OA67072: EP11 CO-PROCESSOR WITHOUT MASTER KEY MAY SET INTO REPEAT FAILURES

APAR status

• Closed as fixed if next.

Error description

• Customer changed crypto cards from 'Accelerator' mode to EP11
  Co-Processor. After a while they observed these messages:
  CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS7
  COPROCESSOR 7P11, SERIAL NUMBER 12345678.
  CSFM137E CRYPTO EXPRESS7 COPROCESSOR 7P01, SN 12345678 *STATUS
  CHANGED FROM Being reconfigured TO Repeat failures.
  CSFM135E CRYPTOGRAPHIC FEATURE IS INACTIVE. CRYPTO EXPRESS7
  COPROCESSOR 7P11, SERIAL NUMBER 12345678 *RSN=Repeat failures.
  
  When set EP11 Co-Processor without master key in these EP11
  Co-Processor, while use a valid TKDS with EP11 MKVP, the cards
  may run into RC0C (RC12) RSN2FC from ICSF callable service like
  CSFTCGSK. A series of RC0C (RC12) RSN2FC will set the cards into
  Repeat failures.
  

Local fix

• When customer set EP11 master keys to the EP11 Co-Processor,
  they do not see the issue again.
  

Problem summary

• ****************************************************************
  * USERS AFFECTED: Users of CSFPGSK when the TKDS is clear-key  *
  *                 only and an EP11 coprocessor is configured   *
  ****************************************************************
  * PROBLEM DESCRIPTION: When the TKDS is clear-key only and an  *
  *                      EP11 coprocessor is configured online,  *
  *                      calling CSFPGSK with rule PARMS and an  *
  *                      attribute list which contains           *
  *                      CKA_PRIME_BITS of 1024 bits or more,    *
  *                      ICSF will attempt to use the            *
  *                      uninitialized EP11 coprocessor and fail *
  *                      due to the wrapping key not being set,  *
  *                      possibly leading to the card being      *
  *                      marked as "Repeat failure".             *
  ****************************************************************
  * RECOMMENDATION: Do not call CSFPGSK with rule PARMS until    *
  *                 all EP11 coprocessors have wrapping keys     *
  *                 loaded.                                      *
  ****************************************************************
  Problem Summary
  ----------------------------------------------------------------
  Calling CSFPGSK with rule PARMS and an attribute list which
  contains CKA_PRIME_BITS of 1024 bits or more can cause EP11
  coprocessors without a wrapping key loaded to enter the
  state of "Repeat failure".
  

Problem conclusion

Temporary fix

Comments

• This APAR is being closed FIN (Fixed If Next) with concurrence
  from the submitting customer. This means that a Solution to this
  APAR is expected to be delivered from IBM in a release (if any)
  to be available within the next 36 Months.
  

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels