ICSFMIG77A1_COPROCESSOR_ACTIVE

Type: Migration

Initial State: Inactive

Interval: One Time

This is a migration check. If you are migrating to ICSF FMID HCR77A1 or a later release, you should run this check on your system before installing the new release of ICSF.

The migration check detects CCA cryptographic coprocessors with master keys that don't match the CKDS and PKDS. A coprocessor that has master keys that do not match the CKDS and PKDS will not become active when ICSF FMID HCR77A1 or later is started. This will affect the availability of coprocessors for cryptographic work.
Note: Coprocessors that have been deactivated from the ICSF Coprocessor Management panel will not be checked.

The method to decide which coprocessors become active has changed for HCR77A1 and later releases. The master key verification pattern (MKVP) of the current master key register will be compared against the MKVPs in the header record of the CKDS and PKDS. If the MKVP is in the header record, the current master key must match that MKVP in order for the coprocessor to become active. This applies to all master keys that the coprocessor supports. When there is a MKVP in a key store and the coprocessor doesn't support that master key, it is ignored. When a MKVP is not in a key store, the master key is ignored. Note that if there are no MKVPs in any key store, the coprocessor will be active. Note that an initialized CKDS that has no MKVPs in the header record cannot be used on a system that has online coprocessors.

The check output is obtained by selecting (s) on the Health Checker menu:

When the Health Check is run, the following messages are generated:
For example, the coprocessor installed at index 01 doesn't have the correct AES master key, the health check will generate the following exception:
CHECK(IBMICSF,ICSFMIG77A1_COPROCESSOR_ACTIVE)
START TIME: 09/23/2013 14:32:34.584930
CHECK DATE: 20120101 CHECK SEVERITY: MEDIUM

* Medium Severity Exception *

CSFH0018I: Active key stores: CKDS CSF.CKDS and PKDS CSF.PKDS. 

CSFH0019E Coprocessor 01 serial number ssssssss has mismatched AES master keys.

Explanation: The coprocessor installed with index  nn will not become active when
ICSF FMID HCR77A1 or later is installed. The current type master key(s) loaded on
the coprocessor do not have the same value (as indicated by the master key 
verification pattern (MKVP)) as stored in the CKDS or PKDS. 

System action:  There is no effect on the system.

Operator response:  Contact the ICSF administrator.

ICSF Administrator response: The administrator should load the correct master 
keys as indicated in the message using the ICSF master key entry panels or TKE. 
The master keys are set using the SETMK panel utility on the Master Key Management
panel. Rerun this migration check after all master keys have been processed.