Display ICSF

On systems running ICSF FMID HCR77B1 or later, and running z/OS V1R13 (with the PTF for APAR OA47380 installed) or later, use the Display ICSF command to:
  • Display the status for available cryptographic devices.
  • Display certain ICSF options.
  • Display key lifecycle auditing options.
  • Display key usage auditing options.
  • Display information about regional cryptographic servers (remote devices).
  • Display information pertaining to active key data sets (KDS).
  • Display the status of the master key registers for the available cryptographic devices.
  • List the systems that are available to participate in commands with a SYSPLEX scope.

Syntax

Display ICSF[,{LIST | CARDS | KDS | MKS | OPTions | REMOTEdevice|RD}][,SYSPLEX={No | Yes}]

Parameters

CARDS
The system displays the following (message CSFM668I) information about the cryptographic devices available on the system or sysplex:
  • The active domain.
  • For each available device:
    • The device type (for example, CRYPTO EXPRESS5 COPROCESSOR).
    • The device index (for example, 5C36).
    • The device status (for example, Active).
    • The device serial number (for example, 99EA6059).
    • The firmware level of the device (for example, 5.0.45).
    • The number of requests both active and in the work queue for the device.
For example:
D ICSF,CARDS

CSFM668I 09.35.33 ICSF CARDS 292
  ACTIVE DOMAIN = 003
  CRYPTO EXPRESS5 COPROCESSOR 5C36
    STATUS=Active               SERIAL#=99EA6059 LEVEL=5.0.45
    REQUESTS ACTIVE=0002
  CRYPTO EXPRESS5 COPROCESSOR 5P40
    STATUS=Active               SERIAL#=97006099 LEVEL=02.09 CLiC=0742
    REQUESTS ACTIVE=0001
  CRYPTO EXPRESS5 ACCELERATOR 5A42
    STATUS=Active
    REQUESTS ACTIVE=0000
KDS
The system displays (message CSFM668I) information about the active key data sets (KDS) on the system or sysplex:
  • The dataset name for each active KDS (CKDS, PKDS, and TKDS).
  • The format of the KDS (for example, KDSR):
    • Possible values are KDSR, FIXED, and VARIABLE.
  • The communication level in place for the KDS (for example, 3). This is only displayed in a sysplex environment.
  • Whether the KDS is being shared in a sysplex group (for example, Y).
  • The MKVPs initialized in the KDS (for example, DES AES).
    • The possible values are:
      • DES, AES, or both for CKDS.
      • RSA, ECC, or both for PKDS.
      • P11, RCS, or both for TKDS.
For example:
SYSA  D ICSF,KDS                                              

SYSA  CSFM668I 14.38.31 ICSF KDS 040                          
  CKDS  RACFDRVR.SHERID.CKDSPLX                               
    FORMAT=KDSR      COMM LVL=3  SYSPLEX=Y  MKVPs=DES AES
  PKDS  RACFDRVR.SHERID.PKDSPLX                               
    FORMAT=KDSR      COMM LVL=3  SYSPLEX=Y  MKVPs=RSA ECC
  TKDS  RACFDRVR.SHERID.TKDSPLX                               
    FORMAT=KDSR      COMM LVL=3  SYSPLEX=Y  MKVPs=P11 RCS 
MKS
The system displays (message CSFM668I) master key information:
  • The name of the system (for example, SYSA).
  • The active domain (for example, 003).
  • For each device on the system:
    • The device index (for example, 5C38).
    • The device serial number (for example, 99EA6059).
    • The status of the device.
    • A status indicator for each possible master key.
For more information on the possible display values, see the Displaying Coprocessor or Accelerator Status topic in z/OS Cryptographic Services ICSF Administrator's Guide.
For example:
SYSA  D ICSF,MKS                                           

SYSA  CSFM668I 09.45.18 ICSF MKS 852                        
  SYSNAME: SYSA     DOMAIN: 003   CPC Name: PR2827A         
    FEATURE SERIAL#  STATUS              AES DES ECC RSA P11
     5C38   99EA6059 Active               A   A   A   A     
     5P39   97006054 Active                               A  
LIST
The system displays (message CSFM668I) the members of a sysplex that are eligible to participate in Display ICSF and SETICSF commands. LIST is the default option.
For example:
SYSA  D ICSF,LIST

SYSA  CSFM668I 14.57.29 ICSF LIST 984                   
  Systems supporting SETICSF and Display ICSF commands: 
    SYSA      HCR77B1  DOMAIN = 003                     
    SYSB      HCR77B1  DOMAIN = 003 
OPTions
The system displays the following information (message CSFM668I):
  • The name of the system (for example, SYSA).
  • The ICSF release that is active (for example, HCR77B1).
  • The most recent build date of ICSF executable code (for example, 01/09/16 or the latest ICSF code change).
  • How much time must elapse between key references before a refdate change is recorded in the KDS record (refdate update interval).
  • How often KDS refdate updates are hardened to the KDS dataset (refdate update period).
  • The number of master key verification pattern digits.
For example:
SYSA          D ICSF,OPTIONS                                    
SYSA          CSFM668I 10.23.21 ICSF OPTIONS 833                
  SYSNAME = SYSA         ICSF LEVEL = HCR77C0                   
    LATEST ICSF CODE CHANGE = 08/22/16                          
    Refdate update interval in Days/HH.MM.SS = 030/00.00.00     
    Refdate update period   in Days/HH.MM.SS = 000/01.00.00     
    MASTERKCVLEN = display 3 digits                           
    AUDITKEYLIFECKDS: Audit CCA symmetric key lifecycle events  
      SYSNAME   LABEL    TOKEN                                  
      SYSA       Yes      Yes                                   
    AUDITKEYLIFEPKDS: Audit CCA asymmetric key lifecycle events 
      SYSNAME   LABEL    TOKEN                                  
      SYSA       Yes      Yes                                   
    AUDITKEYLIFETKDS: Audit PKCS #11 key lifecycle events       
      SYSNAME   TOKOBJ   SESSOBJ                                
      SYSA       Yes      Yes                                   
    AUDITKEYUSGCKDS: Audit CCA symmetric key usage events       
      SYSNAME   LABEL    TOKEN     Interval Days/HH.MM.SS       
      SYSA       Yes      Yes                000/01.00.00       
    AUDITKEYUSGPKDS: Audit CCA asymmetric key usage events      
      SYSNAME   LABEL    TOKEN     Interval Days/HH.MM.SS       
      SYSA       Yes      Yes                000/01.00.00       
    AUDITPKCS11USG: Audit PKCS #11 usage events                 
      SYSNAME   TOKOBJ   SESSOBJ   NOKEY  Interval Days/HH.MM.SS
      SYSA       Yes      Yes       Yes             000/01.00.00         
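
The audit tables in the OPTIONS display can be checked mechanically. The following is an added example, not part of the original documentation: it parses captured CSFM668I text and lists every audit setting that is not Yes. The function names, the SYSB rows and the "No" value are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the D ICSF,OPTIONS output above. The SYSB rows
# and the "No" values are assumptions made for illustration.
SAMPLE = """\
SYSA  CSFM668I 10.23.21 ICSF OPTIONS 833
  SYSNAME = SYSA         ICSF LEVEL = HCR77C0
    MASTERKCVLEN = display 3 digits
    AUDITKEYLIFECKDS: Audit CCA symmetric key lifecycle events
      SYSNAME   LABEL    TOKEN
      SYSA       Yes      Yes
      SYSB       Yes      No
    AUDITPKCS11USG: Audit PKCS #11 usage events
      SYSNAME   TOKOBJ   SESSOBJ   NOKEY  Interval Days/HH.MM.SS
      SYSA       Yes      Yes       Yes             000/01.00.00
      SYSB       No       Yes       Yes             000/01.00.00
"""

OPTION_RE = re.compile(r"^\s*(AUDIT[A-Z0-9]+):")

def parse_audit_options(text):
    """Return {option: {sysname: {column: value}}} for the AUDIT* tables."""
    result, option, columns = {}, None, []
    for line in text.splitlines():
        m, tokens = OPTION_RE.match(line), line.split()
        if m:
            option, columns = m.group(1), []
            result[option] = {}
        elif option is None or not tokens or "=" in tokens:
            option = None  # not inside an audit table
        elif tokens[0] == "SYSNAME":
            # Header row: keep flag columns, drop the trailing interval column.
            columns = [t for t in tokens[1:] if t not in ("Interval", "Days/HH.MM.SS")]
        elif columns and len(tokens) > len(columns):
            result[option][tokens[0]] = dict(zip(columns, tokens[1:1 + len(columns)]))
        else:
            option = None
    return result

def disabled_settings(parsed):
    """Sorted (option, sysname, column) triples whose value is not 'Yes'."""
    return sorted((opt, sysname, col)
                  for opt, systems in parsed.items()
                  for sysname, flags in systems.items()
                  for col, val in flags.items() if val.lower() != "yes")

if __name__ == "__main__":
    for opt, sysname, col in disabled_settings(parse_audit_options(SAMPLE)):
        print(f"{opt}: {col} auditing is not enabled on {sysname}")
```
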
REMOTEdevice|RD
Displays information about regional cryptographic servers (remote devices) on the local system or, if SYSPLEX=YES is specified, on all systems in the sysplex.
Notes:
  • At least one REMOTEDEVICE option must have been specified in the ICSF installation options data set prior to ICSF being started in order for the Display ICSF,REMOTEDEVICE command to be operational.
  • In addition, the current machine type must be an IBM zEnterprise EC12 or later machine.
  • If ICSF is started without any REMOTEDEVICE entries specified in the ICSF installation options data set or while running on a machine type other than an IBM zEnterprise EC12 or later machine, the Display ICSF,REMOTEdevice command fails, and ICSF issues message CSFM669I.
The results of the command are displayed through message CSFM668I:
  • The dataset name for the active TKDS (for example, CSF.TKDS2).
  • The first three hexadecimal bytes of the regional cryptographic server master key verification pattern from the TKDS (for example, AB1122).
  • For each device on the system:
    • The device serial number (for example, 87651130).
    • The device port number (for example, 8001).
    • The level indicating the generation of card code (for example, LEVEL=01.00).
    • The HOST/IP of the device (for example, HOST/IP@=123.45.34.100).
    • The remote device identifier (REGIONAL CRYPTO SRV); for example, 1R09, where:
      • 1 = Generation of the device.
      • R = Remote regional cryptographic server.
      • 09 = Index as defined in the options dataset.
    • The status of the device (for example, Active).
    • The current number of socket connections / the maximum number of socket connections as defined in the options dataset (for example, 7/8).
      Note: If the current number of sockets = the maximum number of sockets defined, only one number is displayed (as with the second example showing Sockets=8).
    • The current number of active cryptographic requests on the device (in this example, 5 for the first remote device (serial number 87651130) and 6 for the second remote device (serial number 87661276)).
    • Optional new master key information: The first three hexadecimal bytes of the regional cryptographic server new master key verification pattern and the state of the new master key (for example, FULL COMMITTED).
      Note: During heavy workloads or when SYSPLEX=YES is specified, the display command may be unable to retrieve a recently updated new master key value. If the new master key verification pattern that is displayed does not match the new master key loaded from the RCS utility, wait 10 minutes for an implicit RCS check and then reissue the display command. Otherwise, issue the SETICSF RESTART command for each RCS device.
    • Optional diagnostic information: Displays the device MKVP when the regional cryptographic server master key does not match that in the TKDS.
For example, when SYSPLEX=NO is specified or used by default from SYSA with 2 remote devices:
SYSA  D ICSF,RD

SYSA  CSFM668I 04.47.06 ICSF RD 424                        
  TKDS = CSF.TKDS2                                         
    RCS MKVP FROM TKDS = AB1122 ...                        
      SERIAL NUMBER=87651130  PORT=8001  LEVEL=01.00       
        HOST/IP@=123.45.34.100                             
        REGIONAL CRYPTO SRV  1R06                           
          SYSA      Active                  Sockets=7/8    
          REQUESTS ACTIVE=0005                             
      SERIAL NUMBER=87661276  PORT=8001  LEVEL=01.00       
        HOST/IP@=123.45.34.101                             
        REGIONAL CRYPTO SRV  1R09                           
          SYSA      Active                  Sockets=8      
          REQUESTS ACTIVE=0006
When SYSPLEX=YES is specified, ICSF collects the remote device information from all the systems in the sysplex for display through message CSFM668I. The output of message CSFM668I is sorted and grouped using the sort keys:
  • TKDS
  • SERIAL NUMBER
  • PORT
For example, when SYSPLEX=YES is specified:
SYSA  D ICSF,RD,SYSPLEX=Y                                  

SYSA  CSFM668I 05.54.31 ICSF RD 502                        
   TKDS = CSF.TKDS2                                        
     RCS MKVP FROM TKDS = AB1122 ...                       
     SERIAL NUMBER=87651130  PORT=8001  LEVEL=01.00        
       HOST/IP@=123.45.34.100                              
       REGIONAL CRYPTO SRV  1R06                            
         SYSA      Active                  Sockets=8       
         REQUESTS ACTIVE=0000                              
     SERIAL NUMBER=87651130  PORT=8002  LEVEL=01.00        
       HOST/IP@=123.45.34.100                              
       REGIONAL CRYPTO SRV  1R06                            
         SYSB      Active                  Sockets=8       
         REQUESTS ACTIVE=0000                             
     SERIAL NUMBER=87651130  PORT=8003  LEVEL=01.00        
       HOST/IP@=123.45.34.100                            
       REGIONAL CRYPTO SRV  1R06                          
         SYSC      Active                  Sockets=8     
         REQUESTS ACTIVE=0000                            
     SERIAL NUMBER=87661062  PORT=8003  LEVEL=01.00      
       HOST/IP@=123.45.34.103                            
       REGIONAL CRYPTO SRV  1R16                          
         SYSC      Active                  Sockets=8     
         REQUESTS ACTIVE=0000                            
     SERIAL NUMBER=87661276  PORT=8001  LEVEL=01.00      
       HOST/IP@=123.45.34.101                            
       REGIONAL CRYPTO SRV  1R09                          
         SYSA      Active                  Sockets=8     
         REQUESTS ACTIVE=0000                            
     SERIAL NUMBER=87661276  PORT=8002  LEVEL=01.00      
       HOST/IP@=123.45.34.101                            
       REGIONAL CRYPTO SRV  1R09                          
         SYSB      Active                  Sockets=8         
         REQUESTS ACTIVE=0000                               
     SERIAL NUMBER=87661276  PORT=8003  LEVEL=01.00          
       HOST/IP@=123.45.34.101                                
       REGIONAL CRYPTO SRV  1R09                              
         SYSC      Active                  Sockets=8         
         REQUESTS ACTIVE=0000                                
     SERIAL NUMBER=87671176  PORT=8003  LEVEL=01.00          
       HOST/IP@=123.45.34.102                                
       REGIONAL CRYPTO SRV  1R13                              
         SYSC      Active                  Sockets=8         
         REQUESTS ACTIVE=0000
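
The REMOTEdevice display can be turned into structured records for monitoring. The following is an added example, not part of the original documentation: it parses the fields described above, including the case where Sockets= shows a single number, and splits the remote device identifier into generation and index. The function names and the choice to report entries that are not Active or are below the socket maximum are assumptions.

```python
import re

SAMPLE = """\
SYSA  CSFM668I 04.47.06 ICSF RD 424
  TKDS = CSF.TKDS2
    RCS MKVP FROM TKDS = AB1122 ...
      SERIAL NUMBER=87651130  PORT=8001  LEVEL=01.00
        HOST/IP@=123.45.34.100
        REGIONAL CRYPTO SRV  1R06
          SYSA      Active                  Sockets=7/8
          REQUESTS ACTIVE=0005
      SERIAL NUMBER=87661276  PORT=8001  LEVEL=01.00
        HOST/IP@=123.45.34.101
        REGIONAL CRYPTO SRV  1R09
          SYSA      Active                  Sockets=8
          REQUESTS ACTIVE=0006
"""  # copied from the D ICSF,RD example above (SYSPLEX=NO)

PATTERNS = [
    re.compile(r"SERIAL NUMBER=(?P<serial>\S+)\s+PORT=(?P<port>\d+)\s+LEVEL=(?P<level>\S+)"),
    re.compile(r"HOST/IP@=(?P<host>\S+)"),
    re.compile(r"REGIONAL CRYPTO SRV\s+(?P<generation>\d)R(?P<index>\d+)"),
    re.compile(r"^\s*(?P<sysname>\S+)\s+(?P<status>.+?)\s+Sockets=(?P<cur>\d+)(?:/(?P<max>\d+))?\s*$"),
    re.compile(r"REQUESTS ACTIVE=(?P<requests>\d+)"),
]

def parse_remote_devices(text):
    """Return one dict per SERIAL NUMBER/PORT entry in D ICSF,RD output."""
    devices = []
    for line in text.splitlines():
        for pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                if "serial" in m.groupdict():
                    devices.append({})  # SERIAL NUMBER line starts a new entry
                if devices:
                    devices[-1].update(m.groupdict())
                break
    for dev in devices:
        # One number after Sockets= means current equals the maximum.
        dev["max"] = dev.get("max") or dev.get("cur", "0")
        for key in ("port", "cur", "max", "requests"):
            dev[key] = int(dev.get(key, 0))
    return devices

def below_capacity_or_inactive(devices):
    """Entries whose status is not Active or whose sockets are below the maximum."""
    return [(d["serial"], d.get("sysname"), d["cur"], d["max"]) for d in devices
            if d.get("status") != "Active" or d["cur"] < d["max"]]
```

The same parser applies to SYSPLEX=YES output, where each SERIAL NUMBER/PORT entry carries one system line.
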
SYSPLEX(YES or NO)
The SYSPLEX keyword increases the scope of the Display ICSF command to all participating members of the sysplex. The Display ICSF output is grouped according to CPC Name and shows the results of the Display ICSF command as it was executed on each member. Specify SYSPLEX=Yes to execute the command on all systems. Otherwise, specify SYSPLEX=No to execute the command only on the local (initiating) system. SYSPLEX=No is the default.
For example:
D ICSF,CARDS,SYSPLEX=Y

CSFM668I 11.49.49 ICSF CARDS 919
  CPC Name = R01       CPC Sequence# = 0000000000042E08
    CRYPTO EXPRESS5 COPROCESSOR 5C57 SERIAL#=99EA6003 LEVEL=5.1.4
      SYSA     DOMAIN=000 Active               REQUESTS=0000
      SYSB     DOMAIN=002 Active               REQUESTS=0000
      SYSC     DOMAIN=008 Active               REQUESTS=0000
    CRYPTO EXPRESS5 COPROCESSOR 5P58 SERIAL#=97006035 LEVEL=02.09
      SYSA     DOMAIN=000 Active               REQUESTS=0000
      SYSB     DOMAIN=002 Active               REQUESTS=0000
      SYSC     DOMAIN=008 Active               REQUESTS=0000
  CPC Name = R02       CPC Sequence# = 0000000000042E09
    CRYPTO     EXPRESS5 COPROCESSOR 5P59 SERIAL#=97006102 LEVEL=02.09
      SYSA     DOMAIN=000 Active               REQUESTS=0000
    CRYPTO EXPRESS5 ACCELERATOR 5P60
      SYSC     DOMAIN=008 Active               REQUESTS=0000
SYSA  D ICSF,OPT,SYSPLEX=Y                                 

SYSA  CSFM668I 11.36.35 ICSF OPTIONS 995
  SYSNAME = SYSA         ICSF LEVEL = HCR77B1
    LATEST ICSF CODE CHANGE = 01/09/15
    Refdate update interval in Days/HH.MM.SS = 030/00.00.00
    Refdate update period in   Days/HH.MM.SS = 000/01.00.00
    MASTERKCVLEN = display 3 digits
  SYSNAME = SYSB         ICSF LEVEL = HCR77B1
    LATEST ICSF CODE CHANGE = 01/09/15
    Refdate update interval in Days/HH.MM.SS = 005/00.00.00
    Refdate update period in   Days/HH.MM.SS = 000/01.00.00
    MASTERKCVLEN = display 3 digits

Usage Notes

For information on how to limit the use of MVS console commands to a specific set of users, see the System Operations topic in z/OS MVS System Commands.