|
The installation options data set is an intended programming interface.
When specifying parameter values within parentheses, leading and
trailing blanks are ignored. Embedded blanks may cause unpredictable
results.
Support is provided for the use of system symbols in the installation
options data set. System symbols can be used as values for any of
the parameters. System symbols are specified in the IEASYMxx member
of SYS1.PARMLIB; the IEASYM statement of the LOADxx member of SYS1.PARMLIB
specifies the IEASYMxx member(s) to be used for the resolution of
system symbols. This example shows the use of a system symbol for
specifying the domain to be used for the start of ICSF:
DOMAIN(&PARDOM.)
When
the Installation Options Data Set is processed during the start of
ICSF, the value of the system symbol PARDOM will be substituted as
the value of the DOMAIN parameter.
For the first start, you specified an empty VSAM data set name
for the CKDS in the CKDSN option, an empty VSAM data set name for
the PKDS in the PKDSN option, and SSM(YES). You may want to change
these and other options for subsequent starts. Here is a complete
list of installation options:
- BEGIN(fmid)
- Specifies that keywords following this BEGIN keyword are supported
in release fmid and later. There must be an
END statement to complete the current section. If not, an error message
will be issued and ICSF will terminate.
There may be any number
of BEGIN/END pairs in the data set, but they can't be nested within
each other. A BEGIN must have a matching END before another BEGIN
can be specified.
If the release of ICSF you’re running
is at this release or later, the keywords will be parsed and processed.
If release of ICSF you’re running is an earlier release, the
keywords will be ignored.
It recommended that when your systems
are all running releases that support newer keywords that the BEGIN/END
pair be removed.
The following FMIDs are supported:
HCR7740, HCR7750, HCR7751, HCR7770, HCR7780, and HCR7790.
Here
is an example of the usage of the BEGIN/END keywords.
keyword4 /* keyword4 is supported by all releases */
BEGIN(HCR7751)
keyword1 /* keyword1 added in HCR7751 */
keyword3 /* keyword3 added in HCR7751 */
END
BEGIN(HCR7770)
keyword2 /* keyword2 added in HCR7770 */
END
keyword5 /* keyword5 is supported by all releases */
- CHECKAUTH(YES or NO)
- Indicates whether ICSF performs security access control checking
of Supervisor State or System Key callers. If
you specify CHECKAUTH(YES), ICSF issues RACROUTE calls to perform
the security access control checking and the results are logged in
RACF SMF records that are cut by RACF. If you specify CHECKAUTH(NO),
the authorization checks against resources in the CSFSERV class are
not performed resulting in a significant performance enhancement for
supervisor state and system key callers. However, the authorization
checks are not logged in the RACF SMF records.
If you do not
specify the CHECKAUTH option, the default is CHECKAUTH(NO).
If
you configure CHECKAUTH(YES) in the ICSF options dataset, the Health
Checker address space user identity must be authorized to the CSFRKL
profile in class CSFSERV for the ICSFMIG7731_ICSF_RETAINED_RSAKEY
migration check to successfully execute. However, you have no action
to take if you choose not to run the migration check. If you configure
CHECKAUTH(NO), there is no requirement to authorize the Health Checker
user identity for any ICSF profiles or classes, since the check routine
executes in supervisor state. This is not an implementation consideration,
but rather a check deployment or activation time customer administration
consideration.
- CKDSN(data-set-name)
- Specifies the CKDS name the system uses to start ICSF. Whenever
you restart ICSF, the CKDS named in the CKDSN option becomes the
active in-storage CKDS. (At first-time startup, you should specify
the name of an empty VSAM data set you created to use as the CKDS.)
If
you do not specify this keyword, ICSF does not become active. There
is no default for this option, so you must specify a value.
- CKTAUTH(YES or NO)
- Decides if authentication will be performed for every CKDS record
read from DASD.
Note:
If the active CKDS is a
variable-length record format CKDS or a fixed-length record format
CKDS that does not use record level authentication, the CKTAUTH option
will be ignored. It will be displayed as DISABLED on the Installation
Options Display panel.
- YES
- Indicates authentication will be performed.
- NO
- Indicates no authentication will be performed.
- COMPAT(YES, NO, or COEXIST)
- Indicates whether ICSF runs in compatibility mode, non-compatibility
mode, or coexistence mode with PCF.
- YES
- Indicates compatibility mode.
In compatibility
mode, you can run a PCF application on ICSF, because ICSF supports
the PCF macros. You do not have to reassemble PCF applications to
do this. You cannot start PCF at the same time as ICSF on the same
operating system.
- NO
- Indicates non-compatibility mode. In noncompatibility
mode, you run PCF applications on PCF and ICSF applications on ICSF.
You cannot run PCF applications on ICSF, because ICSF does not
support the PCF macros in this mode. PCF can be started at the same
time as ICSF on the same operating system. You can start ICSF and
then start PCF, or you can start PCF and then start ICSF.
You
should use noncompatibility mode unless you are migrating from PCF
to ICSF.
- COEXIST
- Indicates coexistence mode.
In coexistence
mode, you can run a PCF application on PCF, or you can reassemble
the PCF application to run on ICSF. To do this, you reassemble the
application against coexistence macros that are shipped with ICSF.
You can start PCF at the same time as ICSF on the same operating
system.
If you do not specify the COMPAT option, the default value
is COMPAT(NO). See Running PCF and z/OS ICSF on the same system for a complete description
of the COMPAT options.
When you initialize ICSF for the first
time, noncompatibility mode must be active. Therefore, at first-time
startup, you must specify COMPAT(NO) or allow the default to be
used.
- COMPENC(DES or CDMF)
- This keyword is no longer supported but is tolerated.
- DEFAULTWRAP(internal_wrapping_method,external_wrapping_method)
- Specifies the default key wrapping for DES keys. Any token generated
or updated by a service will be wrapped using the specified method
unless overridden by rule array keyword or a skeleton token. The default
wrapping method for internal and external tokens is specified independently.
Valid
values for internal_wrapping_method and external_wrapping_method are:
- ORIGINAL
- Specifies the original CCA token wrapping be used: ECB wrapping
for DES.
- ENHANCED
- Specifies the new X9.24 compliant CBC wrapping used. Note that
the enhanced wrapping method is available only on the z196 with
a CEX3C.
If the DEFAULTWRAP keyword is not specified, the default wrapping
method will be ORIGINAL for both internal and external tokens.
- DOMAIN(n)
- Specifies the number of the domain that you want to use for
this start of ICSF. You can specify only one domain in the options
data set. Valid values are between 0 and 15 inclusive.
DOMAIN
is an optional parameter. The DOMAIN parameter is only required if
more than one domain is specified as the usage domain on the PR/SM
panels or if running in native mode. If specified in the options data
set, it will be used and it must be one of the usage domains for the
LPAR.
If DOMAIN is not specified in the options data set, ICSF
determines which domains are available in this LPAR. If only one domain
is defined for the LPAR, ICSF will use it. If more than one is available,
ICSF will issue error message CSFM409E.
The cryptographic processors
support multiple sets of master key registers, which the specific
domain values identify.
- The Cryptographic Coprocessor Feature has a master key register for the DES master key, the
auxiliary DES master key, the signature master key and the key management
master key. The auxiliary DES master key register may contain either
the new or old DES master key. On the PCI Cryptographic Coprocessor, each domain has a master
key register for the current, new, and old SYM-MK and RSA-MK.
- The PCIXCC/CEX2C has master key registers for the DES-MK,
AES-MK and RSA-MK master keys. Each domain has a master
key register for the current, new, and old DES-MK, AES-MK and RSA-MK.
- The CEX3C has master key registers for the DES-MK, AES-MK,
RSA-MK, and ECC-MK master keys. Each domain has a master key
for the current, new, and old DES-MK, AES-MK, RSA-MK,
and ECC-MK.
For more information about partitions and running different
configurations, see z/OS Cryptographic Services ICSF Overview.
If you run ICSF in
compatibility or coexistence mode, you cannot change the domain number
without re-IPLing the system. A re-IPL ensures that a program does
not access a cryptographic service with a key that is encrypted under
a different master key. If you are certain that no cryptographic applications
are still running, you can:
- Stop CSF
- Start CSF in COMPAT(NO) mode with a different domain number
- Stop CSF
- Start CSF in compatibility or coexistence mode with a different
domain number.
- END
- Specifies the end of a section of keywords for the fmid from the BEGIN(fmid).
There must be a BEGIN(fmid) prior to the END.
There must be an END for each BEGIN(fmid).
See the description for BEGIN for an example of the usage of the BEGIN
and END keywords.
- EXIT(ICSF-name,load-module-name,FAIL(fail-option))
- Indicates information about an installation exit.
The ICSF-name is
the identifier for each exit. Table 3 lists all the ICSF exit
names and explains when ICSF calls each exit. The load module name
is the name of the module that contains the exit. The name can be
any valid name your installation chooses.
Using the FAIL keyword
of the EXIT statement, you specify the action ICSF, the KGUP, or
the PCF conversion program takes if the exit ends abnormally. The
fail action that you specify applies to subsequent calls of the exit.
If an exit ends abnormally, ICSF takes a system dump. The exit is
protected with an ESTAE or the ICSF service functional recovery
routine (FRR).
In general, you can specify one of these values
for a fail option:
- NONE
- No action is taken. The exit can be called again and will end
abnormally again.
- EXIT
- The exit is no longer available to be called again.
- SERVICE
- The service or program that called the exit is no longer available
to be called again.
- ICSF
- ICSF or the key generator utility program or the PCF conversion
program is ended, depending on the exit.
Some fail options are not valid for a specific exit.
If you specify a fail option that is not valid, ICSF uses the next
valid fail option. For example, if SERVICE is not a valid fail option
for an exit, ICSF uses the EXIT option. EXIT is responsible
for logging in SMF the results of any authorization checks that are
made.
Table 3. Exit Identifiers and Exit Invocations| Exit Identifiers | Exit Invocations |
|---|
| CSFEXIT1 | Gets control after the operator issues
the START command, but before processing takes place.
Note:
You
must not specify an EXIT statement for the first mainline exit, CSFEXIT1. | | CSFEXIT2 | Gets control after ICSF reads and
interprets the installation options data set. | | CSFEXIT3 | Gets control before ICSF completes
initialization. | | CSFEXIT4 | Gets control after the operator issues
the STOP command to stop ICSF. | | CSFEXIT5 | Gets control when the operator issues
the MODIFY command to modify ICSF. | | CSFEMK | Gets control during the compatibility
service for the PCF EMK macro. | | CSFGKC | Gets control during the compatibility
service for the PCF GENKEY macro. | | CSFRTC | Gets control during the compatibility
service for the PCF RETKEY macro. | | CSFEDC | Gets control during the compatibility
service for the PCF CIPHER macro. | | CSFCKDS | Gets control when a callable service
retrieves an entry from the CKDS. | | CSFKGUP | Gets control during key generator
utility program initialization, processing, and termination. | | CSFCONVX | Gets control when you run the PCF
CKDS conversion program. | | CSFSRRW | Gets control when an access to a
single record in the CKDS is made using the key entry hardware. | | CSFAEGN | Gets control during the ANSI X9.17
EDC generate callable service. | | CSFAKEX | Gets control during the ANSI X9.17
key export callable service. | | CSFAKIM | Gets control during the ANSI X9.17
key import callable service. | | CSFAKTR | Gets control during the ANSI X9.17
key translate callable service. | | CSFATKN | Gets control during the ANSI X9.17
transport key partial notarize callable service. | | CSFCKC | Gets control during the CVV key combine callable
service. | | CSFCKI | Gets control during the clear key
import callable service. | | CSFCPE | Gets control during the clear PIN
encrypt callable service. | | CSFCPA | Gets control during the clear PIN
generate alternate callable service. | | CSFCSG | Gets control during the VISA CVV service generate
callable service. | | CSFCSV | Gets control during the VISA CVV service verify
callable service. | | CSFCTT | Gets control during the ciphertext
translate callable service. | | CSFCTT1 | Gets control during the ciphertext
translate (with ALET) callable service. | | CSFPGN | Gets control during the Clear PIN
generate callable service. | | CSFCVT | Gets control during the control vector
translate callable service. | | CSFCVE | Gets control during the cryptographic
variable encipher callable service. | | CSFDKX | Gets control during the data key
export callable service. | | CSFDKM | Gets control during the data key
import callable service. | | CSFDEC | Gets control during the decipher
callable service. | | CSFDEC1 | Gets control during the decipher
(with ALET) callable service. | | CSFDCO | Gets control during the decode callable
service. | | CSFDSG | Gets control during the digital signature
generate service. | | CSFDSV | Gets control during the digital signature
verify callable service. | | CSFDKG | Gets control during the diversified
key generate callable service. | | CSFENC | Gets control during the encipher
callable service. | | CSFENC1 | Gets control during the encipher
(with ALET) callable service. | | CSFECO | Gets control during the encode callable
service. | | CSFEDH | Gets control during the ECC Diffie-Hellman callable
service. | | CSFEPG | Gets control during the encrypted
PIN generate callable service. | | CSFHMG | Gets control during the HMAC generate callable
service. | | CSFHMV | Gets control during the HMAC Verify callable
service. | | CSFPTR | Gets control during the encrypted
PIN translate callable service. | | CSFPVR | Gets control during the encrypted
PIN verify callable service. | | CSFKEX | Gets control during the key export
callable service. | | CSFKGN | Gets control during the key generate
callable service. | | CSFKGN2 | Gets control during the key generate2
callable service. | | CSFKIM | Gets control during the key import
callable service. | | CSFKPI | Gets control during the key part
import callable service. | | CSFKPI2 | Gets control during the key part
import2 callable service. | | CSFKRC | Gets control during the CKDS key
record create callable service. | | CSFKRC2 | Gets control during the CKDS key
record create2 callable service. | | CSFKRD | Gets control during the CKDS key
record delete callable service. | | CSFKRR | Gets control during the CKDS key
record read callable service. | | CSFKRR2 | Gets control during the CKDS key
record read2 callable service. | | CSFKRW | Gets control during the CKDS key
record write callable service. | | CSFKRW2 | Gets control during the CKDS key
record write2 callable service. | | CSFKYT | Gets control during the key test
callable service. | | CSFKYT2 | Gets control during the key test2
callable service. | | CSFKYTX | Gets control during the key test
extended callable service. | | CSFMDG | Gets control during the MDC generate
callable service. | | CSFKTR | Gets control during the key translate
callable service. | | CSFKTR2 | Gets control during the key translate2 callable
service. | | CSFMGN1 | Gets control during the MAC generate
(with ALET) callable service. | | CSFMVR | Gets control during the MAC verify
callable service. | | CSFMVR1 | Gets control during the MAC verify
(with ALET) callable service. | | CSFMDG1 | Gets control during the MDC generate
(with ALET) callable service. | | CSFMGN | Gets control during the MAC generate
callable service. | | CSFCKM | Gets control during the multiple
clear key import callable service. | | CSFSKM | Gets control during the multiple
secure key import callable service. | | CSFOWH | Gets control during the one-way hash
generate callable service. | | CSFOWH1 | Gets control during the one-way hash
generate (with ALET) callable service. | | CSFPCI | Gets control during the PCI interface
callable service. | | CSFPCU | Gets contol during the PIN Change/Unblock callable
service | | CSFPEX | Gets control during the prohibit
export callable service. | | CSFPEXX | Gets control during the prohibit
export extended callable service. | | CSFPKD | Gets control during the PKA decrypt callable service. | | CSFPKE | Gets control during the PKA encrypt callable service. | | CSFPKG | Gets control during the PKA key generate
callable service. | | CSFPKI | Gets control during the PKA key import
callable service. | | CSFPKT | Gets control during the PKA key translate callable
service. | | CSFPKTC | Gets control during the PKA key token
change callable service. | | CSFPKX | Gets control during the PKA Public
Key Extract callable service. | | CSFPKRC | Gets control during the PKDS key record create callable service. | | CSFPKRD | Gets control during the PKDS key record delete callable service. | | CSFPKRR | Gets control during the PKDS key record read callable service. | | CSFPKRW | Gets control during the PKDS key record write callable service. | | CSFPKSC | Gets control during the PKSC interface
callable service. | | CSFRKA | Gets control during the restrict
key attribute callable service. | | CSFRNG | Gets control during the random number
generate callable service. | | CSFRNGL | Gets control during the random number
generate long callable service. | | CSFRKD | Gets control during the retained
key delete callable service. | | CSFRKL | Gets control during the retained
key list callable service. | | CSFRKX | Gets control during the remote key export callable
service. | | CSFSKI | Gets control during the secure key
import callable service. | | CSFSKI2 | Gets control during the secure key
import2 callable service. | | CSFSKY | Gets control during the secure messaging
for keys callable service. | | CSFSMG | Gets control during the symmetric
MAC generate callable service. | | CSFSMG1 | Gets control during the symmetric
MAC generate (with ALET) callable service. | | CSFSMV | Gets control during the symmetric
MAC verify callable service. | | CSFSMV1 | Gets control during the symmetric
MAC verify (with ALET) callable service. | | CSFSPN | Gets control during the secure messaging
for PINs callable service. | | CSFSBC | Gets control during the SET block
compose callable service. | | CSFSBD | Gets control during the SET block
decompose callable service. | | CSFSYX | Gets control during the symmetric
key export callable service. | | CSFSYG | Gets control during the symmetric
key generate callable service. | | CSFSYI | Gets control during the symmetric
key import callable service. | | CSFSYI2 | Gets control during the symmetric key import2
callable service. | | CSFT31X | Gets control during the TR-31 export
callable service. | | CSFT31I | Gets control during the TR-31 import
callable service. | | CSFTBC | Gets control during the trusted block create
callable service. | | CSFTCK | Gets control during the transform
CDMF key callable service. | | CSFTRV | Gets control during the transaction validation
callable service | | CSFUDK | Gets control during the user derived
key callable service. | See Installation Exits for a detailed description
of each ICSF exit, including the valid fail options.
Note:
z/OS no longer ships IBM-supplied security exit routines;
the security exit points remain. Users of z/OS should use the
Security Server (RACF) or an equivalent product to obtain access checking
of services and keys. ICSF no longer needs these exit routines.
- FIPSMODE(YES or COMPAT or NO,FAIL(fail-option))
- Indicates whether z/OS PKCS #11 services must run in compliance
with the Federal Information Processing Standard Security Requirements
for Cryptographic Modules, referred to as FIPS 140-2. FIPS 140-2,
published by the National Institute of Standards and Technology (NIST),
is a standard that defines rules and restrictions for how cryptographic
modules should protect sensitive or valuable information. The standard
is available at http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf.
By
configuring z/OS PKCS #11 services to operate in compliance with FIPS
140-2 specifications, installations or individual applications
can use the z/OS PKCS #11 services in a way that allows only the cryptographic
algorithms (including key sizes) approved by the standard, and restricts
access to the algorithms that are not approved. For more information,
refer to z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.
- YES
- Indicates that the z/OS PKCS #11 services will operate in FIPS standard mode. Any application using the
PKCS #11 services will be forced to use those services in a FIPS-compliant
manner. Applications will not have access to the algorithms or key
sizes not approved by FIPS 140-2. In addition, ICSF initialization
will test that it is running on an IBM System z model type, and a
version and release of z/OS, that supports FIPS. If so, then ICSF
will perform a series of cryptographic known answer tests as required
by the FIPS 140-2 standard. If any of these initialization tests should
fail, the action the ICSF initialization process takes will depend
on the fail-option specified.
- COMPAT
- Indicates that the z/OS PKCS #11 services will operate in FIPS compatibility mode. This mode is intended
for installations where only certain z/OS PKCS #11 applications must
comply with the FIPS 140-2 standard, while other applications
do not. In this mode, the PKCS #11 services can be further configured
so that the applications that do not need to comply with the FIPS
140-2 standard are not restricted from using any of the PKCS
#11 algorithms, while applications that must comply with the standard
are restricted from using the non-approved algorithms. By default,
the COMPAT option will have the same effect as the YES option, and
all applications using the PKCS #11 services will be forced to use
those services in a FIPS-compliant manner. However, additional
specifications can be made:
- at the PKCS #11 token and application level, by creating FIPSEXEMPT.token-name resource profiles in the CRYPTOZ class.
A FIPSEXEMPT.token-name resource exists for
each token. User IDs with READ access authority to a FIPSEXEMPT.token-name are exempt from FIPS compliance, while
user IDs with access authority NONE can only use the PKCS #11 services
in a FIPS-compliant manner.
- within applications themselves for individual keys. When an application
creates a key, the application can specify that the key must be used
in a FIPS 140-2 compliant fashion. The application can specify this
by setting the Boolean key attribute CKA_IBM_FIPS140 to TRUE.
When the COMPAT option is specified, ICSF initialization will
test that it is running on an IBM System z model type, and a version
and release of z/OS, that supports FIPS. If so, then ICSF will perform
a series of cryptographic known answer tests as required by the FIPS
140-2 standard. If any of these initialization tests should fail,
the action the ICSF initialization process takes will depend on the fail-option specified.
- NO
- Indicates that no z/OS PKCS #11 applications at the installation
need to comply with the FIPS 140-2 standard, and ICSF will
bypass the extra processing that is required to ensure FIPS compliance.
FIPSEXEMPT.token-name profiles, if they exist,
will not be examined. Requests to generate or use a key with CKA_IBM_FIPS140=TRUE
will result in a failure return code.
The fail-option is either YES
or NO, and indicates what action the ICSF initialization process should
take if any of the initialization tests (performed when FIPSMODE is YES or COMPAT) should fail.
- YES
- indicates that ICSF should end abnormally if any of the tests
fail.
- NO
- Specifies that ICSF initialization process should continue even
if one or more of the tests fail. However, z/OS PKCS #11 support will
be limited or nonexistent depending on the test that failed.
- If ICSF is running on an IBM system z model type or with a version
of z/OS that does not support FIPS, most FIPS processing is bypassed.
PKCS #11 callable services will be available, but ICSF will not adhere
to FIPS 140 restrictions. Requests to generate or use a key with CKA_IBM_FIPS140=TRUE
will result in a failure return code.
- If a known answer test failed, all ICSF PKCS #11 callable services
will be unavailable.
- KEYAUTH(YES or NO)
- Indicates whether or not ICSF authenticates a key entry after ICSF retrieves
one from the in-storage CKDS. If you specify KEYAUTH(YES), ICSF authenticates
the key. ICSF generates a message authentication code (MAC) for
each key entry in the CKDS when you create or update the entry. If
you specify KEYAUTH(YES), ICSF performs a MAC verification to ensure
that the entry has not changed. If you specify KEYAUTH(NO), ICSF does
not perform this authentication and gains a small performance enhancement.
If you do not specify the KEYAUTH option, the default value is KEYAUTH(NO).
Note:
If the active CKDS is a variable-length record
format CKDS or a fixed-length record format CKDS that does not use
record level authentication, the KEYAUTH option will be ignored. It
will be displayed as DISABLED on the Installation Options Display
panel.
- MAXLEN(n)
- Defines the maximum length of characters in a text string, including
any necessary padding, for some callable service requests. For example,
this option defines the maximum length of the text the encipher service
encrypts for each call. Specify n as a decimal value from
1024 through 2147483647. If you do not specify the MAXLEN option,
the default value is MAXLEN(65535).
The MAXLEN parameter may still
be specified in the options data set, but only the maximum value limit
will be enforced (2147483647). If a value greater than this is specified,
an error will result and ICSF will not start.
Note:
MAXLEN
is no longer displayed on the Installation Option Display panel.
- PKDSCACHE
- This keyword is no longer supported but is tolerated.
- PKDSN(data-set-name)
- Specifies the PKDS name the system uses to start ICSF. Whenever
you restart ICSF, the PKDS named in the PKDSN option becomes the active
PKDS. (At first-time startup, you should specify the name of an empty
VSAM data set you created to use as the PKDS.)
If you do not specify this
keyword, ICSF does not become active. There is no default for this
option, so you must specify a value.
- REASONCODES(ICSF or TSS)
- Specifies which set of reason codes are to be returned from
callable services. If you do not specify the REASONCODES option, the
default of REASONCODES(ICSF) is used. If you specify REASONCODES(TSS),
TSS reason codes will be returned. If there is a 1-to-1 mapping, the
codes will be converted.
If you specified REASONCODES(ICSF) and
your service was processed on a PCICC, PCIXCC, CEX2C, or CEX3C,
a TSS reason code may be returned if there is no 1–1 corresponding
ICSF reason code.
- SERVICE(service-number,load-module-name,FAIL(fail-option))
- Indicates information about an installation-defined service.
ICSF allows
an installation to define its own service similar to an ICSF callable
service. The service-number specifies a number that identifies
the service to ICSF. The valid service numbers are 1 through 32767,
inclusive. This set of service numbers is valid for both installation-defined
services and UDX services. The service number of an installation-defined
service must not be the same as the service number of a UDX service.
The load-module-name is the name of the module that contains
the service. During ICSF startup, ICSF loads this module and binds
it to the service-number you specified.
The fail-option is
YES or NO, indicating the action ICSF should take if loading the
service ends abnormally.
- YES
- Specifies that ICSF ends abnormally if your service cannot
be loaded.
- NO
- Specifies that ICSF continues to start if your service cannot
be loaded.
If the service itself ends abnormally, ICSF does not
end, but takes a system dump instead. The ICSF service functional
recovery routine (FRR) protects the service.
See Installation-Defined Callable Services for a description of how to write and run an installation-defined
callable service.
- SSM(YES or NO)
- Specifies whether or not an installation can enable special
secure mode (SSM) while running ICSF. SSM lowers the security of
your system to let you enter clear keys and generate clear PINs. You
must enable SSM for KGUP to permit generation or entry of clear keys
and to enable the secure key import or clear pin generate callable
services.
- YES
- Indicates that you can enable the SSM.
- NO
- Indicates that you cannot enable the SSM.
If you do not specify the SSM option, the default value
is SSM(NO).
Note:
CCF Systems only:
When you initialize ICSF for the first time, SSM must be active.
Therefore, at first-time startup, you must specify SSM(YES).
If you are running with the IBM  zSeries 900, S/390 Enterprise Servers and S/390 Multiprise servers, you
must perform these tasks to make SSM active:
- Specify SSM(YES) in the installation options data set
- Enable SSM in the cryptographic hardware
- When running under a logical partition (LPAR), enable SSM for
each partition.
SSM must be enabled or disabled in ALL places or errors may be
logged and functions will not work as expected.
Note:
The
setting of the Environment Control Mask (ECM) enables SSM. Without
TKE, the supplied ECM enables SSM. With TKE, you can set the ECM directly;
the supplied ECM enables SSM, but you have the ability to disable
it. For details, refer to Support Element Operations Guide and z/OS Cryptographic Services ICSF TKE Workstation User’s Guide.
- SYSPLEXCKDS(YES or NO,FAIL(fail-option))
-
- SYSPLEXCKDS(YES,FAIL(fail-option))
- ICSF will join the ICSF sysplex group SYSICSF and this system
will participate in sysplex-wide consistency for CKDS data.
- SYSPLEXCKDS(YES,FAIL(YES))
- Indicates ICSF initialization will end abnormally if the ICSF
cross-system services environment cannot be established during ICSF
initialization due to a failure creating the CKDS latch set or a failure
to join the ICSF sysplex group.
- SYSPLEXCKDS(YES,FAIL(NO))
- Indicates ICSF initialization processing will continue even
if the request to create a CKDS latch set fails or the request to
join the ICSF sysplex group fails. The system will not be notified
of updates to the CKDS by other members of the ICSF sysplex group. A
value of either FAIL(YES) or FAIL(NO) will be ignored with SYSPLEXCKDS(NO,...).
- SYSPLEXCKDS(NO,FAIL(fail-option))
- CKDS update processing proceeds as it does today (i.e. no Cross-System
Services task will be initialized, nor will any XCF signalling be
performed when an update to a CKDS record occurs).
If you do not specify the SYSPLEXCKDS option, the default
value is SYSPEXCKDS(NO,FAIL(NO)).
- SYSPLEXPKDS(YES or NO,FAIL(fail-option))
- ICSF will join the ICSF sysplex group SYSICSF and this system
will participate in sysplex-wide consistency for PKDS data.
- SYSPLEXPKDS(YES,FAIL(fail-option))
- ICSF will join the ICSF sysplex group SYSICSFP and this system
will participate in sysplex-wide consistency for PKDS data.
- SYSPLEXPKDS(YES,FAIL(YES))
- Indicates ICSF initialization will fail to join the sysplex
if the ICSF cross-system services environment cannot be established
during ICSF initialization due to a failure creating the PKDS latch
set or a failure to join the ICSF sysplex group.
- SYSPLEXPKDS(YES,FAIL(NO))
- Indicates ICSF initialization processing will continue even
if the request to create a PKDS latch set fails or the request to
join the ICSF sysplex group fails. The system will not be notified
of updates to the PKDS by other members of the ICSF sysplex group.
A value of either FAIL(YES) or FAIL(NO) will be ignored with SYSPLEXPKDS(NO,...).
- SYSPLEXPKDS(NO,FAIL(fail-option))
- PKDS update processing proceeds without trying to join the
ICSF sysplex group.
If you do not specify the SYSPLEXPKDS option,
the default value is SYSPEXPKDS(NO,FAIL(NO)).
- SYSPLEXTKDS(YES or NO,FAIL(fail-option))
-
ICSF will join the ICSF sysplex group SYSICSF and this system
will participate in sysplex-wide consistency for TKDS data.
Note:
TKDSN needs to be specified for this to work. See ***.
- SYSPLEXTKDS(NO,FAIL(fail-option))
- Indicates no XCF signalling will be performed when an update
to a TKDS record occurs.
- SYSPLEXTKDS(YES,FAIL(fail-option))
- Indicates the system will be notified of updates made to the
TKDS by other members of the sysplex who have also specified SYSPLEXTKDS(YES,FAIL(fail-option)).
- SYSPLEXTKDS(YES,FAIL(YES))
- Indicates ICSF will terminate abnormally if there is a failure
creating the TKDS latch set.
- SYSPLEXTKDS(YES,FAIL(NO))
- Indicates ICSF initialization processing will continue even
if the request to create a TKDS latch set fails with an environment
failure. This system will not be notified of updates to the TKDS by
other members of the ICSF sysplex group.
If you do not specify the SYSPLEXTKDS option, the default
value is SYSPLEXTKDS(NO,FAIL(NO)) is the default.
- TKDSN(data-set-name)
- The name of an existing TKDS or an empty VSAM data set to be
used as the TKDS. To enable applications to create and use persistent
PKCS #11 tokens and objects using the PKCS #11 services, this option
must be specified.
- TRACEENTRY(n)
- Specifies the number, n, of trace buffers to allocate
for ICSF tracing. Specify n as a decimal value from 10000
through 500000, inclusive. The default is 10000.
You should set
this parameter to the maximum in case you ever need this trace material.
- UDX(UDX-id,service-number,load-module-name,'comment_text',FAIL(fail-option))
- ICSF allows the development of User Defined Extensions for the PCICC,
PCIXCC, CEX2C, or CEX3C. The UDX-id is supplied to the
installation when the UDX is developed. The service-number specifies
a number that identifies the service to ICSF. The valid service numbers
are 1 to 32767, inclusive. This set of service numbers is valid for
both installation-defined services and UDX services. The service number
of a UDX service must not be the same as the service number of an
installation-defined service. The load-module-name is the
name of the module that contains this service. During ICSF startup,
ICSF loads this module and binds it to the service-number that was
specified. A comment may be specified. The positional parameter
is required. The comment consists of up to 40 EBCDIC characters, and
may include imbedded blank characters. The comment text is enclosed
by single quotes. If no comment text is desired, two contiguous single
quotes should be specified.
The fail-option is YES or
NO, indicating the action ICSF should take if loading the service
ends abnormally. If the service itself ends abnormally, ICSF does
not end, but takes a system dump instead.
- YES
- Specifies that ICSF ends abnormally if your service cannot
be loaded.
- NO
- Specifies that ICSF continues to start if your service cannot
be loaded.
The User Defined Extension (UDX) is responsible for logging
in SMF the results of any authorization checks that were made.
- USERPARM(value)
- Specifies an 8-byte field for installation use. The Installation
Option Display panel displays this value, which is stored in the Cryptographic
Communication Vector Table (CCVT) in the CCVT_USERPARM field.
An application program or installation exit can examine this field
and use it to set system environment information. The default is eight
blanks.
- WAITLIST(data_set_name)
- This optional parameter can be used if you have ICSF with CICS (CICS
4.1 or higher) installed. It specifies a customer modifiable
data set will be used to determine names of the services to be placed
into the ICSF CICS Wait List. A sample data set is provided by ICSF
via member CSFWTL00 of SYS1.SAMPLIB with CCFs/PCICCs and CSFWTL01
for systems with PCIXCCs, CEX2Cs, or CEX3Cs. The sample
data set contains the same entries as the default ICSF CICS Wait List
(i.e., the data set contains the names of all ICSF callable services
which, by default, will be driven through the CICS TRUE). The WAITLIST
option should be added to the Installation Options data set under
these conditions.
- Non-CICS customers will not specify a WAITLIST keyword. You must
ensure, however, that if you have any existing CICS applications which
invoke any of the ICSF services in the Wait List and if these applications
were linked with ICSF stubs at a pre-OS/390 V2R10 level, then these
applications must be re-linked with the current ICSF stubs.
If running
on a z990, z890, z9 EC or z9 BC however, you must
also ensure that any existing CICS applications which invoke any of
these services are re-linked to ensure that the correct version of
the stub is used: CSNBCKI, CSNBCKM, CSNBDEC, CSNBENC, CSNBKYTX, CSNBMGN,
CSNBMVR, CSNBPEXX, CSNBRNG
- CICS customers who do not want to make use of CICS TRUE must either
not enable the TRUE or must specify a WAITLIST keyword and point to
an empty wait list data set (or specify WAITLIST(DUMMY)) in the Installation
Options data set.
- CICS customers who wish to modify the ICSF default CICS Wait List
should modify the sample Wait List data set supplied in member CSFWTL00 or
CSFWTL01 of SYS1.SAMPLIB. The WAITLIST keyword in the Installation
Options Data Set should be set to point to this modified data
set. If you have any existing CICS applications which invoke any
of the ICSF services in the Wait List and if these applications were
linked with ICSF stubs at a pre-OS/390 V2R10 level, then these applications
must be re-linked with the current ICSF stubs.
If running on
a z990, z890, z9 EC or z9 BC any existing CICS applications
which invoke any of these services are re-linked to ensure that the
correct version of the stub is used: CSNBCKI, CSNBCKM, CSNBDEC, CSNBENC,
CSNBKYTX, CSNBMGN, CSNBMVR, CSNBPEXX, CSNBRNG.
For additional
information on the CICS Attachment Facility, see Appendix C. CICS-ICSF Attachment Facility.
|
z/OS Cryptographic Services ICSF System Programmer's Guide
Copyright IBM Corporation 1990, 2014