Reason codes for return code C (12)
| Reason Code Hex (Decimal) | Description |
|---|---|
| 0 (0) | ICSF is not available.
One of the following situations is possible:
OR CKDS Key Record Create2 or CKDS Key Record Write2 was called to add a variable-length key record to a fixed-length CKDS. A variable-length symmetric key token can only be added to a CKDS that supports variable-length records. User action: Contact the security administrator or system programmer to activate (refresh) a CKDS that supports variable-length records. |
| 4 (4) | The CKDS or PKDS management
service you called is not available because it has been disallowed
by the ICSF User Control Functions panel. User action: Contact the security administrator or system programmer to determine why the CKDS or PKDS management services have been disallowed. |
| 8 (8) | The service or algorithm
is not available on current hardware. Your request cannot be processed. User action: Correct the calling program or run on applicable hardware. |
| C (12) | The service that you
called is unavailable because the installation exit for that service
had previously failed. User action: Contact your ICSF administrator or system programmer. |
| 10 (16) | A requested installation
service routine could not be found. Your request was not processed.
User action: Contact your ICSF administrator or system programmer. |
| 1C (28) | Cryptographic asynchronous
processor failed. User action: Contact your IBM support center. |
| 28 (40) | The callable service that you called is unsupported for AMODE(64) applications. Your request cannot be processed. |
| 2C (44) | The callable service
that you called was linked with the AMODE(64) stub. The application
is not running AMODE(64). Your request cannot be processed. User action: Link your application with the service stub with the appropriate addressing mode. |
| 0C5 (197) | I/O error reading or writing to the DASD copy
of the CKDS or PKDS in use by ICSF. User action: Contact your ICSF security administrator or system programmer. The RPL feedback code will be placed in the high-order halfword of the reason code field. |
| 144 (324) | There was insufficient coprocessor memory available
to process your request. This could include the Flash EPROM used
to store keys, profiles and other application data. User action: Contact your system programmer or the IBM Support Center. |
| 2FC (764) | The master key is not in a valid state. User action: Contact your ICSF administrator. REASONCODES: ICSF 2B08 (11016) |
| 301 (769) | A cryptographic internal device driver component detected data contained in a cryptographic request that is not valid. |
| 7D6 (2006) | TKE: PCB service error. |
| 7D7 (2007) | TKE: Change type in PCB is not recognized. |
| 7DF (2015) | Domain in CPRB not enabled by EMB mask. |
| 7E1 (2017) | MKVP mismatch on Set MK. |
| 7E5 (2021) | Cryptographic coprocessor adapter disabled. |
| 7E9 (2025) | Enforcement mask error. |
| 7F3 (2035) | Intrusion latch has been tripped. Services disabled. |
| 7F5 (2037) | The domain specified is not valid. |
| 7FB (2043) | OA certificate not found. |
| 819 (2073) | The coprocessor has
been disabled on the Support Element. It must be enabled on the Support
Element prior to TKE accessing it. User action: Permit the selected coprocessor for TKE Commands on the Support Element and then re-open the host on TKE. |
| 835 (2101) | AES flags in the function control vector are not valid. |
| 839 (2105) | The processing for high performance
secure keys fails due to a hardware error. User action: Contact your IBM support center. |
| BBD (3005) | The KDS I/O subtask
timed out waiting for an exclusive ENQ on the SYSZxKDS.xKDSdsn resource,
where x indicates the KDS type (C for CKDS, P for PKDS, and
T for TKDS). A timeout will occur if one or more members of the ICSF
sysplex group has not relinquished its ENQ on the resource. The KDS
update operation has failed. User action: Issue D GRS,RES=(nnnnn), where nnnnn is the KDS resource name from message CSFM302A, to determine which system or systems hold the resource. Determine if action should be taken to cause the holding system to release its ENQ on the KDS resource. |
| BBE (3006) | Failure after exhausting
retry attempts. IXCMSGO issued from CSFMIOST. User action: Contact your system programmer or the IBM Support Center. |
| BBF (3007) | The CKDS service failed
due to unexpected termination of the ICSF Cross-System Services environment.
The termination of the ICSF Cross-System Services environment was
caused by a failure when ICSF issued the IXCMSGI macro. Message CSFM603
has been issued. User action: Report the occurrence of this error to your ICSF system programmer. |
| BC6 (3014) | There is an I/O error
reading or writing to the DASD copy of the TKDS in use by ICSF. User action: Report the occurrence of this error to your ICSF system programmer. |
| BC7 (3015) | A bad header record
is detected for the TKDS. User action: Report the occurrence of this error to your ICSF system programmer. |
| BCF (3023) | The PKCS #11 TKDS
is not available for processing. User action: Report the occurrence of this error to your ICSF system programmer. |
| BE6 (3046) | An RSA retained key
can no longer be generated with its key-usage flag set to allow key
unwrapping (KM-ONLY or KEY-MGMT). Key usage must be SIG-ONLY. User action: None required. |
| BE8 (3048) | The services using
encrypted AES keys, encrypted DES, or encrypted ECC keys are
not available because the master key is required but not loaded or
there is no access to any cryptographic processors. Your
request cannot be processed. User action: Check the availability of ICSF with your ICSF administrator |
| C00 (3072) | The serialization subtask terminated for an
unexpected reason prior to completing the request. No dynamic CKDS
or PKDS update services are possible at this point. User action: Contact your system programmer who can investigate the problem and restart the I/O subtask by stopping and restarting ICSF. |
| C01 (3073) | An error occurred attempting to obtain the system
ENQ for a key data set update. User action: If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C03 (3075) | A symmetric key token was supplied in a key
identifier parameter which is wrapped using the enhanced X9.24 key
wrapping method. The cryptographic coprocessors available to process
the request do not support the enhanced key wrapping. User action: Contact system personnel to get coprocessors installed on your system which will support the enhanced X9.24 key wrapping. |
| C06 (3078) | The CKDS was created with an unsupported LRECL. |
| C09 (3081) | An attempt was made to load a PKDS that only
uses the ECC master key on a pre-HCR7780 release of ICSF. Pre-HCR7780
systems do not support the ECC master key and use of an ECC MK-only
PKDS is not allowed. User Action: Change the PKDS selected. Specify a PKDS that is empty, uses an RSA master key, or uses both RSA and ECC master keys. |
| C0A (3082) | A callable service generated or updated a symmetric
key token and the X9.24 enhanced wrapping method was used to wrap
the key. This key token is not usable on your system and ICSF will
not allow the key to be generated. The key was wrapped with the enhanced
wrapping method because a CCA Cryptographic coprocessor
that is a CEX3C or later has the default wrapping configuration
set to enhanced. This was most likely done by TKE changing the configuration. User Action: Have the ICSF administrator set the default wrapping configuration to original for the LPAR that this system is running in. |
| C17 (3095) | While performing a coordinated KDS change master
key operation, the sysplex KDS cluster members' new AES master key
registers were loaded with different values. All sysplex KDS cluster
members' (same active KDS) new AES master key registers must be loaded
with the same value or all must be empty when performing a coordinated
KDS change master key. User action: Ensure all sysplex KDS cluster members' new AES master key registers are loaded with the same value or all are empty and retry the function. |
| C18 (3096) | One or more sysplex KDS cluster members' new
DES master key registers were loaded and others were empty during
a coordinated KDS change master key. All sysplex KDS cluster members'
(same active KDS) new DES master key registers must be loaded with
the same value or all must be empty when performing a coordinated
KDS change master key. User action: Ensure all sysplex KDS cluster members' new DES master key registers are loaded with the same value or all are empty and retry the function. |
| C19 (3097) | The sysplex KDS cluster members' new DES master
key registers were loaded with different values during a coordinated
KDS change master key. All sysplex KDS cluster members' (same active
KDS) new DES master key registers must be loaded with the same value
or all must be empty when performing a coordinated KDS change master
key. User action: Ensure all sysplex KDS cluster members' new DES master key registers are loaded with the same value or all are empty and retry the function. |
| C1A (3098) | A coordinated KDS change master key was attempted
with empty new master key registers. At least one of the new master
key registers must be loaded with a value to perform a coordinated
KDS change master key. User action: Load at least one of the new master key registers on all sysplex KDS cluster members with the same value and retry the function. |
| C1B (3099) | An ICSF subtask terminated during coordinated KDS refresh or coordinated KDS
change master key processing. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C1C (3100) | An error occurred attempting to obtain an ENQ
for performing either a coordinated KDS refresh or coordinated KDS
change master key. User action: The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C1D (3101) | A target system (member of the sysplex KDS cluster) was unable to open the new
KDS for either a coordinated KDS refresh or coordinated KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C1E (3102) | One or more sysplex KDS cluster members' new
AES master key registers were loaded and others were empty during
a coordinated KDS change master key. All sysplex KDS cluster members'
(same active KDS) new AES master key registers must be loaded with
the same value or all must be empty when performing a coordinated
KDS change master key. User action: Ensure all sysplex KDS cluster members new AES master key registers are loaded with the same value or all are empty and retry the function. |
| C2B (3115) | Either a coordinated KDS refresh or coordinated KDS change master key was
cancelled. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C2C (3116) | A catalog problem occurred during either a coordinated
KDS refresh or coordinated KDS change master key. The problem occurred
when looking up either the active KDS or new KDS in the catalog. User action: Ensure both the active KDS and new KDS are cataloged and retry the function. |
| C2D (3117) | A coordinated KDS refresh or coordinated KDS change master key was attempted
on a system with a level of hardware that is not supported by the function. This reason code is also
used if the licensed internal code (LIC) level on the originating system is lower than the licensed
internal code (LIC) level on 1 or more of the other sysplex KDS cluster members. User action: Refer to Coordinated KDS Administration (CSFCRC and CSFCRC6) for a list of supported hardware levels. Perform the coordinated KDS function from the system running the highest level of licensed internal code (LIC). |
| C2E (3118) | A coordinated KDS change master key was attempted
with the DES new master key register loaded but with no current DES
master key set. In order to perform a coordinated KDS change master
key to a new DES master key, a valid DES master key must have previously
been set. User action: Set a valid DES master key and then use the coordinated KDS change master key to change the DES master key. |
| C2F (3119) | A coordinated KDS change master key was attempted
with the AES new master key register loaded but with no current AES
master key set. In order to perform a coordinated KDS change master
key to a new AES master key, a valid AES master key must have previously
been set. User action: Set a valid AES master key and then use the coordinated KDS change master key to change the AES master key. |
| C32 (3122) | A sysplex communication failure occurred during either coordinated KDS refresh
or coordinated KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated CKDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C33 (3123) | A failure occurred processing KDS updates during a coordinated KDS change
master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C34 (3124) | An internal failure occurred in a coordinated KDS subtask while performing
either a coordinated KDS refresh or a coordinated KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C35 (3125) | An internal failure occurred in a coordinated KDS subtask while performing
either a coordinated KDS refresh or a coordinated KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C36 (3126) | An internal failure occurred in the sysplex subtask while performing either a
coordinated KDS refresh or coordinated KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C37 (3127) | An internal failure occurred in the serialization subtask while performing
either a coordinated KDS refresh or coordinated KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C38 (3128) | An internal failure occurred in the I/O subtask while performing a coordinated
KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function may be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C39 (3129) | A coordinated KDS change master key was attempted
and at least one ICSF instance in the sysplex reported that it was
unable to process the request. The coordinated KDS change master key
functions are only available when all ICSF instances in the sysplex,
regardless of active KDS, are running at a sufficient level to process
the request. One possible reason for this return code would be attempting a coordinated KDS change master key operation that attempted to change the RCS master key. User action: Remove or upgrade all ICSF instances in the sysplex that are running without sufficient support and retry the function. |
| C3A (3130) | A target system (member of the sysplex KDS cluster) is not being responsive to
a system that is originating either a coordinated KDS refresh or coordinated KDS change master key.
User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C3B (3131) | The active KDS could not be reenciphered to the new KDS during a coordinated
KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C3E (3134) | A failure occurred either renaming the active KDS to the archive KDS or
renaming the new KDS to the active KDS during a coordinated KDS refresh or coordinated KDS change
master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C40 (3136) | A coordinated KDS refresh or coordinated KDS
change master key was originated from a system at a lower ICSF FMID
release level than one or more of the target systems (sysplex KDS
cluster members). The coordinated KDS functions must be originated
from a system running the highest ICSF FMID level. User action: Retry the function from a sysplex KDS cluster member running the highest ICSF FMID level. |
| C41 (3137) | An internal failure occurred during the set master key step of a coordinated
KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C42 (3138) | A failure occurred trying to back out from a failed rename of the active KDS
to the archive KDS or a failed rename of the new KDS to the active KDS during a coordinated KDS
refresh or coordinated KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C43 (3139) | A failure occurred switching the new KDS to the active KDS during either a
coordinated KDS refresh or a coordinated KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C44 (3140) | A coordinated KDS refresh or a coordinated KDS
change master key failed because one of the target systems (sysplex
KDS cluster members) had not finished ICSF initialization. User action: Allow all sysplex KDS cluster members to finish ICSF initialization and retry the function. |
| C45 (3141) | A coordinated KDS change master key was attempted
with the RSA new master key register loaded but with no current RSA
master key set. In order to perform a coordinated KDS change master
key to a new RSA master key, a valid RSA master key must have previously
been set. User action: Set a valid RSA master key and then use the coordinated KDS change master key to change the RSA master key. |
| C46 (3142) | A coordinated KDS change master key was attempted
with the ECC new master key register loaded but with no current ECC
master key set. In order to perform a coordinated KDS change master
key to a new ECC master key, a valid ECC master key must have previously
been set. User action: Set a valid ECC master key and then use the coordinated KDS change master key to change the ECC master key. |
| C47 (3143) | A coordinated KDS change master key was attempted
with the PKCS #11 new master key register loaded but with no current
PKCS #11 master key set. In order to perform a coordinated KDS change
master key to a new PKCS #11 master key, a valid PKCS #11 master
key must have previously been set. User action: Set a valid PKCS #11 master key and then use the coordinated KDS change master key to change the PKCS #11 master key. |
| C48 (3144) | The sysplex KDS cluster members' new RSA master
key registers were loaded with different values during a coordinated
KDS change master key. All sysplex KDS cluster members' (same active
KDS) new RSA master key registers must be loaded with the same value
or all must be empty when performing a coordinated KDS change master
key. User action: Ensure all sysplex KDS cluster members' new RSA master key registers are loaded with the same value or are all empty, and retry the function. |
| C49 (3145) | The sysplex KDS cluster members' new ECC master
key registers were loaded with different values during a coordinated
KDS change master key. All sysplex KDS cluster members' (same active
KDS) new ECC master key registers must be loaded with the same value
or all must be empty when performing a coordinated KDS change master
key. User action: Ensure all sysplex KDS cluster members' new ECC master key registers are loaded with the same value or are all empty, and retry the function. |
| C4A (3146) | One or more sysplex KDS cluster members' new
RSA master key registers were loaded and others were empty during
a coordinated KDS change master key. All sysplex KDS cluster members'
(same active KDS) new RSA master key registers must be loaded with
the same value or all must be empty when performing a coordinated
KDS change master key. User action: Ensure all sysplex KDS cluster members' new RSA master key registers are loaded with the same value or all are empty and retry the function. |
| C4B (3147) | One or more sysplex KDS cluster members' new
ECC master key registers were loaded and others were empty during
a coordinated KDS change master key. All sysplex KDS cluster members'
(same active KDS) new ECC master key registers must be loaded with
the same value or all must be empty when performing a coordinated
KDS change master key. User action: Ensure all sysplex KDS cluster members' new ECC master key registers are loaded with the same value or are all empty and retry the function. |
| C4C (3148) | The sysplex KDS cluster members' new PKCS #11
master key registers were loaded with different values or
missing new PKCS #11 master key values during a coordinated KDS
change master key. All sysplex KDS cluster members' (same active KDS)
new PKCS #11 master key registers must be loaded with the same value
or all must be empty when performing a coordinated KDS change master
key. User action: Ensure all sysplex KDS cluster members' new PKCS #11 master key registers are loaded with the same value or are all empty and retry the function. |
| C4D (3149) | One or more sysplex KDS cluster members' new
P11 master key registers were loaded and others were empty during
a coordinated KDS change master key. All sysplex KDS cluster members'
(same active KDS) new P11 master key registers must be loaded with
the same value or all must be empty when performing a coordinated
KDS change master key. User action: Ensure all sysplex KDS cluster members' new P11 master key registers are loaded with the same value or are all empty and retry the function. |
| C52 (3154) | A coordinated KDS change master key was attempted
with the RCS new master key register loaded, but with no current RCS
master key set. In order to perform a coordinated KDS change master
key to a new RCS master key, a valid RCS master key must have previously
been set. User action: Set a valid RCS master key and then use the coordinated KDS change master key to change the RCS master key. |
| C53 (3155) | The sysplex KDS cluster members' new RCS master key registers were loaded with
different values or missing new RCS master key values during a coordinated KDS
change master key. All sysplex KDS cluster members' (same active KDS) new RCS master key registers
must be loaded with the same value or all must be empty when performing a coordinated KDS change
master key. User action: Ensure all sysplex KDS cluster members' new RCS master key registers are FULL COMMITTED with the same value or all are empty and retry the function. |
| C54 (3156) | One or more sysplex KDS cluster members' new
RCS master key registers were loaded and others were empty during
a coordinated KDS change master key. All sysplex KDS cluster members'
(same active KDS) new RCS master key registers must be loaded with
the same value or all must be empty when performing a coordinated
KDS change master key. User action: Ensure all sysplex KDS cluster members' new RCS master key registers are FULL COMMITTED with the same value or all are empty and retry the function. |
| C56 (3158) | A target system (member of the sysplex) is not being responsive to a system
that is originating a coordinated KDS change master key for the RCS master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C57 (3159) | A coordinated KDS change master key was attempted
with the RCS master key, but one or more of the sysplex members had
a lower generation device level than supported for changing the RCS
master key. User action: Ensure that all RCS devices are running at the minimum supported generation or higher and retry the function. |
| C58 (3160) | A coordinated KDS change master key was attempted
with the RCS master key, but one or more of the sysplex members have
RCS devices which have the same serial number and port. User action: Check the Installation Options Data Set for duplicate remote devices. |
| C59 (3161) | A coordinated KDS change master key was attempted, but one or more of the
sysplex members failed to complete processing in the time allotted. User action: See z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C80 (3200) | Key object’s compliance mode is different
than current setting of the Enterprise PKCS #11 coprocessors User action: Contact your ICSF administrator or system programmer. ICSF administrator action: The compliance mode setting on the Enterprise PKCS #11 coprocessors must be set to a value at least as restrictive as the key object that failed. Using the PKCS #11 Token Browser ISPF panels, examine the IBM CARD COMPLIANCE value for the key that failed. Set each Enterprise PKCS #11 coprocessor to this value using TKE. |
| C82 (3202) | A PKCS #11 Service found an error in DER encoded
data returned from the Enterprise PKCS #11 Coprocessor. User action: Contact your system programmer or the IBM Support Center. |
| D21 (3361) | The subtask for the KDS multi-purpose callable
service is not active. User action: Contact your system operator to stop and then start ICSF. |
| D22 (3362) | The subtask for the KDS multi-purpose callable service is terminating. |
| D23 (3363) | An attempt was made to use a KDS which has a KDS cluster identifier that
matches an active KDS. This reason code is accompanied by message CSFM663I. User action: See the ICSF joblog for message CSFM663I and refer to z/OS Cryptographic Services ICSF Messages for information on how to proceed. |
| D24 (3364) | ICSF encountered continuous ISGQUERY failures while attempting a KDS
operation. This reason code is accompanied by message CSFM664I. User action: See the ICSF joblog for message CSFM664I and refer to z/OS Cryptographic Services ICSF Messages for information on how to proceed. |
| D27 (3367) | There is no cryptographic coprocessor capable of performing the
wrapping operation. User action: Check the required hardware section for the callable service being invoked. |
| D30 (3376) | Regional cryptographic
server is not available. User action: Contact your ICSF administrator or system programmer. ICSF administrator action: Ensure that at least one regional cryptographic server that supports the requested function is configured and active. |
| D31 (3377) | Regional cryptographic
server is not active. User action: Contact your ICSF administrator or system programmer. ICSF administrator action: Ensure that at least one regional cryptographic server is configured and active. |
| D33 (3379) | Regional cryptographic
server had an unexpected error. User action: Contact your system programmer. System programmer action: Look for an X'18F' abend and subsequent dump. Also check the logs on the regional cryptographic server for any indication of an error. Take appropriate action as directed by the vendor documentation or their support personnel. If unable to resolve the issue, contact the IBM Support Center. |
| D34 (3380) | Regional cryptographic
server request failed repeatedly on different sockets. User action: Contact your system programmer. System programmer action: Look for an X'18F' abend and subsequent dump. Also check the logs on the regional cryptographic server for any indication of an error. Take appropriate action as directed by the vendor documentation or their support personnel. If unable to resolve the issue, contact the IBM Support Center. |
| D35 (3381) | z/OS UNIX System Services are not available. User action: Contact your system programmer. System programmer action: z/OS UNIX System Services may be temporarily unavailable. Check for console messages indicating that z/OS UNIX Systems is restarting and is now available. If the problem persists, contact the IBM Support Center. |
| D5D (3421) | A request was made for a function that is not available because ICSF is
running without an active CKDS or PKDS defined in the options data set. User action: If you wish to perform the function, you must restart ICSF with an active CKDS or PKDS defined in the options data set. |
| DB0 (3504) | The Options Data Set Refresh function ended. An error was encountered while reading the options data set. |
| DB3 (3507) | The Options Data Set Refresh function ended abnormally. |
| DC7 (3527) | ICSF is running with the requested KDS in an older format. The CSFKDU service
can only be used when the requested KDS is in KDSR format. User action: Contact your system programmer to migrate the KDS to KDSR format. |
| DD0 (3536) | The operation failed because one or more cryptographic
coprocessors were in a compliance mode that disallows the operation. User action: Change the operation to a compliant one to achieve the wanted results. If the cryptographic coprocessor is in compliance mode in error, configure the cryptographic coprocessor out of the compliance mode. |
| DD1 (3537) | The operation failed because the compliance mode required to
perform the operation (including attempting to use a compliant-tagged token) is
unavailable. User action: If this is an attempt to reencipher a CKDS that once held compliant-tagged key tokens but no longer does, perform a refresh of the CKDS to clear the compliant-tagged indicator and retry the request. Otherwise, configure one or more cryptographic coprocessors in the required compliance mode and retry the request. |
| DD3 (3539) | Unable to export a secure key to a CPACF protected key due to a
problem with the internal transport key. This should be a temporary condition and should resolve on
its own. User action: Retry the request. If the problem persists, contact the IBM Support Center. |
| DD4 (3540) | The operation failed because there is no cryptographic
coprocessor available in migration mode. User action: Configure one or more cryptographic coprocessors in migration mode. |
| 1779 (6009) | One or more target systems (sysplex KDS cluster members) did not successfully
load the new KDS during a coordinated KDS refresh or coordinated KDS change master key. This a
common result of an unresponsive target system. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated CKDS administration failure. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| 1780 (6016) | A DASD IO error was encountered during access
of the CKDS, PKDS, or TKDS. User action: Contact your ICSF security administrator or system programmer. The SVC 99 error code will be placed in the high-order halfword of the reason code field. |
| 178C (6028) | ESTAE could not be
established in common I/O routines. User action: Contact your system programmer or the IBM Support Center. |
| 1790 (6032) | The dynamic allocation
of the DASD copy of the CKDS, PKDS, or TKDS in use by ICSF failed. User action: Contact your ICSF security administrator or system programmer. The SVC 99 error code will be placed in the high-order halfword of the reason code field. |
| 1794 (6036) | A dynamic deallocation
error occurred when closing and deallocating a CKDS, PKDS, or TKDS. User action: Contact your security administrator or system programmer. The SVC 99 error code will be placed in the high-order halfword of the reason code field. |
| 1795 (6037) | A failure occurred routing KDS updates to the originating system of a
coordinated KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| 1796 (6038) | The I/O subtask became out of sync with the sysplex KDS cluster during a
coordinated KDS change master key. The I/O subtask will be restarted to get back in sync with the
sysplex KDS cluster. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| 1797 (6039) | ICSF was unable to attach a coordinated KDS subtask for either a coordinated
KDS refresh or coordinated KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| 2724 (10020) | A key retrieved from
the in-storage CKDS failed the MAC verification (MACVER) check and
is unusable. User action: Contact your ICSF administrator. |
| 2728 (10024) | A key retrieved from
the in-storage CKDS or a key to be written to the PKDS was rejected
for use by the installation exit. User action: Contact your ICSF administrator or system programmer. |
| 272C (10028) | You cannot use the
secure key import or multiple secure key import callable services
because the cryptographic processor is not enabled for processing.
The cryptographic coprocessor is not in special secure mode. User action: Contact your ICSF administrator (your administrator can enable the processing mode). |
| 2734 (10036) | More than one key
with the same label was found in the CKDS or PKDS. This function requires
a unique key per label. The probable cause may be the use of an incorrect
label pointing to a key type that allows multiple keys per label. User action: Make sure the application specifies the correct label. If the label is correct, contact your ICSF security administrator or system programmer to verify the contents of the CKDS or PKDS. |
| 273C (10044) | OPEN of the PKDS in
use by ICSF failed. User action: Contact your ICSF security administrator or system programmer. |
| 2740 (10048) | I/O error reading
or writing to the DASD copy of the CKDS or PKDS in use by ICSF. User action: Contact your ICSF security administrator or system programmer. The RPL feedback code will be placed in the high-order halfword of the reason code field. REASONCODES: TSS 0C5 (197) |
| 274C (10060) | The I/O subtask terminated for an unexpected reason
prior to completing the request. No dynamic CKDS, PKDS, or TKDS update services
are possible at this point. User action: Contact your system programmer who can investigate the problem and restart the I/O subtask by stopping and restarting ICSF. |
| 2B08 (11016) | The master key is
not in a valid state. User action: Contact your ICSF administrator. REASONCODES: TSS 2FC (764) |
| 2B0C (11020) | The modulus of the
public or private key is larger than allowed and configured in the
CCC or FCV. You cannot use this key on this system. User action: Regenerate the key with a smaller modulus size. |
| 2B10 (11024) | The RSA master key is not active.
Possible reasons for this include:
User action: Contact the ICSF administrator to determine the problem and to make the RSA master key active. |
| 2B1C (11036) | A PKDS is not available
for processing. User action: Contact your ICSF administrator. |
| 2B20 (11040) | The PKDS Control Record
hash pattern is not valid. User action: Contact your ICSF administrator. |
| 2B24 (11044) | The PKDS could not
be accessed. User action: Contact your ICSF administrator. |
| 2B28 (11048) | The coprocessor failed. User action: Contact your IBM support center. |
| 2B2C (11052) | The specific coprocessor
requested for service is temporarily unavailable. PKDS could not be
accessed. The specific coprocessor may be attempting some recovery
action. If recovery action is successful, the coprocessor will be
made available. If the recovery action fails, the coprocessor will
be made permanently unavailable. User action: Retry the function. |
| 2B30 (11056) | The coprocessor failed.
The response from the processor was incomplete. User action: Contact your IBM support center. |
| 2B34 (11060) | The service could
not be performed because the required coprocessor was not active or
did not have a master key set, or the coprocessor
did not have the required firmware update. User action: If the service required a specific coprocessor, verify that the value specified is correct. Reissue the request when the required coprocessor is available and has the master key set and the required firmware is present. |
| 2B38 (11064) | Service could not be performed because of a hardware error on the coprocessor. |
| 2B40 (11072) | Coprocessor configuration change. A CCA or EP11 coprocessor has been configured as an accelerator. TKE does not recognize coprocessors configured as accelerators. |
| 2B41 (11073) | Coprocessor configuration change. Either a CCA coprocessor has been reconfigured to be a EP11 coprocessor, or a PKCS #11 coprocessor has been reconfigured to be a CCA coprocessor. |
| 8CA2 (36002) | CSFPCI was called to set the RSA master key in any CCA cryptographic coprocessor. This function is disabled because dynamic RSA master key change is enabled and the RSA master key can only be changed from the ICSF TSO Change asymmetric master key utility. |
| 8CB4 (36020) | A refresh of the CKDS
failed because the DASD copy of the CKDS is enciphered under the wrong
master key. This may have resulted from an automatic refresh during
processing of the CKDS key record create callable service. User action: Contact your ICSF administrator. |
| 8CE4 (36068) | A failure occurred during a coordinated
KDS change master key operation because the DASD copy of the CKDS
is enciphered under the wrong master key. User action: Contact your ICSF administrator. |
| 8CE5 (36069) | A failure occurred
during a coordinated KDS change master key operation because the DASD
copy of the TKDS is enciphered under the wrong master key. User action: Contact your ICSF administrator. |
| 8CF4 (36084) | The master keys cannot be changed because ICSF is running in
compatibility mode. User action: See 'Migration from PCF to z/OS ICSF' in z/OS Cryptographic Services ICSF System Programmer's Guide for an explanation of compatibility mode and how to change the master keys. Note that the coordinated change master key utility cannot be used to change master keys when running in compatibility mode. |
| 8D14 (36116) | The PKDS specified for refresh, reencipher or
activate has an incorrect dataset attribute. User action: Create a larger PKDS. See z/OS Cryptographic Services ICSF System Programmer's Guide. |
| 8D3C (36156) | A PKCS #11 service is being requested. The service
is disabled due to an ICSF FIPS self test failure. The request is
not processed. User action: Report the problem to your IBM support center |
| 8D40 (36160) | The attempt to reencipher the CKDS failed because
there is an enhanced wrapped token in the CKDS. User Action: Reencipher the CKDS on a system that supports the enhanced wrapping method. |
| 8D48 (36168) | A key data set has an LRECL attribute that is
not valid. This could be because your release of ICSF does not support
the KDS with that LRECL or a supplied KDS does not have the same LRECL
as another KDS required for the utility being invoked. User Action: Use a KDS with an LRECL supported by the release of ICSF that you are using or supply a KDS with the same LRECL. |
| 8D4D (36173) | A failure occurred during a coordinated KDS
change master key operation because the DASD copy of the PKDS is enciphered
under the wrong master key. User Action: Contact your ICSF administrator. |
| 8D4E (36174) | A failure occurred during a coordinated KDS
change master key operation because the DASD copy of the PKDS is enciphered
under the wrong master key. User Action: Contact your ICSF administrator. |
| 8D56 (36182) | A coprocessor failure was detected during initialization. User action: The error is accompanied by the CSFM540I message. Follow instructions associated with that message. |
| 8D5A (36186) | A request was made to reencipher a CKDS. The
CKDS specified cannot be reenciphered on this release of ICSF because
the CKDS contains Variable-length Symmetric key tokens with an unrecognized
algorithm or key type in the associated data section. Only key tokens
with a recognized algorithm or key type can be managed on this release
of ICSF. User action: Perform the reencipher operation on a release of ICSF which recognizes the algorithm and key type of all tokens in the specified CKDS. |
| 8D5D (36189) | The TKDS has an incorrect dataset attribute. User action: Create a TKDS with valid dataset attributes. See z/OS Cryptographic Services ICSF System Programmer's Guide |
| 8D73 (36211) | A request was made to load a key data set (CKDS,
PKDS or TKDS) which has records which are in KDSR format. This level
of ICSF does not support KDSR format records. User Action: Contact your ICSF administrator. |