Type: Migration
Initial State: Inactive
Interval: One Time
This is a migration check. If you are migrating to ICSF FMID HCR77A1 or a later release, you should run this check on your system before installing the new release of ICSF.
The method used to decide which coprocessors become active has changed for HCR77A1 and later releases. The master key verification pattern (MKVP) of the current master key register is compared against the MKVPs in the header records of the CKDS and PKDS. If an MKVP is in the header record, the current master key must match that MKVP in order for the coprocessor to become active. This applies to all master keys that the coprocessor supports. When there is an MKVP in a key store and the coprocessor doesn't support that master key, the MKVP is ignored. When an MKVP is not in a key store, the master key is ignored. Note that if there are no MKVPs in any key store, the coprocessor will be active. Note also that an initialized CKDS that has no MKVPs in the header record cannot be used on a system that has online coprocessors.
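The activation rule described above, modelled as an added example (this is not ICSF code and not part of the original documentation). The master key type labels, the MKVP values and all class and function names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Coprocessor:
    index: str
    supported: set                                     # master key types the card supports
    current_mkvp: dict = field(default_factory=dict)   # type -> MKVP of current master key register

def mismatched_master_keys(cop, ckds_header, pkds_header):
    """Master key types that would keep this coprocessor from becoming active."""
    mismatched = []
    for header in (ckds_header, pkds_header):
        for key_type, stored_mkvp in header.items():
            if not stored_mkvp:
                continue          # no MKVP in the key store: master key is ignored
            if key_type not in cop.supported:
                continue          # MKVP present but type unsupported: ignored
            if cop.current_mkvp.get(key_type) != stored_mkvp:
                mismatched.append(key_type)   # empty or different register: mismatch
    return sorted(mismatched)

def becomes_active(cop, ckds_header, pkds_header):
    # With no MKVPs in any key store the loop finds nothing, so the card is active.
    return not mismatched_master_keys(cop, ckds_header, pkds_header)

# Constructed sample data (MKVP values are made up and shortened for readability).
CKDS = {"DES": "d1d1d1d1", "AES": "a1a1a1a1"}
PKDS = {"RSA": "b2b2b2b2", "ECC": "e3e3e3e3"}
COP_OK = Coprocessor("00", {"DES", "AES", "RSA"},
                     {"DES": "d1d1d1d1", "AES": "a1a1a1a1", "RSA": "b2b2b2b2"})
COP_BAD_AES = Coprocessor("01", {"DES", "AES", "RSA"},
                          {"DES": "d1d1d1d1", "AES": "a9a9a9a9", "RSA": "b2b2b2b2"})

if __name__ == "__main__":
    for cop in (COP_OK, COP_BAD_AES):
        bad = mismatched_master_keys(cop, CKDS, PKDS)
        state = "active" if not bad else "NOT active, mismatched: " + ", ".join(bad)
        print(f"Coprocessor {cop.index}: {state}")
```

In this model, coprocessor 00 stays active even though the PKDS header carries an MKVP for a master key type it does not support, while coprocessor 01 is held inactive by a single mismatched master key.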
The check output is obtained by selecting (s) on the Health Checker menu:
CHECK(IBMICSF,ICSFMIG77A1_COPROCESSOR_ACTIVE)
START TIME: 09/23/2013 14:32:34.584930
CHECK DATE: 20120101 CHECK SEVERITY: MEDIUM
* Medium Severity Exception *
CSFH0018I: Active key stores: CKDS CSF.CKDS and PKDS CSF.PKDS.
CSFH0019E Coprocessor 01 serial number ssssssss has mismatched AES master keys.
Explanation: The coprocessor installed with index nn will not become active when
ICSF FMID HCR77A1 or later is installed. The current type master key(s) loaded on
the coprocessor do not have the same value (as indicated by the master key
verification pattern (MKVP)) as stored in the CKDS or PKDS.
System action: There is no effect on the system.
Operator response: Contact the ICSF administrator.
ICSF Administrator response: The administrator should load the correct master
keys as indicated in the message using the ICSF master key entry panels or TKE.
The master keys are set using the SETMK panel utility on the Master Key Management
panel. Rerun this migration check after all master keys have been processed.