ICSF_KEY_EXPIRATION

Type: Status

Initial State: Active

Interval: Daily

z/OS and ICSF releases the check applies to: ICSF FMID HCR77B0 and later running on z/OS V1R13 and later.

This is a status check. The check detects records in the active key data sets that have the key material validity end date metadata set and will expire within the specified interval. The active CKDS, PKDS, and TKDS are checked. The label of all records that will expire will be listed along with the expiration date.
Note: The key data sets must use the KDSR format (introduced in ICSF FMID HCR77A1) in order to have key material validity dates. For additional details, see z/OS Cryptographic Services ICSF System Programmer's Guide.

The interval is set by the DAYS(nnn) parameter. The default interval is 60 days.

The check is activated during the initialization of ICSF. The check is performed on a daily basis.

When the ICSF_KEY_EXPIRATION health check is run, the following messages are generated:
  • Message CSFH0030I is an informational message that displays the health check header.
  • Message CSFH0032I indicates that there are no records that are about to expire.
  • Message CSFH0031E indicates that there are records that are about to expire.
For example:
CHECK(ICSF,ICSF_KEY_EXPIRATION)
START TIME: 03/23/2015 08:10:01.603497
CHECK DATE: 20150101 CHECK SEVERITY: MEDIUM

* Medium Severity Exception *

CSFH0030I Cryptographic Keys Expiring in 60 Days
Active CKDS: CSF.CKDS

Records expiring on 20150401
CSF.SPECIAL.KEY.FOR.TESTING.ABCD0001              EXPORTER
CSF.SPECIAL.KEY.FOR.TESTING.ABCD0004              IMPORTER

Records expiring on 20150430
CSF.SPECIAL.KEY.FOR.TESTING.ABCD0002              MAC
     
Active PKDS: CSF.PKDS
Key data set not in KDSR format 

CSFH0032E Check detected KDS record that will expire within the next 60 days. 

Explanation: This check detected keys in the key data sets that will reach their
expiration date within the specified interval. When the keys reach their expiration
date, the keys can no longer be used the applications.

System action: There is no effect on the system.

Operator response: Contact the ICSF administrator.

System Programmer Response: Contact the ICSF administrator.

Problem Determination: n/a

Source: n/a

Reference Documentation: z/OS Cryptographic Services
Integrated Cryptographic Service Facility: Administrator's
Guide

Automation: n/a

Check Reason: Detects operational keys that will expire
within the specified interval.

END TIME: 03/23/2015 08:10:01.643285 STATUS: SUCCESSFUL

Active TKDS: CSF.TKDS

Objects expiring on 20150401
CSF.SPECIAL.TOKEN.FOR.TEST.AD0  0000000AY     

Objects expiring on 20150421
CSF.SPECIAL.TOKEN.FOR.TEST.AD0  0000001AY     

Objects expiring on 20150521
CSF.SPECIAL.TOKEN.FOR.TEST.AD0  0000011AY     

CSFH0033E Check detected KDS record that will expire within
the next 60 days. 

Explanation: This check detected keys in the key data sets
that will reach their expiration date within the specified
interval When the keys reach their expiration date, the
keys can no longer be used the applications. 

System action: There is no effect on the system.

Operator response: Contact the ICSF administrator.

System Programmer Response: Contact the ICSF administrator.

Problem Determination: n/a

Source: n/a

Reference Documentation: z/OS Cryptographic Services
Integrated Cryptographic Service Facility: 
Administrator's Guide

Automation: n/a

Check Reason: Detects operational keys that will expire
within the specified interval.

END TIME: 03/23/2015 08:10:01.643285 STATUS: SUCCESSFUL