Type: Migration
Initial State: Inactive
Interval: One Time
This is a migration check. If you are migrating to ICSF FMID HCR77A1 or a later release, you should run this check on your system before installing the new release of ICSF.
In the HCR77A1 release, ICSF is introducing a common key data set record format for CCA key tokens and PKCS #11 tokens and objects. This new record format adds new fields for key utilization and metadata. Because of the size of the new fields, some existing PKCS #11 objects in the TKDS may cause ICSF to fail to start.
The problem exists for TKDS object records with large objects. The 'User data' field in the existing record cannot be stored in the new record format if the object size is greater than 32,520 bytes. The TKDSREC_LEN field in the record holds the size of the object. If the 'User data' field is not empty and the size of the object is greater than 32,520 bytes, the TKDS cannot be loaded.
This migration check will detect any TKDS object that is too large to allow the TKDS to be loaded when ICSF is started.
The TKDS object record is documented in the ICSF System Programmer's Guide.
CHECK(IBMICSF,ICSFMIG77A1_TKDS_OBJECT)
START TIME: 04/18/2013 08:54:38.293403
CHECK DATE: 20130301 CHECK SEVERITY: MEDIUM
CSFH0023I Active Token Data Set: CSF.TKDS
The following TKDS objects will lose information:
SAMPLE.TOKEN 00000006T
SAMPLE.TOKEN 00000005T
* Medium Severity Exception *
CSFH0025E TKDS objects were found that have too much data.
Explanation: This message indicates which objects failed this check.
The handle of each object is listed.
System action: There is no effect on the system.
Operator response: Contact the ICSF administrator.
System Programmer Response: Contact the ICSF administrator.
Problem Determination: n/a
Source: n/a
Reference Documentation: z/OS Cryptographic Services Integrated
Cryptographic Service Facility: Writing PKCS #11 Applications.
Automation: n/a
Check Reason: Detects objects in the TKDS that will prevent
ICSF from loading the TKDS during initialization.
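To hand the flagged objects to the ICSF administrator, the handles can be pulled out of the check report shown above. The following is an added example, not IBM code: it assumes the report layout of the sample (handle lines follow the "will lose information" sentence, each as token name, 8-character sequence number and a one-character type), and `parse_check_report` is a hypothetical helper name.

```python
import re

# Constructed input: the relevant lines of the sample report shown above.
SAMPLE_REPORT = """\
CHECK(IBMICSF,ICSFMIG77A1_TKDS_OBJECT)
START TIME: 04/18/2013 08:54:38.293403
CHECK DATE: 20130301 CHECK SEVERITY: MEDIUM
CSFH0023I Active Token Data Set: CSF.TKDS
The following TKDS objects will lose information:
SAMPLE.TOKEN 00000006T
SAMPLE.TOKEN 00000005T
* Medium Severity Exception *
CSFH0025E TKDS objects were found that have too much data.
"""

# Assumed handle layout, inferred from the sample: token name, blanks,
# 8-character sequence number, one-character object type.
HANDLE_RE = re.compile(
    r"^\s*(?P<token>\S+)\s+(?P<seq>[0-9A-Za-z]{8})(?P<type>[A-Za-z])\s*$")
TKDS_RE = re.compile(r"CSFH0023I Active Token Data Set:\s*(\S+)")
LIST_HEADER = "The following TKDS objects will lose information:"


def parse_check_report(text):
    """Return the active TKDS name, whether CSFH0025E was raised,
    and the handles of the objects that are too large."""
    result = {"tkds": None, "exception": False, "objects": []}
    in_list = False
    for line in text.splitlines():
        found = TKDS_RE.search(line)
        if found:
            result["tkds"] = found.group(1)
        if "CSFH0025E" in line:
            result["exception"] = True
        if LIST_HEADER in line:
            in_list = True
            continue
        if in_list:
            handle = HANDLE_RE.match(line)
            if handle:
                result["objects"].append(handle.groupdict())
            else:
                in_list = False  # first non-handle line ends the list
    return result


if __name__ == "__main__":
    report = parse_check_report(SAMPLE_REPORT)
    print(report["tkds"], "exception:", report["exception"])
    for obj in report["objects"]:
        print(obj["token"], obj["seq"], obj["type"])
```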