Compliance warnings

ICSF has support for generating warning events for operations that might need modifications to meet requirements for the request to be compliant. The compliance warning event indicates whether the request was compliant or not.
  • When the request is compliant, the key tokens that are used can be converted to compliant-tagged key tokens and the operation would still be successful.
  • When the request is non-compliant, the key tokens, the service, or the service and rule combination must be updated to be compliant before the key tokens used can be converted to be compliant-tagged.

Warning events are generated for successful requests where at least one of the key tokens used can become compliant-tagged and none of the key tokens are already compliant-tagged. Key tokens that may become compliant-tagged include internal, DES version 00 or version 01 key tokens, internal AES version 04 (DATA), or version 05 key tokens, and internal RSA private key tokens with section identifier X'08', X'30', or X'31'. For services that do not accept compliant-tagged key tokens, only internal key tokens that are used as input to the service are included in the event. For services that accept compliant-tagged key tokens, all key tokens that are used, including output key tokens, are included in the event.

Warning events are in the form of SMF type 82 subtype 48 records. The generation of warning events is controlled by the COMPLIANCEWARN keyword in the ICSF installation options data set.