Table of Contents
- Cryptographic Services ICSF: System Programmer's Guide
- Summary of changes
- Changes made in Cryptographic Support for z/OS V2R1 - z/OS V2R2 (FMID HCR77C0) as updated October 2017
- Changes made in Cryptographic Support for z/OS V2R1 - z/OS V2R2 (FMID HCR77C0)
- Changes made in Cryptographic Support for z/OS V1R13 - z/OS V2R2 (FMID HCR77B1) as updated April 2016
- Changes made in Cryptographic Support for z/OS V1R13 - z/OS V2R2 (FMID HCR77B1)
- Changes made in Enhanced Cryptographic Support for z/OS V1R13 - z/OS V2R1 (FMID HCR77B0)
- Changes made in Cryptographic Support for z/OS V1R13 - z/OS V2R1 (FMID HCR77A1) as updated June 2014
- Changes made in Cryptographic Support for z/OS V1R13 - z/OS V2R1 (FMID HCR77A1)
- Changes made in Cryptographic Support for z/OS V1R12-R13 (FMID HCR77A0)
- Introduction to z/OS ICSF
- Features
- ICSF features
- The Cryptographic Key Data Set (CKDS)
- The Public Key Data Set (PKDS)
- The Token Data Set (TKDS)
- Additional background information
- Running PCF applications on z/OS ICSF
- Using RMF and SMF to monitor z/OS ICSF events
- Controlling access to ICSF
- Steps prior to starting installation
- Installation, initialization, and customization
- Steps for installation and initialization
- Steps to customize SYS1.PARMLIB
- Creating the CKDS
- Creating the PKDS
- Creating the TKDS
- ICSF system resource planning for random number generation
- Steps to create the installation options data set
- Creating an ICSF CTRACE configuration data set
- Steps to create the ICSF startup procedure
- Steps to provide access to the ICSF panels
- Requiring signature verification for ICSF module CSFINPV2
- Steps to start ICSF for the first time
- Customizing ICSF after the first start
- Migration
- Terminology
- Migrating from earlier software releases
- Actions to perform before installing ICSF FMID HCR77C0
- ICSF: Detect any coprocessor that will not become active when ICSF FMID HCR77A1 or later is started
- ICSF: Detect TKDS objects that are too large for the new KDSR record format in ICSF FMID HCR77A1 or later
- Actions to perform before the first start of ICSF FMID HCR77C0
- ICSF: Deprecated parameters in installation options data set
- ICSF: Determine if applications using hash services have archived hashes of long data
- Actions to perform after the first start of ICSF FMID HCR77C0
- Callable services
- Identification of cryptographic features
- Ensure the expected P11 master key support is available
- Key store policy
- ICSF key data sets
- Changing the RSA master key
- Migrating to 24-byte DES master key
- Installation options data set
- Function restrictions
- CICS attachment facility
- Dynamic LPA load
- Special secure mode
- Resource Manager Interface (RMF)
- System abend codes
- SMF records
- TKE workstation
- Migrating from the IBM eServer zSeries 900
- Operating ICSF
- Starting and stopping ICSF
- Modifying ICSF
- Command syntax notation
- ICSF operator commands
- Using different configurations
- Adding and removing cryptographic coprocessors
- Adding cryptographic coprocessors
- Steps for activating/deactivating cryptographic coprocessors
- Steps to configure on/off cryptographic coprocessors
- Steps for enabling/disabling cryptographic coprocessors
- Adding and removing regional cryptographic servers
- Steps to add a regional cryptographic server
- Steps to remove a regional cryptographic server
- Configuring ICSF to use TCP/IP for communications with regional cryptographic servers
- Displaying cryptographic coprocessor status using the DISPLAY ICSF operator command
- Adding a regional cryptographic server using the SETICSF operator command
- Changing regional cryptographic server status using the SETICSF operator command
- Performance considerations for using installation options
- Dispatching priority of ICSF
- VTAM session-level encryption
- System SSL encryption
- Access method services cryptographic option
- Remote key loading
- Event recording
- System Management Facilities (SMF) recording
- ICSF Initialization (Subtype 1)
- Operational Key Part Entry (Subtype 7)
- CKDS Refresh (Subtype 8)
- Dynamic CKDS Update (Subtype 9)
- Dynamic PKDS Update (Subtype 13)
- Cryptographic Coprocessor Clear Master Key Entry (Subtype 14)
- Cryptographic Coprocessor Retained Key Create or Delete (Subtype 15)
- Cryptographic Coprocessor TKE Command Request or Reply (Subtype 16)
- Cryptographic Coprocessor Configuration (Subtype 18)
- PCI X Cryptographic Coprocessor Timing (Subtype 19)
- Cryptographic Coprocessor Timing (Subtype 20)
- ICSF Sysplex Group (Subtype 21)
- Trusted Block Create (Subtype 22)
- Token Data Set (TKDS) (Subtype 23)
- Duplicate Key Tokens (Subtype 24)
- Key Store Policy Key Token Authorization Checking (Subtype 25)
- PKDS Refresh (Subtype 26)
- Key Store Policy PKA Key Management Extensions (Subtype 27)
- High Performance Encrypted Key (Subtype 28)
- TKE Workstation Audit Record (Subtype 29)
- Key Store Policy Archived and Inactive Checking (Subtype 30)
- CCA symmetric key lifecycle event (Subtype 40)
- CCA asymmetric key lifecycle event (Subtype 41)
- PKCS #11 key lifecycle event (Subtype 42)
- Regional cryptographic server configuration (Subtype 43)
- CCA symmetric key usage event (Subtype 44)
- CCA asymmetric key usage event (Subtype 45)
- PKCS #11 key usage event (Subtype 46)
- PKCS #11 no key usage event (Subtype 47)
- Message recording
- Security considerations
- Controlling the program environment
- Controlling access to KGUP
- Controlling access to CSFDUTIL
- Controlling access to the callable services
- Controlling access to cryptographic keys
- Controlling access to secure key tokens
- Scheduling changes for cryptographic keys
- Controlling access to administrative panel functions
- Obtaining RACF SMF log records
- Debugging aids
- Component trace
- Abnormal endings
- IPCS formatting routine
- Detecting ICSF serialization contention conditions
- ENF signals
- Installation exits
- Types of exits
- Mainline exits
- Exits for the services
- The PCF CKDS conversion program exit
- The single-record, read-write exit
- The cryptographic key data set entry retrieval exit
- Security exits
- The KGUP exit
- Entry and return specifications
- Exits environment
- Mainline exits
- Service exits
- CKDS entry retrieval exit
- KGUP, Conversion Programs, and Single-record, Read-write exits
- Security exits
- Exit recovery
- Mainline installation exits
- Services installation exits
- Purpose and use of the exits
- Environment of the exits
- Installing the exits
- Input
- Return Codes
- CSF_SERVICE_EXIT - ICSF callable services exit
- Cryptographic key data set entry retrieval installation exit
- PCF conversion program installation exit
- Single-record, Read-write installation exit
- Exit points for security installation exits
- Security installation exits
- Key generator utility program installation exit
- Installation-defined Callable Services
- Writing a callable service
- Contents of registers
- Security access control checking
- Checking the parameters
- Link-editing the callable service
- Defining a callable service
- Writing a service stub
- Converting a CKDS from fixed length to variable length record format
- Migration from PCF to z/OS ICSF
- Running PCF and z/OS ICSF on the same system
- Running in compatibility mode
- Running in coexistence mode
- Changing the DES master key in compatibility or coexistence mode
- Running in noncompatibility mode
- Specifying compatibility modes during migration
- Converting a PCF CKDS to ICSF format
- Diagnosis reference information
- Cryptographic Key Data Set (CKDS) formats
- Public Key Data Set (PKDS) format
- Token data set (TKDS) format
- Common record format (KDSR)
- AES key token format
- DES key token formats
- Variable-length symmetric key token formats
- PKA key token formats
- Data areas
- The Cryptographic Communication Vector Table (CCVT)
- The Cryptographic Communication Vector Table Extension (CCVE)
- Generic Service Table (CSFMGST)
- RMF measurements table
- ICSF SMF records
- Record type 82 (52) — ICSF record
- Record environment
- Record mapping
- SMF header
- ICSF header (for all subtypes 40 or greater)
- Main section (subtype information)
- Audit header and audit section
- Tag-Length-Value (TLV) triplets
- Subtype 1
- Subtype 7
- Subtype 8
- Subtype 9
- Subtype 13
- Subtype 14
- Subtype 15
- Subtype 16
- Subtype 18
- Subtype 19
- Subtype 20
- Subtype 21
- Subtype 22
- Subtype 23
- Subtype 24
- Subtype 25
- Subtype 26
- Subtype 27
- Subtype 28
- Subtype 29
- Subtype 30
- Subtype 40
- Subtype 41
- Subtype 42
- Subtype 43
- Subtype 44
- Subtype 45
- Subtype 46
- Subtype 47
- CICS-ICSF Attachment Facility
- Helpful hints for ICSF first time startup
- Checklist for first-time startup of ICSF
- Step 1. Hardware setup
- Step 2. LPAR activation profiles
- Step 3. ICSF setup
- Step 4. TKE setup
- Step 5. ICSF startup
- Step 6. Loading master keys and initializing the CKDS through ICSF panels
- Step 7. Customizing TKE and loading master keys
- Step 8. CICS-ICSF Attachment Facility setup
- Step 9. Complete ICSF initialization
- Commonly encountered ICSF first time setup/initialization messages
- Using AMS REPRO encryption
- Systems without Cryptographic features