Starting and stopping ICSF

To start ICSF, issue the operator START command. You must issue the START command after each IPL. You can start ICSF only as a started task.

ICSF should be started as early in initialization as possible, as one of the first commands in COMMNDxx rather than by later automation. ICSF should be started with SUB=MSTR to eliminate any need to wait for JES. This also allows ICSF to be shut down after JES.

This example shows the format of the START command to start ICSF, assuming that CSF is the name of the start procedure:
START CSF,SUB=MSTR
To reuse ASIDs, the REUSASID parameter can be added to the START command:
START CSF,SUB=MSTR,REUSASID=YES

To stop ICSF, issue the operator STOP command. After you issue the STOP command, all ICSF processing stops. If ICSF stops successfully, a message that states that ICSF is stopped appears on the console.

During shutdown, ICSF should ideally be shut down after OMVS and JES are taken down. This allows any final updates to encrypted file systems to be processed successfully. Shutting down ICSF gracefully allows it to complete all processing for updates to the key data sets.

This example shows the format of the STOP command to stop ICSF, assuming that CSF is the name of the started procedure:
STOP CSF
If ICSF is unresponsive to the STOP command, be aware that you cannot use the CANCEL command to stop ICSF processing. Instead, use the FORCE command:
FORCE csfproc,arm

Master key validation

When ICSF is started, the master keys are checked against the key data sets.

For CCA, master key verification patterns (MKVP) stored in the cryptographic key data set (CKDS) and the public key data set (PKDS) are compared to the current master keys. A CCA coprocessor becomes active if the current master keys match the MKVPs found in the CKDS and PKDS. If there is any mismatch, the coprocessor does not become active. When an MKVP is not in the CKDS or PKDS, the master key is ignored.

For an Enterprise PKCS #11 (EP11) coprocessor, ICSF uses the master key validation pattern (MKVP) in the header record of the TKDS to determine which EP11 coprocessors to make active. An EP11 coprocessor is active if the MKVP in the current master key register matches the MKVP in the header record of the TKDS or the TKDS has not been initialized.
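
A simplified model of the two activation rules described above, useful when working out why a coprocessor did not become active. It is an added example, not ICSF code or IBM's. The function names are hypothetical, and the master key labels and MKVP values are constructed.

```python
# Simplified model of the start-up rules stated above; not ICSF code.
# Master key labels ("AES", "RSA", ...) and MKVP values are constructed.
from typing import Dict, List, Optional, Tuple

Mkvps = Dict[str, Optional[str]]  # master key label -> MKVP (None = not present)


def cca_active(current: Mkvps, ckds: Mkvps, pkds: Mkvps) -> Tuple[bool, List[str]]:
    """CCA rule: every MKVP present in the CKDS/PKDS must match the current
    master key; a master key with no MKVP in the data set is ignored."""
    reasons: List[str] = []
    for ds_name, stored in (("CKDS", ckds), ("PKDS", pkds)):
        for label, mkvp in stored.items():
            if mkvp is None:
                reasons.append(f"{ds_name} {label}: no MKVP stored, ignored")
            elif current.get(label) != mkvp:
                reasons.append(f"{ds_name} {label}: mismatch")
    # Any single mismatch keeps the coprocessor from becoming active.
    active = not any(r.endswith("mismatch") for r in reasons)
    return active, reasons


def ep11_active(current_mkvp: Optional[str], tkds_header_mkvp: Optional[str],
                tkds_initialized: bool) -> bool:
    """EP11 rule: active if the TKDS has not been initialized, or the MKVP in
    the current master key register matches the TKDS header record."""
    if not tkds_initialized:
        return True
    # Assumption of this model: an empty register never counts as a match.
    return current_mkvp is not None and current_mkvp == tkds_header_mkvp


if __name__ == "__main__":
    ckds = {"DES": None, "AES": "a1b2"}      # constructed sample values
    pkds = {"RSA": "c3d4", "ECC": None}
    good = {"DES": "ffff", "AES": "a1b2", "RSA": "c3d4"}
    bad = {"AES": "a1b2", "RSA": "0000"}
    for name, regs in (("good", good), ("bad", bad)):
        active, reasons = cca_active(regs, ckds, pkds)
        print(name, "active" if active else "not active", reasons)
    print("EP11:", ep11_active("e5f6", "e5f6", True),
          ep11_active("e5f6", "9999", True), ep11_active(None, None, False))
```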

When ICSF successfully starts, a message indicating that initialization is complete appears on the console.

Note:
  1. If a problem is detected with a cryptographic coprocessor or with an accelerator during initialization, message CSFM540I is generated and the device is bypassed.
  2. The ICSF_COPROCESSOR_STATE_NEGCHANGE health check monitors the state of the coprocessors and accelerators daily to detect a negative change in state. For more information about this health check, see z/OS Cryptographic Services ICSF Administrator's Guide.
  3. The ICSF_MASTER_KEY_CONSISTENCY health check evaluates the master key states of the coprocessors to detect potential master key problems. For more information about this health check, see z/OS Cryptographic Services ICSF Administrator's Guide.