active
coprocessors.
Table 2. Coprocessor/Master Key configuration on a HCR7780, HCR7790, or HCR77A0 release of ICSF

| Coprocessor \ Master Key | Coprocessor State | AES | DES | ECC | RSA |
|---|---|---|---|---|---|
| G00 | Active | A | U | A | C |
| G01 | Active | A | C | A | C |
| G02 | Active | A | U | A | U |

The ICSFMIG_MASTER_KEY_CONSISTENCY health check detects problem
states and generates health check exception messages indicating a
problem with the DES and RSA master keys because these keys are not
consistent across the coprocessors.
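The comparison described above can be modeled over the rows of Table 1 and Table 2. This is an added example, not IBM's implementation of the check; the function names are hypothetical, and it assumes that 'A' and 'C' count as the same condition (the key matches the CKDS/PKDS) and that Online and Active coprocessors are both compared.

```python
# Added illustration; not IBM's implementation of ICSFMIG_MASTER_KEY_CONSISTENCY.
MASTER_KEYS = ("AES", "DES", "ECC", "RSA")

# Assumption: 'A' and 'C' both mean the key matches the CKDS/PKDS, so they
# are treated as the same condition when comparing coprocessors.
STATE_CLASS = {"A": "match", "C": "match", "E": "mismatch", "U": "unset"}

# Constructed sample input: the rows of Table 1 and Table 2.
TABLE_1 = """\
G00 | Online | C | U | C | C
G01 | Active | A | A | A | A
G02 | Online | C | U | C | U"""
TABLE_2 = """\
G00 | Active | A | U | A | C
G01 | Active | A | C | A | C
G02 | Active | A | U | A | U"""


def parse_rows(text):
    """Return {coprocessor: (coprocessor_state, {master_key: state_code})}."""
    rows = {}
    for line in text.strip().splitlines():
        name, cp_state, *codes = [cell.strip() for cell in line.split("|")]
        if len(codes) != len(MASTER_KEYS):
            raise ValueError(f"expected {len(MASTER_KEYS)} key states: {line!r}")
        rows[name] = (cp_state, dict(zip(MASTER_KEYS, codes)))
    return rows


def inconsistent_keys(rows, usable=("Online", "Active")):
    """Map each inconsistent master key to its per-coprocessor state codes."""
    findings = {}
    for key in MASTER_KEYS:
        # Assumption: Online and Active coprocessors are compared; '-' means
        # the key type is not supported on that coprocessor and is skipped.
        seen = {name: keys[key] for name, (cp_state, keys) in rows.items()
                if cp_state in usable and keys[key] != "-"}
        if len({STATE_CLASS[code] for code in seen.values()}) > 1:
            findings[key] = seen
    return findings


def expected_message(findings):
    """Message ID the page associates with each outcome."""
    return "CSFH0015E" if findings else "CSFH0014I"


if __name__ == "__main__":
    for label, table in (("Table 1", TABLE_1), ("Table 2", TABLE_2)):
        found = inconsistent_keys(parse_rows(table))
        print(label, expected_message(found), found)
```

Under these assumptions both tables flag the DES and RSA master keys, which is the condition the check is meant to surface before the migration rather than after it.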
When the Health Check is run, one of the following messages is
generated:
- The CSFH0014I message is generated if there are no problems.
- The CSFH0015E message is generated if there is a potential master
key problem.
- The CSFH0016E message is generated if the system is unable to
process the requested check.