Table 1 lists reason codes returned from callable services that give return code 12. These reason codes indicate that the call to the callable service was not successful. Either cryptographic processing did not take place, or the last cryptographic processor was switched offline. Therefore, no output parameters were filled.
| Reason Code Hex (Decimal) | Description |
|---|---|
| 0 (0) | ICSF is not available.
One of the following situations is possible:
OR CKDS Key Record Create2 or CKDS Key Record Write2 was called to add a variable-length key record to a fixed-length CKDS. A variable-length symmetric key token can only be added to a CKDS that supports variable-length records. User action: Contact the security administrator or system programmer to activate (refresh) a CKDS that supports variable-length records. |
| 4 (4) | The CKDS or PKDS management
service you called is not available because it has been disallowed
by the ICSF User Control Functions panel. User action: Contact the security administrator or system programmer to determine why the CKDS or PKDS management services have been disallowed. |
| 8 (8) | The service or algorithm
is not available on current hardware. Your request cannot be processed. User action: Correct the calling program or run on applicable hardware. |
| C (12) | The service that you
called is unavailable because the installation exit for that service
had previously failed. User action: Contact your ICSF administrator or system programmer. |
| 10 (16) | A requested installation
service routine could not be found. Your request was not processed.
User action: Contact your ICSF administrator or system programmer. |
| 1C (28) | Cryptographic asynchronous
processor failed. User action: Contact your IBM support center. |
| 28 (40) | The callable service that you called is unsupported for AMODE(64) applications. Your request cannot be processed. |
| 2C (44) | The callable service
that you called was linked with the AMODE(64) stub. The application
is not running AMODE(64). Your request cannot be processed. User action: Link your application with the service stub with the appropriate addressing mode. |
| 0C5 (197) | I/O error reading or writing to the DASD copy
of the CKDS or PKDS in use by ICSF. User action: Contact your ICSF security administrator or system programmer. The RPL feedback code will be placed in the high-order halfword of the reason code field. |
| 144 (324) | There was insufficient coprocessor memory available
to process your request. This could include the Flash EPROM used
to store keys, profiles and other application data. User action: Contact your system programmer or the IBM Support Center. |
| 2FC (764) | The master key is not in a valid state. User action: Contact your ICSF administrator. REASONCODES: ICSF 2B08 (11016) |
| 301 (769) | A cryptographic internal device driver component detected data contained in a cryptographic request that is not valid. |
| 7D6 (2006) | TKE: PCB service error. |
| 7D7 (2007) | TKE: Change type in PCB is not recognized. |
| 7DF (2015) | Domain in CPRB not enabled by EMB mask. |
| 7E1 (2017) | MKVP mismatch on Set MK. |
| 7E5 (2021) | Cryptographic coprocessor adapter disabled. |
| 7E9 (2025) | Enforcement mask error. |
| 7F3 (2035) | Intrusion latch has been tripped. Services disabled. |
| 7F5 (2037) | The domain specified is not valid. |
| 7FB (2043) | OA certificate not found. |
| 819 (2073) | The coprocessor has
been disabled on the Support Element. It must be enabled on the Support
Element prior to TKE accessing it. User action: Permit the selected coprocessor for TKE Commands on the Support Element and then re-open the Host on TKE. |
| 835 (2101) | AES flags in the function control vector are not valid. |
| 839 (2105) | The processing for high performance
secure keys fails due to a hardware error. User action: Contact your IBM support center. |
| BBD (3005) | The KDS I/O subtask
timed out waiting for an exclusive ENQ on the SYSZxKDS.xKDSdsn resource,
where x indicates the KDS type (C for CKDS, P for PKDS, and
T for TKDS). A timeout will occur if one or more members of the ICSF
sysplex group has not relinquished its ENQ on the resource. The KDS
update operation has failed. User action: Issue D GRS,RES=(nnnnn), where nnnnn is the KDS resource name from message CSFM302A, to determine which system or systems hold the resource. Determine if action should be taken to cause the holding system to release its ENQ on the KDS resource. |
| BBE (3006) | Failure after exhausting
retry attempts. IXCMSGO issued from CSFMIOST. User action: Contact your system programmer or the IBM Support Center. |
| BBF (3007) | The CKDS service failed
due to unexpected termination of the ICSF Cross-System Services environment.
The termination of the ICSF Cross-System Services environment was
caused by a failure when ICSF issued the IXCMSGI macro. Message CSFM603
has been issued. User action: Report the occurrence of this error to your ICSF system programmer. |
| BC6 (3014) | There is an I/O error
reading or writing to the DASD copy of the TKDS in use by ICSF. User action: Report the occurrence of this error to your ICSF system programmer. |
| BC7 (3015) | A bad header record
is detected for the TKDS. User action: Report the occurrence of this error to your ICSF system programmer. |
| BCF (3023) | The PKCS #11 TKDS
is not available for processing. User action: Report the occurrence of this error to your ICSF system programmer. |
| BE6 (3046) | An RSA retained key
can no longer be generated with its key-usage flag set to allow key
unwrapping (KM-ONLY or KEY-MGMT). Key usage must be SIG-ONLY. User action: None required. |
| BE8 (3048) | The services using
encrypted AES keys, encrypted DES, or encrypted ECC keys are
not available because the master key is required but not loaded or
there is no access to any cryptographic processors. Your
request cannot be processed. User action: Check the availability of ICSF with your ICSF administrator |
| C00 (3072) | The serialization subtask terminated for an
unexpected reason prior to completing the request. No dynamic CKDS
or PKDS update services are possible at this point. User action: Contact your system programmer who can investigate the problem and restart the I/O subtask by stopping and restarting ICSF. |
| C01 (3073) | An error occurred attempting to obtain the system
ENQ for a key data set update. User action: If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C03 (3075) | A symmetric key token was supplied in a key
identifier parameter which is wrapped using the enhanced X9.24 key
wrapping method. The cryptographic coprocessors available to process
the request don't support the enhanced key wrapping. User action: Contact system personnel to get coprocessors installed on your system which will support the enhanced X9.24 key wrapping. |
| C06 (3078) | The CKDS was created with an unsupported LRECL. |
| C09 (3081) | An attempt was made to load a PKDS that only
uses the ECC master key on a pre-HCR7780 release of ICSF. Pre-HCR7780
systems do not support the ECC master key and use of an ECC MK-only
PKDS is not allowed. User Action: Change the PKDS selected. Specify a PKDS that is empty, uses an RSA master key, or uses both RSA and ECC master keys. |
| C0A (3082) | A callable service generated or updated a symmetric
key token and the X9.24 enhanced wrapping method was used to wrap
the key. This key token is not usable on your system and ICSF will
not allow the key to be generated. The key was wrapped with the enhanced
wrapping method because a CCA Cryptographic coprocessor
that is a CEX3C or later has the default wrapping configuration
set to enhanced. This was most likely done by TKE changing the configuration. User Action: Have the ICSF administrator set the default wrapping configuration to original for the LPAR that this system is running in. |
| C17 (3095) | The sysplex KDS cluster members' new AES master
key registers were loaded with different values during a coordinated
KDS change master key. All sysplex KDS cluster members' (same active
KDS) new AES master key registers must be loaded with the same value
or all must be empty when performing a coordinated KDS change master
key. User action: Ensure all sysplex KDS cluster members' new AES master key registers are loaded with the same value or all are empty and retry the function. |
| C18 (3096) | One or more sysplex KDS cluster members' new
DES master key registers were loaded and others were empty during
a coordinated KDS change master key. All sysplex KDS cluster members'
(same active KDS) new DES master key registers must be loaded with
the same value or all must be empty when performing a coordinated
KDS change master key. User action: Ensure all sysplex KDS cluster members' new DES master key registers are loaded with the same value or all are empty and retry the function. |
| C19 (3097) | The sysplex KDS cluster members' new DES master
key registers were loaded with different values during a coordinated
KDS change master key. All sysplex KDS cluster members' (same active
KDS) new DES master key registers must be loaded with the same value
or all must be empty when performing a coordinated KDS change master
key. User action: Ensure all sysplex KDS cluster members' new DES master key registers are loaded with the same value or all are empty and retry the function. |
| C1A (3098) | A coordinated KDS change master key was attempted
with empty new master key registers. At least one of the new master
key registers must be loaded with a value to perform a coordinated
KDS change master key. User action: Load at least one of the new master key registers on all sysplex KDS cluster members with the same value and retry the function. |
| C1B (3099) | An ICSF subtask terminated during coordinated
KDS refresh or coordinated KDS change master key processing. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C1C (3100) | An error occurred attempting to obtain an ENQ
for performing either a coordinated KDS refresh or coordinated KDS
change master key. User action: The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C1D (3101) | A target system (member of the sysplex KDS cluster)
was unable to open the new KDS for either a coordinated KDS refresh
or coordinated KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C1E (3102) | One or more sysplex KDS cluster members' new
AES master key registers were loaded and others were empty during
a coordinated KDS change master key. All sysplex KDS cluster members'
(same active KDS) new AES master key registers must be loaded with
the same value or all must be empty when performing a coordinated
KDS change master key. User action: Ensure all sysplex KDS cluster members new AES master key registers are loaded with the same value or all are empty and retry the function. |
| C2B (3115) | Either a coordinated KDS refresh or coordinated
KDS change master key was cancelled. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C2C (3116) | A catalog problem occurred during either a coordinated
KDS refresh or coordinated KDS change master key. The problem occurred
when looking up either the active KDS or new KDS in the catalog. User action: Ensure both the active KDS and new KDS are cataloged and retry the function. |
| C2D (3117) | A coordinated KDS refresh or coordinated KDS
change master key was attempted on a system with a level of hardware
that is not supported by the function. This reason code is also used
if the licensed internal code (LIC) level on the originating system
is lower then the licensed internal code (LIC) level on 1 or more
of the other sysplex KDS cluster members. User action: Refer to Coordinated KDS Administration (CSFCRC and CSFCRC6) for a list of supported hardware levels. Perform the coordinated KDS function from the system running the highest level of licensed internal code (LIC). |
| C2E (3118) | A coordinated KDS change master key was attempted
with the DES new master key register loaded but with no current DES
master key set. In order to perform a coordinated KDS change master
key to a new DES master key, a valid DES master key must have previously
been set. User action: Set a valid DES master key and then use the coordinated KDS change master key to change the DES master key. |
| C2F (3119) | A coordinated KDS change master key was attempted
with the AES new master key register loaded but with no current AES
master key set. In order to perform a coordinated KDS change master
key to a new AES master key, a valid AES master key must have previously
been set. User action: Set a valid AES master key and then use the coordinated KDS change master key to change the AES master key. |
| C32 (3122) | A sysplex communication failure occurred during
either coordinated KDS refresh or coordinated KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated CKDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C33 (3123) | A failure occurred processing KDS updates during
a coordinated KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C34 (3124) | An internal failure occurred in a coordinated
KDS subtask while performing either a coordinated KDS refresh or a
coordinated KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C35 (3125) | An internal failure occurred in a coordinated
KDS subtask while performing either a coordinated KDS refresh or a
coordinated KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C36 (3126) | An internal failure occurred in the sysplex
subtask while performing either a coordinated KDS refresh or coordinated
KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C37 (3127) | An internal failure occurred in the serialization
subtask while performing either a coordinated KDS refresh or coordinated
KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C38 (3128) | An internal failure occurred in the I/O subtask
while performing a coordinated KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function may be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C3A (3130) | A target system (member of the sysplex KDS cluster)
is not being responsive to a system that is originating either a coordinated
KDS refresh or coordinated KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C3B (3131) | The active KDS could not be reenciphered to
the new KDS during a coordinated KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C3E (3134) | A failure occurred either renaming the active
KDS to the archive KDS or renaming the new KDS to the active KDS during
a coordinated KDS refresh or coordinated KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C40 (3136) | A coordinated KDS refresh or coordinated KDS
change master key was originated from a system at a lower ICSF FMID
release level than one or more of the target systems (sysplex KDS
cluster members). The coordinated KDS functions must be originated
from a system running the highest ICSF FMID level. User action: Retry the function from a sysplex KDS cluster member running the highest ICSF FMID level. |
| C41 (3137) | An internal failure occurred during the set
master key step of a coordinated KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C42 (3138) | A failure occurred trying to back out from a
failed rename of the active KDS to the archive KDS or a failed rename
of the new KDS to the active KDS during a coordinated KDS refresh
or coordinated KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C43 (3139) | A failure occurred switching the new KDS to
the active KDS during either a coordinated KDS refresh or a coordinated
KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| C44 (3140) | A coordinated KDS refresh or a coordinated KDS
change master key failed because one of the target systems (sysplex
KDS cluster members) had not finished ICSF initialization. User action: Allow all sysplex KDS cluster members to finish ICSF initialization and retry the function. |
| C45 (3141) | A coordinated KDS change master key was attempted
with the RSA new master key register loaded but with no current RSA
master key set. In order to perform a coordinated KDS change master
key to a new RSA master key, a valid RSA master key must have previously
been set. User action: Set a valid RSA master key and then use the coordinated KDS change master key to change the RSA master key. |
| C46 (3142) | A coordinated KDS change master key was attempted
with the ECC new master key register loaded but with no current ECC
master key set. In order to perform a coordinated KDS change master
key to a new ECC master key, a valid ECC master key must have previously
been set. User action: Set a valid ECC master key and then use the coordinated KDS change master key to change the ECC master key. |
| C47 (3143) | A coordinated KDS change master key was attempted
with the PKCS #11 new master key register loaded but with no current
PKCS #11 master key set. In order to perform a coordinated KDS change
master key to a new PKCS #11 master key, a valid PKCS #11 master
key must have previously been set. User action: Set a valid PKCS #11 master key and then use the coordinated KDS change master key to change the PKCS #11 master key. |
| C48 (3144) | The sysplex KDS cluster members' new RSA master
key registers were loaded with different values during a coordinated
KDS change master key. All sysplex KDS cluster members' (same active
KDS) new RSA master key registers must be loaded with the same value
or all must be empty when performing a coordinated KDS change master
key. User action: Ensure all sysplex KDS cluster members' new RSA master key registers are loaded with the same value or are all empty, and retry the function. |
| C49 (3145) | The sysplex KDS cluster members' new ECC master
key registers were loaded with different values during a coordinated
KDS change master key. All sysplex KDS cluster members' (same active
KDS) new ECC master key registers must be loaded with the same value
or all must be empty when performing a coordinated KDS change master
key. User action: Ensure all sysplex KDS cluster members' new ECC master key registers are loaded with the same value or are all empty, and retry the function. |
| C4A (3146) | One or more sysplex KDS cluster members' new
RSA master key registers were loaded and others were empty during
a coordinated KDS change master key. All sysplex KDS cluster members'
(same active KDS) new RSA master key registers must be loaded with
the same value or all must be empty when performing a coordinated
KDS change master key. User action: Ensure all sysplex KDS cluster members' new RSA master key registers are loaded with the same value or all are empty and retry the function. |
| C4B (3147) | One or more sysplex KDS cluster members' new
ECC master key registers were loaded and others were empty during
a coordinated KDS change master key. All sysplex KDS cluster members'
(same active KDS) new ECC master key registers must be loaded with
the same value or all must be empty when performing a coordinated
KDS change master key. User action: Ensure all sysplex KDS cluster members' new ECC master key registers are loaded with the same value or are all empty and retry the function. |
| C4C (3148) | The sysplex KDS cluster members' new PKCS #11
master key registers were loaded with different values during a coordinated
KDS change master key. All sysplex KDS cluster members' (same active
KDS) new PKCS #11 master key registers must be loaded with the same
value or all must be empty when performing a coordinated KDS change
master key. User action: Ensure all sysplex KDS cluster members' new PKCS #11 master key registers are loaded with the same value or are all empty and retry the function. |
| C4D (3149) | One or more sysplex KDS cluster members' new
P11 master key registers were loaded and others were empty during
a coordinated KDS change master key. All sysplex KDS cluster members'
(same active KDS) new P11 master key registers must be loaded with
the same value or all must be empty when performing a coordinated
KDS change master key. User action: Ensure all sysplex KDS cluster members' new P11 master key registers are loaded with the same value or are all empty and retry the function. |
| C80 (3200) | Key object’s compliance mode is different
than current setting of the Enterprise PKCS #11 coprocessors User action: Contact your ICSF administrator or system programmer. ICSF administrator action: The compliance mode setting on the Enterprise PKCS #11 coprocessors must be set to a value at least as restrictive as the key object that failed. Using the PKCS #11 Token Browser ISPF panels, examine the IBM CARD COMPLIANCE value for the key that failed. Set each Enterprise PKCS #11 coprocessor to this value using TKE. |
| C82 (3202) | A PKCS #11 Service found an error in DER encoded
data returned from the Enterprise PKCS #11 Coprocessor. User action: Contact your system programmer or the IBM Support Center. |
| D21 (3361) | The subtask for the KDS multi-purpose callable
service is not active. User action: Contact your system operator to stop and then start ICSF. |
| D22 (3362) | The subtask for the KDS multi-purpose callable service is terminating. |
| D23 (3363) | An attempt was made to use a KDS which has a
KDS cluster identifier that matches an active KDS. This reason code
is accompanied by message CSFM663I. User action: See the ICSF joblog for message CSFM663I and refer to z/OS Cryptographic Services ICSF Messages for information on how to proceed. |
| D24 (3364) | ICSF encountered continuous ISGQUERY failures
while attempting a KDS operation. This reason code is accompanied
by message CSFM664I. User action: See the ICSF joblog for message CSFM664I and refer to z/OS Cryptographic Services ICSF Messages for information on how to proceed. |
| 1779 (6009) | One or more target systems (sysplex KDS cluster
members) did not successfully load the new KDS during a coordinated
KDS refresh or coordinated KDS change master key. This a common result
of an unresponsive target system. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated CKDS administration failure. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| 1780 (6016) | A DASD IO error was encountered during access
of the CKDS, PKDS, or TKDS. User action: Contact your ICSF security administrator or system programmer. The SVC 99 error code will be placed in the high-order halfword of the reason code field. |
| 178C (6028) | ESTAE could not be
established in common I/O routines. User action: Contact your system programmer or the IBM Support Center. |
| 1790 (6032) | The dynamic allocation
of the DASD copy of the CKDS, PKDS, or TKDS in use by ICSF failed. User action: Contact your ICSF security administrator or system programmer. The SVC 99 error code will be placed in the high-order halfword of the reason code field. |
| 1794 (6036) | A dynamic deallocation
error occurred when closing and deallocating a CKDS, PKDS, or
TKDS. User action: Contact your security administrator or system programmer. The SVC 99 error code will be placed in the high-order halfword of the reason code field. |
| 1795 (6037) | A failure occurred routing KDS updates to the
originating system of a coordinated KDS change master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| 1796 (6038) | The I/O subtask became out of sync with the
sysplex KDS cluster during a coordinated KDS change master key. The
I/O subtask will be restarted to get back in sync with the sysplex
KDS cluster. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| 1797 (6039) | ICSF was unable to attach a coordinated KDS
subtask for either a coordinated KDS refresh or coordinated KDS change
master key. User action: Refer to the z/OS Cryptographic Services ICSF Administrator's Guide for information on recovering from a coordinated KDS administration failure. The function can be retried. If the error is common and persistent, contact your system programmer or the IBM Support Center. |
| 2724 (10020) | A key retrieved from
the in-storage CKDS failed the MAC verification (MACVER) check and
is unusable. User action: Contact your ICSF administrator. |
| 2728 (10024) | A key retrieved from
the in-storage CKDS or a key to be written to the PKDS was rejected
for use by the installation exit. User action: Contact your ICSF administrator or system programmer. |
| 272C (10028) | You cannot use the
secure key import or multiple secure key import callable
services because the cryptographic processor is not enabled for processing.
The cryptographic coprocessor is not in special secure mode. User action: Contact your ICSF administrator (your administrator can enable the processing mode). |
| 2734 (10036) | More than one key
with the same label was found in the CKDS or PKDS. This function requires
a unique key per label. The probable cause may be the use of an incorrect
label pointing to a key type that allows multiple keys per label. User action: Make sure the application specifies the correct label. If the label is correct, contact your ICSF security administrator or system programmer to verify the contents of the CKDS or PKDS. |
| 273C (10044) | OPEN of the PKDS in
use by ICSF failed. User action: Contact your ICSF security administrator or system programmer. |
| 2740 (10048) | I/O error reading
or writing to the DASD copy of the CKDS or PKDS in use by ICSF. User action: Contact your ICSF security administrator or system programmer. The RPL feedback code will be placed in the high-order halfword of the reason code field. REASONCODES: TSS 0C5 (197) |
| 274C (10060) | The I/O subtask terminated
for an unexpected reason prior to completing the request. No dynamic
CKDS or PKDS update services are possible at this point. User action: Contact your system programmer who can investigate the problem and restart the I/O subtask by stopping and restarting ICSF. |
| 2B08 (11016) | The master key is
not in a valid state. User action: Contact your ICSF administrator. REASONCODES: TSS 2FC (764) |
| 2B0C (11020) | The modulus of the
public or private key is larger than allowed and configured in the
CCC or FCV. You cannot use this key on this system. User action: Regenerate the key with a smaller modulus size. |
| 2B10 (11024) | The system administrator
has used the ICSF User
Control Functions panel to disable the RSA functions. User action: Wait until administrator functions are complete and the RSA functions are again enabled. |
| 2B1C (11036) | A PKDS is not available
for processing. User action: Contact your ICSF administrator. |
| 2B20 (11040) | The PKDS Control Record
hash pattern is not valid. User action: Contact your ICSF administrator. |
| 2B24 (11044) | The PKDS could not
be accessed. User action: Contact your ICSF administrator. |
| 2B28 (11048) | The coprocessor failed. User action: Contact your IBM support center. |
| 2B2C (11052) | The specific coprocessor
requested for service is temporarily unavailable. PKDS could not be
accessed. The specific coprocessor may be attempting some recovery
action. If recovery action is successful, the coprocessor will be
made available. If the recovery action fails, the coprocessor will
be made permanently unavailable. User action: Retry the function. |
| 2B30 (11056) | The coprocessor failed.
The response from the processor was incomplete. User action: Contact your IBM support center. |
| 2B34 (11060) | The service could
not be performed because the required coprocessor was not active or
did not have a master key set, or the coprocessor
did not have the required firmware update. User action: If the service required a specific coprocessor, verify that the value specified is correct. Reissue the request when the required coprocessor is available and has the master key set and the required firmware is present. |
| 2B38 (11064) | Service could not be performed because of a hardware error on the coprocessor. |
| 2B40 (11072) | Coprocessor configuration change. A CCA or EP11 coprocessor has been configured as an accelerator. TKE does not recognize coprocessors configured as accelerators. |
| 2B41 (11073) | Coprocessor configuration change. Either a CCA coprocessor has been reconfigured to be a EP11 coprocessor, or a PKCS #11 coprocessor has been reconfigured to be a CCA coprocessor. |
| 8CA2 (36002) | CSFPCI was called to set the RSA master key in any CCA cryptographic coprocessor. This function is disabled because dynamic RSA master key change is enabled and the RSA master key can only be changed from the ICSF TSO Change asymmetric master key utility. |
| 8CB4 (36020) | A refresh of the CKDS
failed because the DASD copy of the CKDS is enciphered under the wrong
master key. This may have resulted from an automatic refresh during
processing of the CKDS key record create callable service. User action: Contact your ICSF administrator. |
| 8CE4 (36068) | A failure occurred during a coordinated
KDS change master key operation because the DASD copy of the CKDS
is enciphered under the wrong master key. User action: Contact your ICSF administrator. |
| 8CE5 (36069) | A failure occurred
during a coordinated KDS change master key operation because the DASD
copy of the TKDS is enciphered under the wrong master key. User action: Contact your ICSF administrator. |
| 8CF4 (36084) | The master keys cannot be changed
because ICSF is running in compatibility mode. User action: See 'Migration from PCF to z/OS ICSF' in z/OS Cryptographic Services ICSF System Programmer's Guide for an explanation of compatibility mode and how to change the master keys. Note that the coordinated change master key utility cannot be used to change master keys when running in compatibility mode. |
| 8D14 (36116) | The PKDS specified
for refresh, reencipher or activate has an incorrect dataset attribute. User action: Create a larger PKDS. See z/OS Cryptographic Services ICSF System Programmer's Guide. |
| 8D3C (36156) | A PKCS #11 service is being requested. The service
is disabled due to an ICSF FIPS self test failure. The request is
not processed. User action: Report the problem to your IBM support center |
| 8D40 (36160) | The attempt to reencipher the CKDS failed because
there is an enhanced wrapped token in the CKDS. User Action: Reencipher the CKDS on a system that supports the enhanced wrapping method. |
| 8D48 (36168) | A key data set has an LRECL attribute that is
not valid. This could be because your release of ICSF does not support
the KDS with that LRECL or a supplied KDS does not have the same LRECL
as another KDS required for the utility being invoked. User Action: Use a KDS with an LRECL supported by the release of ICSF that you are using or supply a KDS with the same LRECL. |
| 8D4D (36173) | A failure occurred during a coordinated KDS
change master key operation because the DASD copy of the PKDS is enciphered
under the wrong master key. User Action: Contact your ICSF administrator. |
| 8D4E (36174) | A failure occurred during a coordinated KDS
change master key operation because the DASD copy of the PKDS is enciphered
under the wrong master key. User Action: Contact your ICSF administrator. |
| 8D56 (36182) | A coprocessor failure was detected during initialization. User action: The error is accompanied by the CSFM540I message. Follow instructions associated with that message. |
| 8D5A (36186) | A request was made to reencipher a CKDS. The
CKDS specified cannot be reenciphered on this release of ICSF because
the CKDS contains Variable-length Symmetric key tokens with an unrecognized
algorithm or key type in the associated data section. Only key tokens
with a recognized algorithm or key type can be managed on this release
of ICSF. User action: Perform the reencipher operation on a release of ICSF which recognizes the algorithm and key type of all tokens in the specified CKDS. |
| 8D5D (36189) | The TKDS has an incorrect dataset attribute.
User action: Create a TKDS with valid dataset attributes. See z/OS Cryptographic Services ICSF System Programmer's Guide |
| 8D73 (36211) | A request was made to load a key data set (CKDS,
PKDS or TKDS) which has records which are in KDSR format. This level
of ICSF does not support KDSR format records. User Action: Contact your ICSF administrator. |