Type: Status
Initial State: Active
Interval: Daily
This is a master key health check. The check detects inconsistencies in the states of the coprocessor master keys. The check is activated when the ICSF task is started and runs on a periodic (daily) basis. The check determines when the state of a master key on at least one coprocessor is not in accord with the state on the other coprocessors.
The master key states for the coprocessors are displayed on the ICSF Coprocessor Management panel. The states can be available ("A"), correct ("C"), error ("E"), uninitialized ("U") or not supported ( - ). Available indicates that the master key loaded on the Coprocessor matches the master key used in the CKDS/PKDS/TKDS and is available for use. Correct indicates that the key matches the key used in the CKDS/PKDS/TKDS but is not available for use. Error indicates that the key does not match the key used in the CKDS/PKDS/TKDS. Uninitialized indicates that the key has not been set. Master keys are identified by Master Key Verification Pattern (MKVP).
The check is instituted to assist the user in maintaining master key functionality. The coprocessor activation algorithm maximizes the number of active cryptographic coprocessors. For non-CCF systems any valid master key is acceptable for coprocessor activation. To activate the maximum number of coprocessors the number of available master keys may be restricted.
Cop \ MK | AES | DES | ECC | RSA | P11 |
---|---|---|---|---|---|
G00 | A | U | A | C | |
G01 | A | C | A | C | |
G02 | A | U | A | U | |
SP04 | A | ||||
SP05 | A |
CHECK(IBMICSF, ICSF_MASTER_KEY_CONSISTENCY)
START TIME: 09/23/2012 14:32:34.584930
CHECK DATE: 20120101 CHECK SEVERITY: MEDIUM
* Medium Severity Exception *
CSFH0015E The state of the AES master key is not consistent across all
coprocessors.
Explanation: The current value for the specified master key is not consistent
across the coprocessors. At least one coprocessor has the specified master
key in a state that is not in agreement with the other coprocessors.
System action: Alert the ICSF Administrator to determine the impact of the
current coprocessor states.
User response: Report this exception to the ICSF Administrator.
Administrator response: Refer to the ICSF Coprocessor Management and hardware
status panels. The state of the specified master key should match for all
Active or Online coprocessors. If problem is not resolved, contact the IBM
Support Center.