ICSF_MASTER_KEY_CONSISTENCY

Type: Status

Initial State: Active

Interval: Daily

This is a master key health check. The check detects inconsistencies in the states of the coprocessor master keys. The check is activated when the ICSF task is started and runs on a periodic (daily) basis. The check determines when the state of a master key on at least one coprocessor is not in accord with the state on the other coprocessors.

The master key states for the coprocessors are displayed on the ICSF Coprocessor Management panel. The states can be available ("A"), correct ("C"), error ("E"), uninitialized ("U") or not supported ( - ). Available indicates that the master key loaded on the Coprocessor matches the master key used in the CKDS/PKDS/TKDS and is available for use. Correct indicates that the key matches the key used in the CKDS/PKDS/TKDS but is not available for use. Error indicates that the key does not match the key used in the CKDS/PKDS/TKDS. Uninitialized indicates that the key has not been set. Master keys are identified by Master Key Verification Pattern (MKVP).

The check is instituted to assist the user in maintaining master key functionality. The coprocessor activation algorithm maximizes the number of active cryptographic coprocessors. For non-CCF systems any valid master key is acceptable for coprocessor activation. To activate the maximum number of coprocessors the number of available master keys may be restricted.

The following table illustrates a configuration which would generate an inconsistency message by the check. In this scenario all 5 coprocessors are active. The AES, ECC and P11 master keys are available for use. The DES and RSA master keys are unavailable since they are not set on the relevant coprocessors. The DES master key is set on coprocessor G01 but not G00 and G02. The RSA master key is set on coprocessor G00 and G01 but not G02.

Table 1. CoProcessor/Master Key scenario
Cop \ MK	AES	DES	ECC	RSA	P11
G00	A	U	A	C
G01	A	C	A	C
G02	A	U	A	U
SP04					A
SP05					A

The ICSF_MASTER_KEY_CONSISTENCY health check detects the inconsistency in master key states and generates a health check exception messages indicating that the states of the DES and RSA master keys are not consistent across the coprocessors. If the DES and RSA master keys were set on all three coprocessors then both master keys would be available for use.

When the Health Check is run, one of the following messages is generated:

The CSFH0014I message is generated if there are no problems.
The CSFH0015E message is generated if there is a master key inconsistency.
The CSFH0016E unable to process request. For example, an inconsistency in the AES master key would generate the following exception:¹

CHECK(IBMICSF, ICSF_MASTER_KEY_CONSISTENCY)
START TIME: 09/23/2012 14:32:34.584930
CHECK DATE: 20120101 CHECK SEVERITY: MEDIUM 

* Medium Severity Exception *

CSFH0015E The state of the AES master key is not consistent across all 
coprocessors.

Explanation: The current value for the specified master key is not consistent 
across the coprocessors. At least one coprocessor has the specified master 
key in a state that is not in agreement with the other coprocessors.

System action: Alert the ICSF Administrator to determine the impact of the 
current coprocessor states.

User response: Report this exception to the ICSF Administrator.

Administrator response: Refer to the ICSF Coprocessor Management and hardware 
status panels. The state of the specified master key should match for all 
Active or Online coprocessors. If problem is not resolved, contact the IBM 
Support Center.