Display ICSF
Use the Display ICSF command to:
- Display the status for available cryptographic devices.
- Display certain ICSF options.
- Display cryptographic usage tracking options.
- Display key lifecycle auditing options.
- Display key usage auditing options.
- Display information about regional cryptographic servers (remote devices).
- Display information about the data set that is currently in use and what is set for a dynamic service update.
- Display information pertaining to active key data sets (KDS).
- Display the status of the master key registers for the available cryptographic devices.
- Display the master key verification pattern information from the KDS and cryptographic devices.
- List the systems that are available to participate in commands with a SYSPLEX scope.
Syntax
Parameters
- CARDS
- The system displays the following (message CSFM668I) information about the cryptographic devices
available on the system or sysplex:
- The active domain.
- For each available device:
- The device type (for example, CRYPTO EXPRESS5 COPROCESSOR).
- The device index (for example, 5C36).
- The device status (for example, Active).
- The device serial number (for example, 99EA6059; not applicable for accelerators).
- The firmware level of the device (for example, 6.0.5z).
- The total number of requests since ICSF initialization. This field supports up to 10 digits where the maximum value is 2^32 - 1. If the number of requests exceeds the maximum, ICSF wraps the count and displays a “+” in the high order digit to indicate wrapping (for example, +000000000).
- The number of requests both active and in the work queue for the device.
- The compliance mode of the CCA coprocessor, where applicable (for example, PCI-HSM 2016).
    D ICSF,CARDS
    CSFM668I 16.36.34 ICSF CARDS 259
    ACTIVE DOMAIN = 044
    CRYPTO EXPRESS5 COPROCESSOR 5C00
      STATUS=Active SERIAL#=DV4CK428 LEVEL=5.3.13z
      REQUESTS=0122008567 ACTIVE=0000
    CRYPTO EXPRESS5 ACCELERATOR 5A02
      STATUS=Active
      REQUESTS=0615576059 ACTIVE=0000
    CRYPTO EXPRESS5 COPROCESSOR 5P03
      STATUS=Active SERIAL#=DV4CB353 LEVEL=05.03 CLiC=040D
      REQUESTS=0000000070 ACTIVE=0000
    CRYPTO EXPRESS6 COPROCESSOR 6C05
      STATUS=Active SERIAL#=DV777392 LEVEL=6.0.5z
      REQUESTS=0158807665 ACTIVE=0000
If you are running on a lower release of ICSF, where the highest adapter supported by ICSF is the CEX5S, the display shows the Crypto Express6 coprocessor as 5C05 and the firmware level is 6.0.5.
    D ICSF,CARDS
    CSFM668I 16.42.34 ICSF CARDS 259
    ACTIVE DOMAIN = 044
    CRYPTO EXPRESS6 COPROCESSOR 5C05
      STATUS=Active SERIAL#=DV777392 LEVEL=6.0.5
      REQUESTS=0158807003 ACTIVE=0000
- KDS
- The system displays (message CSFM668I) information about the active
key data sets (KDS) on the system or sysplex:
- The dataset name for each active KDS (CKDS, PKDS, and TKDS).
- The format of the KDS (for example, KDSR):
- Possible values are KDSR, FIXED, and VARIABLE.
- The communication level in place for the KDS (for example, 3). This is only displayed in a sysplex environment.
- Whether the KDS is being shared in a sysplex group (for example, Y).
- The MKVPs initialized in the KDS (for example, DES AES).
- The possible values are:
- DES, AES, or both for CKDS.
- RSA, ECC, or both for PKDS.
- P11, RCS, or both for TKDS.
    SYSA D ICSF,KDS
    SYSA CSFM668I 14.38.31 ICSF KDS 040
    CKDS RACFDRVR.SHERID.CKDSPLX
      FORMAT=KDSR COMM LVL=3 SYSPLEX=Y MKVPs=DES AES
    PKDS RACFDRVR.SHERID.PKDSPLX
      FORMAT=KDSR COMM LVL=3 SYSPLEX=Y MKVPs=RSA ECC
    TKDS RACFDRVR.SHERID.TKDSPLX
      FORMAT=KDSR COMM LVL=3 SYSPLEX=Y MKVPs=P11 RCS
- MKS
- The system displays (message CSFM668I) master key information:
- The name of the system (for example, SYSA).
- The active domain (for example, 003).
- For each device on the system:
- The device index (for example, 5C38).
- The device serial number (for example, 99EA6059).
- The status of the device.
- A status indicator for each possible master key.
For example:
    SYSA D ICSF,MKS
    SYSA CSFM668I 09.45.18 ICSF MKS 852
    SYSNAME: SYSA DOMAIN: 003
    CPC Name: PR2827A
    FEATURE SERIAL#  STATUS AES DES ECC RSA P11
    5C38    99EA6059 Active  A   A   A   A
    5P39    97006054 Active                  A
- MKVPS
- The system displays the following (message CSFM668I) master key verification pattern information
from the KDS and cryptographic devices:
- The dataset name for each active KDS. If there is no active KDS for a particular type of KDS (for example, CKDS), no data set name or device information is displayed for that KDS type.
- Up to six hexadecimal digits of the MKVP information from the header record of the KDS.
- The system name, coprocessor ID, and up to six hexadecimal digits of the current MKVP for each
cryptographic device associated with the KDS.
- A ‘KDS/adapter mismatch’ indicator (‘*’) is displayed if the MKVP of the KDS does not match the MKVP of the cryptographic device or the MKVP of the cryptographic device was ‘Empty’.
- ‘NotSet’ is displayed when the KDS is not initialized with the MKVP.
- ‘Ignored’ is displayed for an MKVP in a cryptographic device if the MKVP in the KDS was not initialized. The MKVP in the cryptographic device is not checked. This is not considered an error when processing the ERRORS option. If the D ICSF,MKVPS,ERR command does not list any errors, issue the D ICSF,MKVPS command to confirm that the KDS MKVPS are set.
- ‘Empty’ is displayed when the MKVP in the cryptographic device is empty.
- ‘N/A’ is displayed for the ECC MKVP value in the cryptographic device when the cryptographic device is a CEX3C and the ECC value is not set in the cryptographic device.
- The number of hexadecimal digits of the MKVP information displayed is truncated to the value specified on the ICSF options parameter MASTERKCVLEN when that parameter value is less than six. The MASTERKCVLEN value used is the value set on the system issuing the command.
The Display ICSF,MKVPS command collects and displays information from systems at ICSF FMID HCR77B1 and later. Information for regional cryptographic servers is not displayed.
Although unlikely, the output from the D ICSF,MKVPS command could show a KDS and coprocessor MKVP value that is the same, but flagged as a mismatch. If this happens:
- Set MASTERKCVLEN to ALL to make sure the command is displaying the maximum of six hexadecimal digits of the MKVP value.
- If the MKVPs of the coprocessor and KDS still appear to match, use the ICSF Coprocessor Hardware Status panel (CSFCMP40) to see all the hexadecimal digits of MKVP in the coprocessor. Next, create a flat file of the KDS using IDCAMS to see the complete MKVP in the KDS header record. Compare the two values. To see the format of the KDS header records, see Diagnosis reference information.
- ERRors
- The display is limited to cryptographic devices whose current MKVP is set or empty and does not match the set MKVP in the KDS. If no KDS MKVPS are set, no errors are flagged. See the explanation of ‘ignored’ above. Use the D ICSF,MKVPS command to ensure that the KDS MKVPS are set.
Example showing that mismatches are found:
    D ICSF,MKVPS,SYSPLEX=Y
    SYS1 D ICSF,MKVPS,SYSPLEX=Y
    SYS1 CSFM668I 15.01.17 ICSF MKVPS
    CKDS ICSFTSTV.VARREC1.CKDS
    ID            AES    DES
    KDSMKVPS .... 2058C8 CA6B40
    S0C 3C04      2058C8 CA6B40
    S0C 3C05      2058C8 CA6B40
    S0C 3C08      2058C8 CA6B40
    S0C 3C09      *Empty *Empty
    -
    S0D 3C07      2058C8 CA6B40
    S0D 3C08      2058C8 CA6B40
    CKDS ICSFTSTV.VARREC1.KDSR.CKDS
    ID            AES    DES
    KDSMKVPS .... 2058C8 CA6B40
    S20 5C00      2058C8 CA6B40
    S20 5C01      2058C8 CA6B40
    S20 6C05      2058C8 CA6B40
    -
    S22 5C00      2058C8 CA6B40
    S22 5C01      2058C8 CA6B40
    PKDS ICSFTSTV.KDSR1.PKDS
    ID            ECC    RSA
    KDSMKVPS .... 78D81A E83F15
    S20 5C00      78D81A E83F15
    S20 5C01      78D81A E83F15
    S20 6C05      78D81A E83F15
    -
    S22 5C00      78D81A E83F15
    S22 5C01      78D81A E83F15
    S22 5C05      78D81A E83F15
    TKDS ICSFTSTV.GLGSML.EP11.TKDS
    ID            P11
    KDSMKVPS .... 5B083D
    S0C 4P13      *Empty
    S0C 4P15      5B083D
    *KDS/adapter MKVP mismatch
Example showing that no errors are found:
    SY1 d icsf,mkvps
    SY1 CSFM668I 15.40.14 ICSF MKVPS
    CKDS ICSFTSTV.VARREC1.CKDS
    ID            AES    DES
    KDSMKVPS .... 2058C8 CA6B40
    S0C 3C04      2058C8 CA6B40
    PKDS ICSFTSTV.KDSR1.PKDS
    ID            ECC    RSA
    KDSMKVPS .... 78D81A E83F15
    S20 5C00      78D81A E83F15
    TKDS ICSFTSTV.GLGSML.EP11.TKDS
    ID            P11
    KDSMKVPS .... 5B083D
    S0C 4P15      5B083D
Example showing that the Errors keyword is specified and no errors are found:
    SY1 d icsf,mkvps,err
    SY1 CSFM668I 15.41.14 ICSF MKVPS
    No KDS/adapter MKVP mismatches found or KDS MKVPs not set
Example showing that either no KDS is defined or no cryptographic adapters are online:
    SY1 d icsf,mkvps
    CSFM668I 08.49.49 ICSF MKVPS
    No KDS defined or no cryptographic adapters online
Example showing that when an MKVP is not set in the KDS, the cryptographic device MKVP value is ‘Ignored’. If the MKVP value is set in the KDS, the cryptographic device MKVP is ‘Empty’:
    SY1 d icsf,mkvps
    SY1 CSFM668I 16.38.00 ICSF MKVPS
    CKDS ISFTEST.CLC.CKDSVAR
    ID            AES    DES
    KDSMKVPS .... 2058C8 NotSet
    SY1 5C38      2058C8 Ignored
    PKDS ISFTEST.CLC.PKDSNEW
    ID            ECC    RSA
    KDSMKVPS .... 78D81A E83F15
    SY1 5C39      78D81A *Empty
    *KDS/adapter MKVP mismatch
    No TKDS defined or no EP11 adapters online
Example showing how the use of the Errors keyword alters the output from the Display ICSF,MKVPS command so that only the line flagged with ‘*’ is displayed:
    SY1 d icsf,mkvps,err
    SY1 CSFM668I 16.41.34 ICSF MKVPS
    PKDS ISFTEST.CLC.PKDSNEW
    ID       ECC    RSA
    MKVP     78D81A E83F15
    SY1 5C39 78D81A *Empty
    *KDS/adapter MKVP mismatch
Example showing CEX3C with ECC and MKVP is not set in the cryptographic device:
    SY1 d icsf,mkvps
    PKDS ENG.BOTHMK.PKDS
    ID       ECC    RSA
    MKVP     78D81A E83F15
    SY1 3C03 N/A    E83F15
For information to help resolve KDS/adapter mismatch problems, see ‘Managing CCA Master Keys’ and ‘Managing PKCS #11 master keys’ in z/OS Cryptographic Services ICSF Administrator's Guide.
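The status values described above, applied to captured D ICSF,MKVPS output, as an added example that is not part of the IBM documentation: it reports the ‘*’ mismatches and also the ‘NotSet’/‘Ignored’ and ‘No ...’ results that the ERRORS option does not treat as errors. The sample output is constructed, and the one-record-per-line layout, the device-index pattern, and the finding names are assumptions.

```python
import re

# Constructed sample in the layout of the page's D ICSF,MKVPS examples;
# one record per line is an assumption about the console layout.
SAMPLE = """\
SY1 CSFM668I 16.38.00 ICSF MKVPS
CKDS ISFTEST.CLC.CKDSVAR
ID AES DES
KDSMKVPS .... 2058C8 NotSet
SY1 5C38 2058C8 Ignored
PKDS ISFTEST.CLC.PKDSNEW
ID ECC RSA
KDSMKVPS .... 78D81A E83F15
SY1 5C39 78D81A *Empty
SY1 5C40 78D81A *E83F15
SY1 3C03 N/A E83F15
*KDS/adapter MKVP mismatch
No TKDS defined or no EP11 adapters online
"""

KDS_RE = re.compile(r"^(CKDS|PKDS|TKDS)\s+(\S+)$")
KDSVAL_RE = re.compile(r"^(?:KDSMKVPS\s+\.+|MKVP)\s+(.+)$")
DEV_RE = re.compile(r"^(\S+)\s+(\d[A-Z][0-9A-F]{2})\s+(.+)$")


def classify(kds_val, dev_val):
    """Return a finding kind for one device column, or None if it is clean."""
    if kds_val == "NotSet" or dev_val == "Ignored":
        return "unchecked"    # KDS MKVP not set, so the ERRORS option stays silent
    if dev_val == "N/A":
        return None           # CEX3C with no ECC value set in the device
    if dev_val.startswith("*"):
        # Flagged although the displayed digits agree: truncated display.
        return "flagged-equal-digits" if dev_val[1:] == kds_val else "mismatch"
    return None if dev_val == kds_val else "mismatch"


def audit_mkvps(text):
    """Return (kds, system, device, key_type, kind) tuples needing follow-up."""
    findings, kds, cols, kds_vals = [], None, [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := KDS_RE.match(line):
            kds, cols, kds_vals = m.group(1), [], {}
        elif line.startswith("ID "):
            cols = line.split()[1:]
        elif (m := KDSVAL_RE.match(line)) and cols:
            kds_vals = dict(zip(cols, m.group(1).split()))
        elif (m := DEV_RE.match(line)) and kds_vals:
            for col, val in zip(cols, m.group(3).split()):
                kind = classify(kds_vals.get(col, ""), val)
                if kind:
                    findings.append((kds, m.group(1), m.group(2), col, kind))
        elif line.startswith("No "):
            # "No ... found or KDS MKVPs not set" / "No ... defined or no ...
            # online": nothing was compared, so this is not a clean result.
            findings.append((line.split()[1], "-", "-", "-", "inconclusive"))
    return findings


if __name__ == "__main__":
    for finding in audit_mkvps(SAMPLE):
        print(*finding)
```

A ‘flagged-equal-digits’ finding corresponds to the case above where MASTERKCVLEN should be set to ALL before comparing the values again.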
- LIST
- The system displays (message CSFM668I) members of a sysplex who
are eligible to participate in Display ICSF and SETICSF commands.
LIST is the default option. For example:
    SY1 D ICSF,LIST
    SY1 CSFM668I 08.08.57 ICSF LIST 742
    Systems supporting SETICSF and DISPLAY ICSF commands:
    SYSNAME RELEASE DOM CHG_DATE
    SY1     HCR77D0 000 06/18/19
- OPTions
- The system displays the following information (message CSFM668I):
- The name of the system (for example, SYSA).
- The ICSF release that is active (for example, HCR77B1).
- The most recent build date of ICSF executable code (for example, 01/09/16 or the latest ICSF code change).
- How much time must elapse between key references before a refdate change is recorded in the KDS record (refdate update interval).
- How often KDS refdate updates are hardened to the KDS dataset (refdate update period).
- The number of master key verification pattern digits.
- The cryptographic usage statistics that are being tracked.
- The COMPLIANCEWARN and AUDIT information.
For example:
    SYSA D ICSF,OPTIONS
    SYSA CSFM668I 10.23.21 ICSF OPTIONS 833
    SYSNAME = SYSA ICSF LEVEL = HCR77C1
    LATEST ICSF CODE CHANGE = 08/22/17
    Refdate update interval in Days/HH.MM.SS = 030/00.00.00
    Refdate update period in Days/HH.MM.SS = 000/01.00.00
    MASTERKCVLEN = display 3 digits
    AUDITKEYLIFECKDS: Audit CCA symmetric key lifecycle events
      SYSNAME LABEL TOKEN
      SYSA    Yes   Yes
    AUDITKEYLIFEPKDS: Audit CCA asymmetric key lifecycle events
      SYSNAME LABEL TOKEN
      SYSA    Yes   Yes
    AUDITKEYLIFETKDS: Audit PKCS #11 key lifecycle events
      SYSNAME TOKOBJ SESSOBJ
      SYSA    Yes    Yes
    AUDITKEYUSGCKDS: Audit CCA symmetric key usage events
      SYSNAME LABEL TOKEN Interval Days/HH.MM.SS
      SYSA    Yes   Yes   000/01.00.00
    AUDITKEYUSGPKDS: Audit CCA asymmetric key usage events
      SYSNAME LABEL TOKEN Interval Days/HH.MM.SS
      SYSA    Yes   Yes   000/01.00.00
    AUDITPKCS11USG: Audit PKCS #11 usage events
      SYSNAME TOKOBJ SESSOBJ NOKEY Interval Days/HH.MM.SS
      SYSA    Yes    Yes     Yes   000/01.00.00
    STATS:
      SYSA ENG, SRV, ALG
    COMPLIANCEWARN: Compliance warning events
      SYSA PCI-HSM 2016 Yes
- REMOTEdevice|RD
- Displays information about regional cryptographic
servers (remote devices) on either the local system or, if SYSPLEX=YES is specified,
all systems in the sysplex.
Notes:
- At least one REMOTEDEVICE option must have been specified in the ICSF installation options data set prior to ICSF being started in order for the Display ICSF,REMOTEDEVICE command to be operational.
- In addition, the current machine type must be an IBM zEnterprise EC12 or later machine.
- If ICSF is started without any REMOTEDEVICE entries specified in the ICSF installation options data set or while running on a machine type other than an IBM zEnterprise EC12 or later machine, the Display ICSF,REMOTEdevice command fails, and ICSF issues message CSFM669I.
The results of the command are displayed through message CSFM668I:
- The dataset name for the active TKDS (for example, CSF.TKDS2).
- The first three hexadecimal bytes of the regional cryptographic server master key verification pattern from the TKDS (for example, AB1122).
- For each device on the system:
- The device serial number (for example, 87651130).
- The device port number (for example, 8001).
- The level indicating the generation of card code (for example, LEVEL=01.00).
- The HOST/IP of the device (for example, HOST/IP@=123.45.34.100).
- The remote device identifier (REGIONAL CRYPTO SRV);
for example, 1R09, where:
- 1 = Generation of the device.
- R = Remote regional cryptographic server.
- 09 = Index as defined in the options dataset.
- The status of the device (for example, Active).
- The current number of socket connections / the maximum number of socket connections as defined
in the options dataset (for example, 7/8). Note: If the current number of sockets = the maximum number of sockets defined, only one number is displayed (as with the second example showing Sockets=8).
- The current number of active cryptographic requests on the device (in this example, 5 for the first remote device (serial number 87651130) and 6 for the second remote device (serial number 87661276)).
- The total number of cryptographic requests on the device since ICSF initialization. This field supports up to 10 digits where the maximum value is 2^32 - 1. If the number of requests exceeds the maximum, ICSF wraps the count and displays a “+” in the high order digit to indicate wrapping (for example, +000000000).
- Optional new master key information: The first three hexadecimal bytes of the
regional cryptographic server new master key verification pattern and the state of the new master
key (for example, FULL COMMITTED).
Note: During heavy workloads or when SYSPLEX=YES is specified, the display command may be unable to retrieve a recently updated new master key value. If the new master key verification pattern that is displayed does not match the new master key loaded from the RCS utility, wait 10 minutes for an implicit RCS check and then reissue the display command. Otherwise, issue the SETICSF RESTART command for each RCS device.
- Optional diagnostic information: Displays the device MKVP when the regional cryptographic server master key does not match that in the TKDS.
    SYSA D ICSF,RD
    SYSA CSFM668I 04.47.06 ICSF RD 424
    TKDS = CSF.TKDS2
    RCS MKVP FROM TKDS = AB1122 ...
    SERIAL NUMBER=87651130 PORT=8001 LEVEL=01.00 HOST/IP@=123.45.34.100
      REGIONAL CRYPTO SRV 1R06 SYSA Active Sockets=7/8 REQUESTS ACTIVE=0005
    SERIAL NUMBER=87661276 PORT=8001 LEVEL=01.00 HOST/IP@=123.45.34.101
      REGIONAL CRYPTO SRV 1R09 SYSA Active Sockets=8 REQUESTS ACTIVE=0006
When SYSPLEX=YES is specified, ICSF collects the remote device information from all the systems in the sysplex for display through message CSFM668I. The output of message CSFM668I is sorted and grouped using the sort keys:
- TKDS
- SERIAL NUMBER
- PORT
    SYSA D ICSF,RD,SYSPLEX=Y
    SYSA CSFM668I 05.54.31 ICSF RD 502
    TKDS = CSF.TKDS2
    RCS MKVP FROM TKDS = AB1122 ...
    SERIAL NUMBER=87651130 PORT=8001 LEVEL=01.00 HOST/IP@=123.45.34.100
      REGIONAL CRYPTO SRV 1R06 SYSA Active Sockets=8 REQUESTS ACTIVE=0000
    SERIAL NUMBER=87651130 PORT=8002 LEVEL=01.00 HOST/IP@=123.45.34.100
      REGIONAL CRYPTO SRV 1R06 SYSB Active Sockets=8 REQUESTS ACTIVE=0000
    SERIAL NUMBER=87651130 PORT=8003 LEVEL=01.00 HOST/IP@=123.45.34.100
      REGIONAL CRYPTO SRV 1R06 SYSC Active Sockets=8 REQUESTS ACTIVE=0000
    SERIAL NUMBER=87661062 PORT=8003 LEVEL=01.00 HOST/IP@=123.45.34.103
      REGIONAL CRYPTO SRV 1R16 SYSC Active Sockets=8 REQUESTS ACTIVE=0000
    SERIAL NUMBER=87661276 PORT=8001 LEVEL=01.00 HOST/IP@=123.45.34.101
      REGIONAL CRYPTO SRV 1R09 SYSA Active Sockets=8 REQUESTS ACTIVE=0000
    SERIAL NUMBER=87661276 PORT=8002 LEVEL=01.00 HOST/IP@=123.45.34.101
      REGIONAL CRYPTO SRV 1R09 SYSB Active Sockets=8 REQUESTS ACTIVE=0000
    SERIAL NUMBER=87661276 PORT=8003 LEVEL=01.00 HOST/IP@=123.45.34.101
      REGIONAL CRYPTO SRV 1R09 SYSC Active Sockets=8 REQUESTS ACTIVE=0000
    SERIAL NUMBER=87671176 PORT=8003 LEVEL=01.00 HOST/IP@=123.45.34.102
      REGIONAL CRYPTO SRV 1R13 SYSC Active Sockets=8 REQUESTS ACTIVE=0000
- SERVICELIBS | SRVL
- The SERVICELIBS keyword displays the following information (message CSFM668I) about the data
sets being used for active ICSF and what would be used in the event of a dynamic service update or
after a restart of ICSF.
- SCSFMOD0
- The information listed shows the data set locations for SCSFMOD0. The data set listed under CURRENT is what the active instance of ICSF is using. The data set listed under NEXT is what is specified for the option SERVSCFMOD0 in the options dataset. NEXT will always be LNKLST unless SERVICELIBS(YES) has been specified.
- SIEALNKE
- The information listed shows the data set locations for SIEALNKE. The data set listed under CURRENT is what the active instance of ICSF is using. The data set listed under NEXT is what is specified for the option SERVSIEALNKE in the options dataset. NEXT will always be LNKLST unless SERVICELIBS(YES) has been specified.
- CURRENT
- Refers to the current code running for the instance of ICSF. It is either LNKLST or a data set that was loaded via a service option.
- NEXT
- Refers to the data set that would be used after the next SETICSF PAUSE command is run or what would be used after a manual start and restart of ICSF. If this information differs from what is in the options data set, either the options data set should be updated to match it, or a SETICSF OPT,REFRESH command should be run to pick up the new service option values. NEXT will always be LNKLST unless SERVICELIBS(YES) has been specified.
    D ICSF,SERVICELIBS,SYSPLEX=Y
    HCR77D0 SCSFMOD0 CURRENT   VOLSER
      SYS1 LNKLST
      SYS2 LNKLST
      SYS3 SERV1.SCSFMOD0      CSFVO1
    HCR77D0 SCSFMOD0 NEXT
      SYS1 SYS1.SRV1           SRVDR1
      SYS2 SYS1.SRV1           SRVDR1
      SYS3 SERV1.SCSFMOD0      SRVDR1
    HCR77D0 SIEALNKE CURRENT   VOLSER
      SYS1 LNKLST
      SYS2 LNKLST
      SYS3 SERV1.SIEALNKE      CSFVO1
    HCR77D0 SIEALNKE NEXT
      SYS1 SYS1.SRV1           SRVDR1
      SYS2 SYS1.SRV1           SRVDR1
      SYS3 SERV1.SIEALNKE      CSFVO1
- SYSPLEX(YES or NO)
- The SYSPLEX keyword increases the scope of the Display ICSF command
to all participating members of the sysplex. The Display ICSF output
is grouped according to CPC Name and shows the results of the Display
ICSF command as it was executed on each member. Specify SYSPLEX=Yes
to execute the command on all systems. Otherwise, specify SYSPLEX=No
to execute the command only on the local (initiating) system. SYSPLEX=No
is the default. For example:
    D ICSF,CARDS,SYSPLEX=Y
    CSFM668I 11.49.49 ICSF CARDS 919
    CPC Name = R01 CPC Sequence# = 0000000000042E08
    CRYPTO EXPRESS6 COPROCESSOR 6C57 SERIAL#=99EA6003 LEVEL=6.0.00z
      SYSA DOMAIN=000 Active REQUESTS=0000 PCI-HSM=2016 MIGRATION
      SYSB DOMAIN=002 Active REQ=4294967295 ACT=0008
      SYSC DOMAIN=008 Active REQ=N/A ACT=0001
    CRYPTO EXPRESS5 COPROCESSOR 5P58 SERIAL#=97006035 LEVEL=02.09
      SYSA DOMAIN=000 Active REQ=0000000100 ACT=0005
      SYSB DOMAIN=002 Active REQ=0000000010 ACT=0003
      SYSC DOMAIN=008 Active REQ=N/A ACT=0007
    CPC Name = R02 CPC Sequence# = 0000000000042E09
    CRYPTO EXPRESS5 COPROCESSOR 5P59 SERIAL#=97006102 LEVEL=02.09
      SYSA DOMAIN=000 Active REQ=0000000030 ACT=0006
    CRYPTO EXPRESS5 ACCELERATOR 5P60
      SYSC DOMAIN=008 Active REQ=+000085315 ACT=0004

    SYSA D ICSF,OPT,SYSPLEX=Y
    SYSA CSFM668I 11.36.35 ICSF OPTIONS 995
    SYSNAME = SYSA ICSF LEVEL = HCR77B1
    LATEST ICSF CODE CHANGE = 01/09/15
    Refdate update interval in Days/HH.MM.SS = 030/00.00.00
    Refdate update period in Days/HH.MM.SS = 000/01.00.00
    MASTERKCVLEN = display 3 digits
    SYSNAME = SYSB ICSF LEVEL = HCR77B1
    LATEST ICSF CODE CHANGE = 01/09/15
    Refdate update interval in Days/HH.MM.SS = 005/00.00.00
    Refdate update period in Days/HH.MM.SS = 000/01.00.00
    MASTERKCVLEN = display 3 digits
Usage Notes
For information on how to limit the use of MVS console commands to a specific set of users, see the System Operations topic in z/OS MVS System Commands.