Displaying cryptographic coprocessor status
Use the ICSF panels to view the status of the coprocessors. To
display coprocessor status:
- Select option 1, COPROCESSOR MGMT, on the ICSF Primary Menu panel.
- The CSFCMP00 — Coprocessor Management panel appears.
On this panel, you can view these options and their values:
- Crypto Feature
- The prefix indicates the type of cryptographic coprocessor or
accelerator.
- The prefix
- Represents a
- A
- PCI Cryptographic Accelerator
- 2C
- Crypto Express2 Coprocessor
- 2A
- Crypto Express2 Accelerator
- 3C
- Crypto Express3 Coprocessor
- 3A
- Crypto Express3 Accelerator
- 4A
- Crypto Express4 Accelerator
- 4C
- Crypto Express4 CCA Coprocessor
- 4P
- Crypto Express4 PKCS #11 Coprocessor
- 5A
- Crypto Express5 Accelerator
- 5C
- Crypto Express5 CCA Coprocessor
- 5P
- Crypto Express5 PKCS #11 Coprocessor
- X
- PCI X Cryptographic Coprocessor
- Serial Number
- The serial number is a number assigned to the Crypto Express coprocessors during manufacture. It is displayed for coprocessors configured for CCA or PKCS #11. It is not displayed for accelerators.
- Status
- This field displays the status of the coprocessor.
- State
- Indication
- Active (Coprocessors)
- All of the MKVPs in the CKDS, PKDS, and TKDS match the current master key registers making the coprocessor available for work.
- Active (Accelerators)
- The accelerator is available for work.
- Master key incorrect (Coprocessors)
- The coprocessor has been configured online. However, at least one master key does not match the MKVP in the CKDS, PKDS, or TKDS. All of the MKVPs in the CKDS, PKDS, and TKDS must match the current master key registers for the coprocessor to become active.
- Offline (All)
- The feature may be physically present but it is not available
to the operating system. Either it has never been configured online
or it has been configured offline by an operator command from the
hardware support element.Note: If a feature is configured offline from the Support Element, this status display will not be updated automatically. Users will need to pressENTER on this panel to get the latest status.
- Disabled by TKE (Coprocessors)
- The feature has been removed from service by the TKE workstation.
- Deactivated (All)
- The feature has been deactivated from the Coprocessor Management panel or system console.
- Busy (All)
- An unexpected error has been returned from the card. The system goes into recovery to try to reset the card. If the reset is successful, the card is usable again. The user will have to press ENTER to refresh the status on the panel.
- Being reconfigured (All)
- An error has been detected and the ICSF configuration task has been invoked to check the feature. The feature may become active if the error is resolved.
- Initializing stage 1 (All)
- A newly online feature has been detected by ICSF and ICSF is starting the initialization process. No status is available.
- Initializing stage 2 (All)
- A newly online feature or active feature is being reset by ICSF as part of the initialization process or recovery process. No status is available.
- Initializing stage 3 (All)
- A newly online feature or inactive feature is being readied to process requests. No status is available.
- Hung User on latch (All)
- A feature is not responding and the configuration task is attempting to obtain the feature latch so the feature can be reset. One or more users hold the latch.
- Bad feature response (All)
- An unexpected response was received from a feature. The feature is unusable.
- Retry limit reached (All)
- While initializing a feature, the limit of attempts to gather status/information was reached. The feature is unusable. ICSF will try again to acquire status.
- Unknown response (Coprocessors)
- The coprocessor has returned an unrecognizable code in response to an attempt to determine its status.
- Unknown feature type (All)
- A feature has a type that is not recognized by ICSF. The feature is unusable.
- AES DES ECC RSA P11
- The state of the master keys in the coprocessor. The state can be U (uninitialized - the current master key register is empty), C (correct - the current master key matches the MKVP in the key data set but the master key is not active), A (active – the master key is active and requests using this master key will be processed by the coprocessor), E (error - the current master key do not match the MKVP in the key data set), or I (ignored – the MKVP is not in the key data set). A hyphen (-) in the state area indicates the key type is not supported.
Note: If your system is running ICSF FMID HCR77B1 or later, the DISPLAY ICSF,CARDS
operator command can also be used to show the state of cryptographic coprocessors and accelerators.
For additional information on ICSF operator commands, see z/OS Cryptographic Services ICSF System Programmer's Guide.