Integrated Cryptographic Services Facilities Subsystems (ICSF) attributes
One row emitted per cryptographic agent to display subsystem and coprocessor status.
ICSF is a z/OS subsystem that provides cryptographic services to system functions and application servers. It provides publicly-documented service call exits that you may use. You can specify exits for each callable cryptographic service and other administrative function of ICSF. The following table lists the entry points.
Note: If you need to define your own exits, use the ICSF security exits as alternatives to the two service call exits, CSFEXIT3 and CSFEXIT4. If the monitoring agent discovers a user-defined exit that conflicts with an IBM performance-monitoring exit, it replaces the user-defined exit, issues a warning message, and proceeds with data collection.
| Cryptographic Service or Function | Entry Point |
|---|---|
| CSFCKI | Clear Key Import |
| CSFCKM | Multiple Clear Key Import |
| CSFCPA | Clear PIN Generate Alternate |
| CSFCPE | Clear PIN Encrypt |
| CSFCSG | VISA CVV Service Generate |
| CSFCSV | VISA CVV Service Verify |
| CSFCVE | Cryptographic Variable Encipher |
| CSFCVT | Control Vector Translate |
| CSFDCO | Decode |
| CSFDEC | Decipher |
| CSFDEC1 | Decipher with ALET |
| CSFDKG | Diversified Key Generate |
| CSFDKM | Data Key Import |
| CSFDKX | Data Key Export |
| CSFDSG | Digital Signature Generate |
| CSFDSV | Digital Signature Verify |
| CSFECO | Encode |
| CSFEDC | Cipher/Decipher |
| CSFEMK | Encipher under Master Key |
| CSFENC | Encipher |
| CSFENC1 | Encipher with ALET |
| CSFEPG | Encrypted PIN Generate |
| CSFGKC | Generate a key |
| CSFKEX | Key Export |
| CSFKGN | Key Generate |
| CSFKIM | Key Import |
| CSFKPI | Key Part Import |
| CSFKRC | CKDS Key Record Create |
| CSFKRD | CKDS Key Record Delete |
| CSFKRR | CKDS Key Record Read |
| CSFKRW | CKDS Key Record Write |
| CSFKTR | Key Translate |
| CSFKYT | Key Test |
| CSFKYTX | Key Test Extended |
| CSFMDG | MDC Generate |
| CSFMDG1 | MDC Generate with ALET |
| CSFMGN | MAC Generate |
| CSFMGN1 | MAC Generate with ALET |
| CSFMVR | MAC Verify |
| CSFMVR1 | MAC Verify with ALET |
| CSFOWH | One-Way Hash Generate |
| CSFOWH1 | One-Way Hash Generate with ALET |
| CSFPCI | PCI Interface |
| CSFPEX | Prohibit Export |
| CSFPEXX | Prohibit Export Extended |
| CSFPGN | Clear PIN Generate |
| CSFPKD | PKA Decrypt |
| CSFPKE | PKA Encrypt |
| CSFPKG | PKA Key Generate |
| CSFPKI | PKA Key Import |
| CSFPKRC | PKDS Key Record Create |
| CSFPKRD | PKDS Key Record Delete |
| CSFPKRR | PKDS Key Record Read |
| CSFPKRW | PKDS Key Record Write |
| CSFPKX | PKA Public Key Extract |
| CSFPTR | Encrypted PIN Translate |
| CSFPVR | Encrypted PIN Verify |
| CSFRKD | Retained Key Delete |
| CSFRKL | Retained Key List |
| CSFRNG | Random Number Generate |
| CSFRTC | Import a key |
| CSFSBC | SET Block Compose |
| CSFSBD | SET Block Decompose |
| CSFSKI | Secure Key Import |
| CSFSKM | Multiple Secure Key Import |
| CSFSYG | Symmetric Key Generate |
| CSFSYI | Symmetric Key Import |
| CSFSYX | Symmetric Key Export |
| CSFIQA | ICSF Query Algorithm |
| CSFIQF | ICSF Query Facility |
| CSFIQF2 | ICSF Query Facility2 |
| CSFSAD | Symmetric Algorithm Decipher |
| CSFSAD1 | Symmetric Algorithm Decipher with ALET |
| CSFSAE | Symmetric Algorithm Encipher |
| CSFSAE1 | Symmetric Algorithm Encipher with ALET |
| CSFSMG | Symmetric MAC Generate |
| CSFSMG1 | Symmetric MAC Generate with ALET |
| CSFSMV | Symmetric MAC Verify |
| CSFSMV1 | Symmetric MAC Verify with ALET |
| CSFRKX | Remote Key Export |
| CSFTBC | Trusted Block Create |
| CSFT31P | TR-31 Parse |
| CSFT31R | TR-31 Optional Data Read |
| CSFT31O | TR-31 Optional Data Build |
| CSFT31X | TR-31 Export |
| CSFT31I | TR-31 Import |
| CSFCKC | CVV Key Combine |
| CSFCRC | Coordinated KDS Administration |
| CSFEDH | ECC Diffie-Hellman |
| CSFKGN2 | Key Generate2 |
| CSFKRC2 | CKDS Key Record Create2 |
| CSFKRR2 | CKDS Key Record Read2 |
| CSFKRW2 | CKDS Key Record Write2 |
| CSFKYT2 | Key Test2 |
| CSFRKA | Restrict Key Attribute |
| CSFSKI2 | Secure Key Import2 |
| CSFHMG | HMAC Generate |
| CSFKTB2 | Key Token Build2 |
| CSFKPI2 | Key Part Import2 |
| CSFSYI2 | Symmetric Key Import2 |
| CSFHMG1 | HMAC Generate with ALET |
| CSF1HMG | PKCS #11 Generate Keyed MAC |
| CSF1HMV | PKCS #11 Verify Keyed MAC |
| CSFHMV | HMAC Verify |
| CSFHMV1 | HMAC Verify with ALET |
| CSFPKT | PKA Key Translate |
| CSF1DVK | PKCS #11 Derive Key |
| CSF1DMK | PKCS #11 Derive Multiple Keys |
| CSF1GKP | PKCS #11 Generate Key Pair |
| CSF1GSK | PKCS #11 Generate Secret Key |
| CSF1SKD | PKCS #11 Secret Key Decrypt |
| CSF1SKE | PKCS #11 Secret Key Encrypt |
| CSF1PKS | PKCS #11 Private Key Sign |
| CSF1PKV | PKCS #11 Public Key Verify |
| CSF1WPK | PKCS #11 Wrap Key |
| CSF1UWK | PKCS #11 Unwrap Key |
| CSF1OWH | PKCS #11 One-Way Hash/Sign/Verify |
| CSF1PRF | PKCS #11 Pseudo-Random Function |
| CSFCTT2 | Ciphertext Translate2 |
| CSFCTT3 | Ciphertext Translate2 |
| CSFUKD | Unique Key Derive |
| CSFCONV | PCF CKDS Conversion |
| CSFSMK | Set master key |
| CSFCMK | Change master key |
| CSFRENC | Reencipher CKDS |
| CSFMKVR | Master key verification |
| CSFREFR | Refresh CKDS or PKDS |
| CSFSSWS | Administrative control functions DISABLE |
| CSFRSWS | Administrative control functions ENABLE |
| CSFKTB | Key Token Build |
| CSFACEE | SAF ACEE Selection |
| CSFKDSL | Key Data Set List |
| CSFPFO | Recover PIN from Offset |
| CSFAPG | Authentication Parameter Generate |
| CSFSXD | Symmetric Key Export with Data |
| CSFKTR2 | Key Translate2 |
| CSFKDMR | Key Data Set Metadata Read |
| CSFKDMW | Key Data Set Metadata Write |
| CSFPMCI | Pass phrase master key/KDS initialization |
| CSFDKCS | Master key entry |
| CSFUDM | User Defined Extensions |
| CSFPKTC | PKA Key Token Change |
| CSFSKY | Secure Messaging for Keys |
| CSFSPN | Secure Messaging for PINs |
| CSFSYD | Symmetric Key Decipher |
| CSFSYE | Symmetric Key Encipher |
| CSFSYE1 | Symmetric Key Encipher with ALET |
| CSFSYD1 | Symmetric Key Decipher with ALET |
| CSFTRV | Transaction Validation |
| CSFPCU | PIN Change/Unblock |
| CSFPCAD | Cryptographic processors management |
| CSF1TRC | Token or object creation |
| CSF1TRD | Token or object deletion |
| CSF1TRL | Token or object find |
| CSF1GAV | PKCS #11 Get Attribute Value |
| CSF1SAV | Update object attributes |
| CSFRNGL | Random Number Generate VL |
| CSFRWP | CKDS Conversion2 - rewrap |
| CSFOPKL | Operational key load |
| CSFPKB | PKA Key Token Build |
| CSFCVG | Control Vector Generate |
| CSFDPC | DK PIN Change |
| CSFDPV | DK PIN Verify |
| CSFDPMT | DK PAN Modify in Transaction |
| CSFDKG2 | Diversified Key Generate2 |
| CSFDRPG | DK Random PIN Generate |
| CSFMGN2 | MAC Generate2 |
| CSFMGN3 | MAC Generate2 with ALET |
| CSFMVR2 | MAC Verify2 |
| CSFMVR3 | MAC Verify2 with ALET |
| CSFDDPG | DK Deterministic PIN Generate |
| CSFDPT | DK PAN Translate |
| CSFDRP | DK Regenerate PRW |
| CSFDPCG | DK PRW CMAC Generate |
| CSFDPNU | DK PRW Card Number Update |
| CSFDMP | DK Migrate PIN |
| CSFFLE | Field Level Encipher |
| CSFFLD | Field Level Decipher |
| CSFFPEE | FPE Encipher |
| CSFFPED | FPE Decipher |
| CSFFPET | FPE Translate |
| CSFDCM | Derive ICC MK |
| CSFDSK | Derive Session Key |
| CSFEAC | EMV Transaction (ARQC/ARPC) Service |
| CSFESC | EMV Scripting Service |
| CSFEVF | EMV Verification Functions |
| CSFGIM | Generate Issuer MK |
| CSFMPS | ICSF Multi-Purpose Service |
| CSFBRCK | CKDS KEYS |
| CSFBRPK | PKDS KEYS |
| CSFBRTK | PKCS11 TOKEN |
| CSFPTRE | Encrypted PIN Translate Enhanced |
| CSFKET | Key Encryption Translate |
| CSFPRR2 | PKDS Key Record Read2 |
| CSFWRP | Key Token Wrap |
| CSFKDU | Key Data Set Update |
| CSFRRT | Key Data Set Record Retrieve |
| CSFSTAT | Cryptographic Usage Statistic |
| CSFPIC | Public Infrastructure Certificate |
| CSFDDK | Diversify Directed Key |
| CSFPTR2 | Encrypted PIN Translate2 |
| CSFDRG2 | DK Random PIN Generate2 |
| CSFDCU2 | DK PRW Card Number Update2 |
| CSFT34B | TR-34 Bind-Begin |
| CSFT34C | TR-34 Bind-Complete |
| CSFT34D | TR-34 Key Distribution |
| CSFT34R | TR-34 Key Receive |
1_CC Cryptographic Coprocessor Available Indicates whether at least one cryptographic coprocessor is available. The values are Yes, No, or Unknown.
1_CMOS Indicates whether at least one CMOS cryptographic coprocessor is available. The values are: The values are Yes, No, or Unknown.
1_PCI Indicates whether at least one PCI coprocessor is available. The values are: The values are Yes, No, or Unknown.
ASID The address space ID of the ICSF subsystem.
AvgWait The average internal wait time in seconds per sample.
CCC A cryptographic configuration control bit hexadecimal string.
CCMKeyOK Indicates whether a valid Primary Key has been loaded into a coprocessor. The values are Yes, No, or Unknown.
CDMF Indicates whether Commercial Data Masking Facility is enabled. The values are Enabled, Disabled, or Unknown.
CICSWAITL Indicates the address of the CICS wait list represented as a hexadecimal string. A value of 0 indicates the wait list is not configured.
CKDS_80Full Indicates 80% or more utilization of the Cryptographic Key Dataset space. The values are Yes, No, or Unknown.
CKDSAccess Indicates whether dynamic Cryptographic Key Dataset access is enabled. The values are Enabled, Disabled, or Unknown.
CKDSname The name of the Cryptographic Key Data set.
CryptoSvcs Indicates the status of the cryptographic services. The possible values are Active or Inactive.
DES Indicates whether DES is enabled. The possible values are Enabled, Disabled, or Unknown.
DomainIdx The Domain Index used to access coprocessors from an LPAR. An LPAR is a Logical Partition in a PR/SM environment. See PR/SM for more information.
KMMK_CMOS0 Indicates the state of the Public Key Algorithm, Key Management Primary Key in CMOS coprocessor C0. The values are Valid, Reset, and Unknown.
KMMK_CMOS1 Indicates the state of the Public Key Algorithm, Key Management Primary Key in CMOS coprocessor C1. The values are Valid, Reset, and Unknown.
KMMKey The Public Key Algorithm Key Management Primary Key hash pattern.
MKey The Primary Key verification pattern and authentication pattern.
MKVer The current Primary Key version.
MonStatus Indicates the internal monitor state. The values are Enabled or Disabled, or Unknown.
Note: You can correct the Overrun condition by recycling the ICSF subsystem.
ORIGINNODE The z/OS operating system in your enterprise monitored by an IBM® Z OMEGAMON AI for z/OS agent from which the data is derived.
PCIStatus Indicates the status of PCI coprocessors. The possible values are Active, Online, Present, or None.
PKACall Indicates whether Public Key Algorithm callable services are enabled. The possible values are Enabled, Disabled, Unknown.
PKAMKeys Indicates whether the Public Key Algorithm Primary Keys are valid. The possible values are Valid, Invalid, Unknown.
PKDSname The Public Key Dataset name.
PKDSRead Indicates whether Public Key Dataset read access is enabled. The possible values are Enabled, Disabled, or Unknown.
PKDSWrite Indicates whether Public Key Dataset write access is enabled. The possible values are Enabled, Disabled, or Unknown.
PRSM Indicates whether the coprocessors are operating in a PR/SM configuration. The values are Yes, No, or Unknown. PR/SM stands for Processor Resource/System Manager and is a function that allows the processor unit to operate several system control programs simultaneously in LPAR mode.
SCEDisabled The number of service call exits disabled due to a KCGSEXIT ABEND. If this value is 0, all collector exits are operational.
SMFID The z/OS system associated with the ICSF subsystem executing.
SMK_CMOS0 Indicates the state of the Public Key Algorithm, Signature Primary Key in CMOS coprocessor C0. The possible values are Valid, Reset, or Unknown.
SMK_CMOS1 Indicates the state of the Public Key Algorithm, Signature Primary Key in CMOS coprocessor C1. The possible values are Valid, Reset, or Unknown.
SMKey The Public Key Authentication Signature Primary Key hash pattern.
SSMODE Indicates whether Special Secure Mode is enabled. The values are Enabled, Disabled, or Unknown.
Status Indicates the status of the ICSF subsystem. The possible values are Active, Inactive, Not_Found, Initializing, or Terminating.
Version The ICSF subsystem version and release level.
WLDSname The CICS wait list dataset name.