ICSFMIG77A1_TKDS_OBJECT

Type: Migration

Initial State: Inactive

Interval: One Time

This is a migration check. If you are migrating to ICSF FMID HCR77A1 or a later release, you should run this check on your system before installing the new release of ICSF.

Note: If you do not have a Token Data Set (TKDS) with PKCS #11 objects in it, there is no need to run this check.

In the HCR77A1 release, ICSF is introducing a common key data set record format for CCA key tokens and PKCS #11 tokens and objects. This new record format adds new fields for key utilization and metadata. Because of the size of the new fields, some existing PKCS #11 objects in the TKDS may cause ICSF to fail to start.

The problem exists for TKDS object records with large objects. The 'User data' field in the existing record cannot be stored in the new record format if the object size is greater than 32,520 bytes. The TKDSREC_LEN field in the record holds the size of the object. If the 'User data' field is not empty and the size of the object is greater than 32,520 bytes, the TKDS cannot be loaded.

This migration check will detect any TKDS object that is too large to allow the TKDS to be loaded when ICSF is started.

The problem can be corrected by:
Note: ICSF does not provide any interface to modify the 'User data' field in the TKDS object record. The field can only be modified by editing the record.

The TKDS object record is documented in the ICSF System Programmer's Guide.

When the Health Check is run, messages are generated. For example:
CHECK(IBMICSF,ICSFMIG77A1_TKDS_OBJECT) 
START TIME: 04/18/2013 08:54:38.293403
CHECK DATE: 20130301  CHECK SEVERITY: MEDIUM

CSFH0023I Active Token Data Set: CSF.TKDS 

The following TKDS objects will lose information: 
SAMPLE.TOKEN                    00000006T 
SAMPLE.TOKEN                    00000005T

* Medium Severity Exception *

CSFH0025E TKDS objects were found that have too much data.

Explanation: This message indicates which objects failed this check.         
    The handle of each object is listed.

System action:  There is no effect on the system.

Operator response:  Contact the ICSF administrator.

System Programmer Response:  Contact the ICSF administrator.

Problem Determination:  n/a                                                   
                                                                                
Source:  n/a                                                                  
                                                                                
Reference Documentation:  z/OS Cryptographic Services Integrated              
  Cryptographic Service Facility: Writing PKCS #11 Applications.              
                                                                                
Automation:  n/a

Check Reason:  Detects objects in the TKDS that will prevent
ICSF from loading the TKDS during initialization.
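
The following Python example is added here and is not IBM code. It parses the check's message buffer shown above to report the active TKDS name, whether the CSFH0025E exception was raised, and the flagged object handles grouped by token, so the administrator knows which tokens need attention before migrating. The handle pattern (token name, padding, 8 hex digits, one trailing character) is an assumption inferred from the two sample lines on this page.

```python
import re
from collections import defaultdict

# Constructed sample: the message buffer reproduced from this page.
SAMPLE_REPORT = """\
CHECK(IBMICSF,ICSFMIG77A1_TKDS_OBJECT)
START TIME: 04/18/2013 08:54:38.293403
CHECK DATE: 20130301  CHECK SEVERITY: MEDIUM

CSFH0023I Active Token Data Set: CSF.TKDS

The following TKDS objects will lose information:
SAMPLE.TOKEN                    00000006T
SAMPLE.TOKEN                    00000005T

* Medium Severity Exception *

CSFH0025E TKDS objects were found that have too much data.
"""

# Assumed handle layout, inferred from the sample lines above.
HANDLE_RE = re.compile(r"^(?P<token>\S+)\s+(?P<seq>[0-9A-F]{8})(?P<kind>[A-Z])$")
TKDS_RE = re.compile(r"^CSFH0023I Active Token Data Set:\s*(?P<dsn>\S+)")
LIST_HEADER = "The following TKDS objects will lose information:"

def parse_report(text):
    """Return the active TKDS name, exception flag and flagged handles."""
    result = {"tkds": None, "exception": False, "objects": []}
    in_list = False
    for line in (raw.strip() for raw in text.splitlines()):
        m = TKDS_RE.match(line)
        if m:
            result["tkds"] = m["dsn"]
        elif line.startswith("CSFH0025E"):
            result["exception"] = True
        elif line == LIST_HEADER:
            in_list = True
        elif in_list and line:
            h = HANDLE_RE.match(line)
            if h:
                result["objects"].append((h["token"], h["seq"], h["kind"]))
            else:
                in_list = False  # first non-handle line ends the list
    return result

def objects_by_token(report):
    """Group flagged handles (sequence + trailing character) by token name."""
    grouped = defaultdict(list)
    for token, seq, kind in report["objects"]:
        grouped[token].append(seq + kind)
    return dict(grouped)
```
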