Type: Migration
Initial State: Inactive
Interval: One Time
This is a migration check. The check detects the presence of retained keys on the cryptographic coprocessors. Retained keys will not be supported in subsequent releases of ICSF. Existing retained keys will become unusable.
Retained keys are listed by coprocessor. The generated Health Checker report lists the coprocessor serial number and the retained key label. Existing retained keys must be replaced with RSA keys stored in the PKDS rather than retained on the coprocessor.
CHECK(IBMICSF,ICSFMIG7731_ICSF_RETAINED_RSAKEY)
START TIME: 05/20/2011 08:16:29.689677
CHECK DATE: 20071201 CHECK SEVERITY: LOW
Coprocessor
Serial Retained key label
----------------------------------------------------------------------
93X06020 HCR7750.RKEY.RSA.CRT.1024MOD
93X06020 HCR7750.RKEY.RSA.CRT.1024MOD.SIGONLY
* Low Severity Exception *
CSFH0003E Cryptographic coprocessors were examined and found to
possess retained RSA Keys.
Explanation: Coprocessors online to this system were found to possess
one or more retained RSA keys, implying retained RSA keys are
potentially being used on this system. ICSF is deprecating its
retained RSA key support.
System Action: There is no effect on the system.
Operator Response: Report this exception to the System Programmer.
System Programmer Response: Alert the installation security
Administrator and application and middleware administrators for this
system.
Problem Determination: Investigate the cryptographic services
utilized by the workload executed on this system and determine which
application and middleware products use retained RSA key services
for key management use that would depend upon the key labels in the
report. Develop an immediate strategy to remove any dependencies on
creating new ICSF-supported retained RSA keys prior to migration to
ICSF release level HCR7750, and an eventual strategy to remove any
dependencies on ICSF-supported retained key interfaces.
Source: Integrated Cryptographic Service Facility (ICSF)
Reference Documentation: z/OS Cryptographic Services Integrated
Cryptographic Service Facility: Systems Programmers Guide (HCR7750
and later).
Automation: n/a
Check Reason: Detects use of retained RSA private keys.
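
The retained key table in a report like the one above can be turned into a per-coprocessor inventory for tracking replacement with PKDS-stored RSA keys. The following Python sketch is an added example, not part of ICSF or IBM Health Checker; the function names are hypothetical, and it assumes each table row is an 8-character serial number followed by a key label with no embedded blanks, as in the sample report.

```python
import re
from collections import defaultdict

# Text copied from the sample report on this page (abridged after the message ID).
SAMPLE_REPORT = """\
CHECK(IBMICSF,ICSFMIG7731_ICSF_RETAINED_RSAKEY)
START TIME: 05/20/2011 08:16:29.689677
CHECK DATE: 20071201 CHECK SEVERITY: LOW
Coprocessor
Serial Retained key label
----------------------------------------------------------------------
93X06020 HCR7750.RKEY.RSA.CRT.1024MOD
93X06020 HCR7750.RKEY.RSA.CRT.1024MOD.SIGONLY
* Low Severity Exception *
CSFH0003E Cryptographic coprocessors were examined and found to
possess retained RSA Keys.
"""

# Assumed row layout: "<serial> <label>" (see lead-in).
ROW = re.compile(r"^\s*([0-9A-Z]{8})\s+(\S+)\s*$")
RULE = re.compile(r"^\s*-{10,}\s*$")  # dashed line that precedes the rows


def parse_retained_keys(report):
    """Return {coprocessor serial: [retained key labels]} from the report text."""
    keys = defaultdict(list)
    in_table = False
    for line in report.splitlines():
        if RULE.match(line):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue  # header lines before the table, or blank lines
        row = ROW.match(line)
        if row is None:
            break  # first non-row line ends the table (exception text follows)
        serial, label = row.groups()
        if label not in keys[serial]:
            keys[serial].append(label)
    return dict(keys)


def labels_to_replace(report):
    """Sorted unique labels across all coprocessors: the keys to replace in the PKDS."""
    found = parse_retained_keys(report)
    return sorted({label for labels in found.values() for label in labels})
```

A report with no dashed rule or no rows yields an empty inventory, which is the expected result once every retained key has been replaced.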