OCSF: Migrate the directory structure
Description
Table 1 provides more details about this migration action. Use this information to plan your changes to the system.
Element or feature: | Cryptographic Services. |
---|---|
When change was introduced: | General migration action not tied to a specific release. |
Applies to migration from: | z/OS V2R1 and z/OS V1R13. |
Timing: | Before the first IPL of z/OS V2R2. |
Is the migration action required? | Yes, if you currently use OCSF or if new products or functions on your new z/OS system require OCSF to be active. However, if you installed your new z/OS® system with ServerPac or SystemPac, the OCSF installation script has been run and you do not have to perform this migration action for that system. |
Target system hardware requirements: | None. |
Target system software requirements: | None. |
Other system (coexistence or fallback) requirements: | None. |
Restrictions: | None. |
System impacts: | None. |
Related IBM® Health Checker for z/OS check: | None. |
Steps to take
Migrate the OCSF /var directory structure to the target system. If you installed z/OS with CBPDO or by cloning an already-installed z/OS system, you can either copy the /var/ocsf directory from your old system or rerun the installation script. If you installed z/OS with ServerPac, the OCSF installation script has been run and you have no migration actions for that target system (although you still have to migrate the directory structure to any cloned systems, as already described).
If you installed z/OS V1R13 with CBPDO or by cloning an already-installed V1R13 system, you can either copy the /var/ocsf directory from your old system or rerun the installation script. If you installed z/OS V1R13 with ServerPac or SystemPac, the OCSF installation script has been run and you have no migration actions for that target system (although you still have to migrate the directory structure to any cloned systems, as already described).
If you copy /var/ocsf, verify that the OCSF /var directory structure has been migrated to the target system as described in Migrate /etc and /var system control files. The OCSF registry (the /var/ocsf files) contains the directory path names to the code libraries. If the registry files are copied, the CSSM DLL and the add-ins must be in the same location on the target system as on the prior release. The normal locations are /usr/lpp/ocsf/lib for the CSSM and supporting DLLs and /usr/lpp/ocsf/addins for the add-in libraries.
If you copied /var/ocsf, do the following:
- Verify that the following four files exist in that directory:
  - CDSA_Registry.dir with permissions (-rw-r--r--)
  - CDSA_Registry.pag with permissions (-rw-r--r--)
  - CDSA_Sections.dir with permissions (-rw-r--r--)
  - CDSA_Sections.pag with permissions (-rw-r--r--)
- Verify that the required RACF® FACILITY class profiles are defined and set up:
  - CDS.CSSM — authorizes the daemon to call OCSF services
  - CDS.CSSM.CRYPTO — authorizes the daemon to call a cryptographic service provider (CSP)
  - CDS.CSSM.DATALIB — authorizes the daemon to call a data storage library (DL) service provider
- Ensure that the necessary libraries are program controlled:
  - XL C/C++ runtime libraries
  - Language Environment® libraries
  - SYS1.LINKLIB
  - SYS1.SIEALNKE
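The file and permission check from the first step above can be scripted for the OMVS shell. This is an added example, not part of the IBM documentation; the function name check_ocsf_registry is hypothetical, and the directory to audit (normally /var/ocsf) is passed as an argument.

```shell
#!/bin/sh
# Added example: audit a copied OCSF registry directory for the four
# registry files and the -rw-r--r-- permissions the migration action expects.

OCSF_REGISTRY_FILES="CDSA_Registry.dir CDSA_Registry.pag CDSA_Sections.dir CDSA_Sections.pag"
OCSF_EXPECTED_MODE="-rw-r--r--"

# check_ocsf_registry DIR   (hypothetical helper name)
# Prints one status line per file and returns the number of problems (0 = clean).
check_ocsf_registry() {
    dir=$1
    problems=0
    for f in $OCSF_REGISTRY_FILES; do
        path="$dir/$f"
        if [ ! -f "$path" ]; then
            # Absent, or present but not a regular file (for example a directory).
            echo "MISSING  $path"
            problems=$((problems + 1))
            continue
        fi
        # The first 10 characters of "ls -l" output are the file type and
        # permission bits; cutting there ignores any trailing ACL marker.
        # A symbolic link shows as lrwxrwxrwx and is reported as BADMODE.
        mode=$(ls -ld "$path" | cut -c1-10)
        if [ "$mode" != "$OCSF_EXPECTED_MODE" ]; then
            echo "BADMODE  $path ($mode, expected $OCSF_EXPECTED_MODE)"
            problems=$((problems + 1))
        else
            echo "OK       $path"
        fi
    done
    return "$problems"
}

# When the script is run with a directory argument, audit that directory.
if [ -n "${1:-}" ]; then
    check_ocsf_registry "$1"
fi
```

A nonzero return code is the count of files that are missing or have permissions other than -rw-r--r--, including files that are more permissive (for example group or world writable).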
If you did not copy /var/ocsf, rerun the installation script:
- Set up the RACF FACILITY class profiles required by OCSF and authorize the appropriate user IDs to those profiles:
  - CDS.CSSM — authorizes the daemon to call OCSF services
  - CDS.CSSM.CRYPTO — authorizes the daemon to call a cryptographic service provider (CSP)
  - CDS.CSSM.DATALIB — authorizes the daemon to call a data storage library (DL) service provider
- Ensure that the following libraries are defined as program controlled:
  - XL C/C++ runtime libraries
  - Language Environment libraries
  - SYS1.LINKLIB
  - SYS1.SIEALNKE
- Run the ocsf_install_crypto script from the OMVS shell. This must be run from the target system.
  - Verify and update $LIBPATH.
  - Change directory to the location of the script (/usr/lpp/ocsf/bin).
  - Run the script.
Whether you reinstalled or migrated, it is strongly recommended that you rerun IVP ocsf_baseivp from the OMVS shell. This IVP verifies that OCSF is installed and configured correctly. To run the IVP:
- Mount /usr/lpp/ocsf/ivp.
- Read the README file and follow the instructions.
- Run the IVP.
If you were using other IBM or non-IBM services to supplement the functions in OCSF, such as the Open Cryptographic Enhanced Plug-ins (OCEP) component of base element Integrated Security Services, or the PKI Services component of base element Cryptographic Services, you must ensure that these are migrated or reinstalled.
Reference information
For more information, see Integrated Security Services Open Cryptographic Enhanced Plug-ins Application Programming.