Abstract for z/OS Cryptographic Services Integrated Cryptographic Service Facility Administrator's Guide

Purpose of this information

This information describes how to manage cryptographic keys by using the z/OS Cryptographic Services Integrated Cryptographic Service Facility (ICSF), which is part of z/OS Cryptographic Services. The z/OS Cryptographic Services include these components:
  • z/OS Integrated Cryptographic Service Facility (ICSF)
  • z/OS Open Cryptographic Services Facility (OCSF)
  • z/OS System Secure Socket Level Programming (SSL)
  • z/OS Public Key Infrastructure Services (PKI)

ICSF is a software element of z/OS that works with hardware cryptographic features and Security Server (RACF) to provide secure, high-speed cryptographic services in the z/OS environment. ICSF provides the application programming interfaces by which applications request the cryptographic services. The cryptographic feature is secure, high-speed hardware that performs the actual cryptographic functions.

The cryptographic hardware features available to your applications depend on the server.

ICSF features

ICSF enhances z/OS security as follows:
  • It ensures data privacy by encrypting and decrypting the data.
  • It manages personal identification numbers (PINs).
  • It ensures the integrity of data through the use of modification detection codes (MDCs), hash functions, or digital signatures.
  • It ensures the privacy of cryptographic keys themselves by encrypting them under a master key or another key-encrypting key.
  • It enforces DES key separation, which ensures that cryptographic keys are used only for their intended purposes.
  • It enhances system availability by providing continuous operation.
  • It enables the use of Rivest-Shamir-Adelman (RSA), Digital Signature Standard (DSS), and Elliptic Curve Cryptography (ECC) public and private keys on a multi-user, multi-application platform.
  • It provides the ability to generate RSA and ECC key pairs within the secure hardware boundary of the cryptographic hardware features.

Who should read this information

This information is intended for anyone who manages cryptographic keys. Usually, this person is the ICSF administrator.

The ICSF administrator performs these major tasks:
  • Entering and changing master keys.
  • Generating, entering, and updating cryptographic keys.
  • Viewing system status, which includes hardware status, installation options, installation exits, and installation services.