|
ICSF uses SMF record type 82 to record certain ICSF events.
Record type 82 contains:
- a fixed header / self-defining section.
This section contains the common SMF record headers fields and the
triplet fields (offset/length/number), if applicable, that locate
the other sections on the record.
- ICSF event specific (subtype) section. Each
subtype contains information about the event that caused ICSF to write
to the SMF record. For subtypes that log state changes, the SMF record
will contain additional auditing sections.
- an auditing header section. This section
is present in the record for subtypes that log state changes. It describes
the number and overall length of the auditing sections that follow.
- a server user section and, optionally, an end user section. If both sections are present,
they can appear in either order.
You can map record type 82 by using the CSFSMF82 macro.
ICSF records information in the SMF data set when these events
occur:
- ICSF starts
- ICSF status changes on a processor
- ICSF handles error conditions for Cryptographic Coprocessor Feature failure or tampering
- You enable or disable special secure mode
- You enter a master key part
- You use the ICSF panels to process an operational key part or
key part register loaded using the TKE workstation
- TKE commands and responses are all audited through SMF 82 (TKE
commands on the Cryptographic Coprocessor Feature use CSFPKSC. TKE commands on the PCICC,
PCIXCC, CEX2C, and CEX3C use CSFPCI.)
- The in-storage cryptographic key data set (CKDS) is refreshed
- A dynamic change is made to the PKDS
- The in-storage PKDS is refreshed
- Duplicate tokens were detected
- A key store policy check resulted in a 'warning'
- You use the ICSF panels to update the new master key register
on a PCICC, PCIXCC, CEX2C, or CEX3C
- You create or delete a retained key on a PCICC, PCIXCC, CEX2C,
or CEX3C
- The TKE workstation issues a PCICC, PCIXCC, CEX2C, or CEX3C command
request or receives a reply response from a PCICC, PCIXCC, CEX2C,
or CEX3C
- ICSF records processing times for PCICCs, PCIXCCs, CEX2Cs,
CEX3Cs, PCICAs, CEX2As, and CEX3As.
- A PCICA, PCICC, PCIXCC, CEX2C, CEX3C CEX2A, or CEX3A is
either brought online or taken offline
- ICSF issues IXCJOIN to join the ICSF sysplex group or issues IXCLEAVE
to leave the sysplex group.
- The trusted block create callable service is used to create or
activate a trusted block.
Each of these events causes ICSF to record information in a separate
subtype in the SMF record.
Recording and Formatting type 82 SMF Records in
a Report - Sample jobs are available (in SYS1.SAMPLIB) to assist
in the recording and formatting of type 82 SMF data:
- CSFSMFJ - JCL that executes the code to
dump and format SMF type 82 records for ICSF. Before executing the
JCL, you need to make modifications to the JCL (see the prologue in
the sample for specific instructions). After the JCL has been modified,
terminate SMF recording of the currently active dump dataset (by issuing
I SMF) to allow for the unloading of SMF records. After SMF recording
has been terminated, execute the JCL. The output goes into the held
queue. This is an example of CSFSMFJ.
//CSFSMFJ JOB <JOB CARD PARAMETERS>
//********************************************************************
//* LICENSED MATERIALS - PROPERTY OF IBM *
//* 5694-A01 *
//* (C) COPYRIGHT IBM CORP. 2002 *
//* *
//* This JCL reads Type 82 SMF records and formats them in a report.*
//* *
//* CAUTION: This is neither a JCL procedure nor a complete JOB. *
//* Before using this JOB step, you will have to make the following *
//* modifications: *
//* *
//* 1) Add the job parameters to meet your system requirements. *
//* 2) Change the DUMPIN DSN=hlq.smfdata.input to be the name of *
//* the dataset where you currently have SMF data being *
//* recorded. *
//* 3) Change the STEPLIB VOL=SER=ttttt1 and VOL=SER=ttttt2 to *
//* be the volumes where these sort datasets reside. *
//* 4) Change the SYSPROC DSN=hlq.rexx.dataset to be the name of *
//* the dataset where you have placed the CSFSMFR REXX sample. *
//* *
//* Prior to executing this job, you need to terminate SMF *
//* recording of the currently active dump dataset for allow the *
//* unload of SMF records. *
//* *
//********************************************************************
//*
//*------------------------------------------------------------------*
//* UNLOAD SMF 82 RECORDS FROM VSAM TO VBS *
//*------------------------------------------------------------------*
//SMFDMP EXEC PGM=IFASMFDP
//DUMPIN DD DISP=SHR,DSN=hlq.smfdata.input
//DUMPOUT DD DISP=(NEW,PASS),DSN=&&VBS,UNIT=3390,
// SPACE=(CYL,(1,1)),DCB=(LRECL=32760,RECFM=VBS,BLKSIZE=4096)
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
INDD(DUMPIN,OPTIONS(DUMP))
OUTDD(DUMPOUT,TYPE(82))
//*
//*------------------------------------------------------------------*
//* COPY VBS TO SHORTER VB AND SORT ON DATE/TIME *
//*------------------------------------------------------------------*
//COPYSORT EXEC PGM=SORT,REGION=6000K
//STEPLIB DD DISP=SHR,DSN=SYS1.SORTLPA,VOL=SER=ttttt1,UNIT=3390
// DD DISP=SHR,DSN=SYS1.SICELINK,VOL=SER=ttttt2,UNIT=3390
//SYSOUT DD SYSOUT=*
//SORTWK01 DD UNIT=3390,SPACE=(CYL,10)
//SORTIN DD DISP=(OLD,DELETE),DSN=&&VBS
//SORTOUT DD DISP=(NEW,PASS),DSN=&&VB,UNIT=3390,
// SPACE=(CYL,(1,1)),DCB=(LRECL=3000,RECFM=VB)
//SYSIN DD *
SORT FIELDS=(11,4,A,7,4,A),FORMAT=BI,SIZE=E4000
//*
//*------------------------------------------------------------------*
//* FORMAT TYPE 82 RECORDS *
//*------------------------------------------------------------------*
//FMT EXEC PGM=IKJEFT01,REGION=5128K,DYNAMNBR=100
//SYSPROC DD DISP=SHR,DSN=hlq.rexx.dataset
//SYSTSPRT DD SYSOUT=*
//INDD DD DISP=(OLD,DELETE),DSN=&&VB
//OUTDD DD SYSOUT=*
//SYSTSIN DD *
%CSFSMFR
- CSFSMFR - An EXEC that formats the SMF type
82 records into a readable report.
ICSF Initialization (Subtype 1)
When ICSF starts, ICSF writes to subtype 1 after initialization
is completed. Subtype 1 describes the values of installation options
that are specified in the installation options data set.
Subtype 1 contains this information:
- Special secure mode (SSM) option
- Key authentication (KEYAUTH) option
- Security Server (RACF) checking of Supervisor State and System
Key callers (CHECKAUTH) option
- Compatibility mode with CUSP or PCF (COMPAT) option
- Cryptographic domain number (DOMAIN) option
- Number of trace entries (TRACEENTRY) option
- CKDS name (CKDSN) option
- Maximum length for data in a callable service (MAXLEN) option
Beginning
with z/OS V1 R2, the MAXLEN parameter may still be specified in the
options data set, but only the maximum value limit will be enforced
(2147483647). If a value greater than this is specified, an error
will result and ICSF will not start.
- CKDS record authentication (CKTAUTH) option
- User parameter (USERPARM) option
- PKDS name (PKDSN) option
- TKDS name (TKDSN) option
SMF records for this subtype will also contain a server user audit
section.
ICSF Status Change (Subtype 3)
ICSF writes to subtype 3 when processors are verified at initialization,
after a master key is set or changed, when ICSF switches from stand-by
mode to normal mode, or when a processor comes online or offline.
When processor status changes, subtype 3 gives the status of the processors
still online.
Subtype 3 contains this information:
- Processor number
- Coprocessor number
- Cryptographic domain number
- Master key version number
If a master key change or set occurs, subtype 3 also contains
this information:
- Master key verification pattern
- Old master key verification pattern, if an old master key exists
- New master key verification pattern, if a new master key exists
Error Handling for Cryptographic Coprocessor Feature (Subtype 4)
ICSF writes to subtype 4 when the Coprocessor is in standby mode
or when the Cryptographic Coprocessor Feature detects tampering.
Subtype 4 contains this information:
- Status word from the Cryptographic Coprocessor Feature
- Processor number
- Cryptographic domain number
Special Secure Mode Change (Subtype 5)
Subtype 5 contains special secure mode status bit. ICSF writes
to subtype 5 when the status of special secure mode changes. ICSF also
updates subtype 5 when the Cryptographic Coprocessor Feature indicates that special secure mode
was required for an instruction, but was not enabled.
Master Key Part Entry (Subtype 6)
ICSF writes to subtype 6 when master key parts are entered using
TKE workstation and are processed using the TKE master key entry ICSF
panels. Subtype 6 contains this information:
- The verification pattern for the master key part
- The verification pattern for the new master key
- A bit indicating whether the verification pattern is valid
- The Coprocessor number
- The cryptographic domain number
If you enter the final master key part, the record also contains
the verification pattern for the entire master key and a bit indicating
whether the verification pattern is valid.
Operational Key Part Entry (Subtype 7)
ICSF writes to subtype 7 when key parts are entered using the
TKE workstation and are processed using the operational key entry
ICSF panels. Subtype 7 contains this information:
- The ENC-ZERO verification pattern of the completed key for a PCIXCC,
CEX2C, or CEX3C or the CCF verification pattern
- A bit indicating whether the verification pattern is valid
- The cryptographic coprocessor domain number
- The cryptographic coprocessor number
- The name of the CKDS that contains the entry with the key part
- The label of the CKDS entry that contains the key part
SMF records for this subtype will also contain server user and
end user audit sections.
CKDS Refresh (Subtype 8)
ICSF writes to subtype 8 when the in-storage CKDS is successfully
refreshed. ICSF refreshes the in-storage CKDS by reading a disk
copy of a CKDS into storage. Subtype 8 contains this information:
- Name of the current in-storage CKDS that ICSF refreshes
- Name of the disk copy of the CKDS that ICSF read into storage
to replace the current CKDS
SMF records for this subtype will also contain server user and
end user audit sections.
Dynamic CKDS Update (Subtype 9)
ICSF writes to subtype 9 when an application uses the dynamic
CKDS update services to write to the CKDS. Subtype 9 contains this
information:
- Name of the changed CKDS
- An indication of the operation performed.
- The CKDS entry (which includes the label name and key type) that
was changed
SMF records for this subtype will also contain server user and
end user audit sections.
PKA Key Part Entry (Subtype 10)
ICSF writes to subtype 10 when you use the ICSF panels to enter
PKA master key parts. Subtype 10 contains this information:
- An indication of which PKA Master key is changing; the Signature
Master Key (SMK), or the Key Management Master Key (KMMK)
- An indication of whether the hash pattern of the PKA master key
register is valid (It is valid when the final key part is entered.)
- The hash pattern (MDC-4) of the PKA master key register
- The hash pattern of PKA key part
- The Coprocessor number
- Current cryptographic domain
If no DES master key has been validated, the key part entries do
not contain a hash pattern. The record for the final key contains
the hash pattern of the complete key.
Clear New Master Key Part Entry (Subtype 11)
ICSF writes to subtype 11 when you use the ICSF panels to enter
new master key parts. Subtype 11 contains this information:
- An indication of whether the hash patterns for the new master
key register and new master key part are valid. (The new master keys
register hash pattern is only valid once the final key part in entered.)
- An indication of whether the verification patterns for the new
master key register and key part are valid. (The new master key verification
pattern is valid only after the final key part is entered.)
- The hash pattern of the new master key register
- The verification pattern of the new master key register
- The hash pattern of new master key part
- The verification pattern of new master key part
- The Coprocessor number
- Current cryptographic domain
If no DES master key has been validated, the key part entries do
not contain a verification pattern and hash pattern. The record for
the final key contains the verification pattern and hash pattern of
the complete key.
PKSC Commands (Subtype 12)
ICSF writes to subtype 12 for every PKSC command entered through
the CSFPKSC interface. Subtype 12 contains this information:
- The complete PKSC request
- The corresponding PKSC response
Dynamic PKDS Update (Subtype 13)
ICSF writes to subtype 13 when an application uses the dynamic
PKDS update services to change the PKDS. Subtype 13 contains this
information:
- The name of the changed PKDS
- An indication of the operation performed.
- The name of the changed entry in the PKDS
SMF records for this subtype will also contain server user and
end user audit sections.
Cryptographic Coprocessor Clear Master Key Entry (Subtype 14)
ICSF writes to subtype 14 whenever you use ICSF panels to update AES-MK,
DES-MK, ECC-MK, or RSA-MK in the new master
key register in a PCICC, PCIXCC, CEX2C, or CEX3C. Subtype
14 contains this information:
- The master Key valid indicator
- The indicator for a PCICC, PCIXCC, CEX2C, or CEX3C
- The new master key verification pattern
- The key part verification pattern
- The cryptographic coprocessor processor number
- The cryptographic coprocessor serial number
- The cryptographic coprocessor domain index
SMF records for this subtype will also contain server user and
end user audit sections.
Cryptographic Coprocessor Retained Key Create or Delete (Subtype
15)
ICSF writes to subtype 15 whenever you create or delete a retained
private key in a PCICC, PCIXCC, CEX2C, or CEX3C. Subtype
15 contains this information:
- The operation performed (created, deleted from PCI, deleted from
PKDS)
- The indicator for a PCICC, PCIXCC, CEX2C, or CEX3C
- The retained key label
- The cryptographic coprocessor processor number
- The cryptographic coprocessor serial number
- The domain index
SMF records for this subtype will also contain server user and
end user audit sections.
Cryptographic Coprocessor TKE Command Request or Reply (Subtype
16)
ICSF writes to subtype 16 whenever a TKE workstation either issues
a command request to, or receives a reply response from, a PCICC,
PCIXCC, CEX2C, or CEX3C. Subtype 16 contains this information:
- The indicator for request or reply
- The indicator for a PCICC, PCIXCC, CEX2C, or CEX3C
- The cryptographic coprocessor processor number
- The cryptographic coprocessor serial number
- The cryptographic coprocessor domain index
- The request command block or reply response block length
- The request command data block or reply response data block length
- The request or reply CPRB
- The length of the fixed audit data
- The number of relocate sections
- The function id
- The function return code
- The function description - describes the function id.
SMF records for this subtype will also contain server user and
end user audit sections.
PCI Cryptographic Coprocessor Timing (Subtype 17)
ICSF periodically records processing times for PCI Cryptographic Coprocessor operations
in subtype 17. Subtype 17 contains this information:
- The time immediately before the operation begins
- The time immediately after the operation ends
- The time immediately after the results of the operation have been
communicated to the caller address space
- The number of processes waiting to submit work to the same PCI Cryptographic Coprocessor,
domain, and reference slot used by this operation
- The function code for this operation
- The PCI Cryptographic Coprocessor processor number
- The PCI Cryptographic Coprocessor serial number
- The PCI Cryptographic Coprocessor domain
- A reference number that identifies an internal ICSF queue element
Cryptographic Coprocessor Configuration (Subtype 18)
ICSF writes subtype 18 when a PCICA, PCICC, PCIXCC, CEX2C, CEX2A, CEX3C,
or CEX3A is brought online or taken offline. Subtype 18 contains
this information:
- The operation performed (coprocessor brought online, taken offline)
- The coprocessor number
- The PCICC, PCIXCC, CEX2C, or CEX3C serial number, or
a PCICA, CEX2A, or CEX3A number
PCI X Cryptographic Coprocessor Timing (Subtype 19)
ICSF periodically records processing times for PCIXCC operations
in subtype 19. Subtype 19 contains this information:
- The time immediately before the operation begins
- The time immediately after the operation ends
- The time immediately after the results of the operation have been
communicated to the caller address space
- The number of processes waiting to submit work to the same PCIXCC,
domain, and reference slot used by this operation
- The function code for this operation
- The PCIXCC processor number
- The PCIXCC serial number
- The PCIXCC domain
- A reference number that identifies an internal ICSF queue element
Cryptographic Coprocessor Timing (Subtype 20)
ICSF periodically records processing times for PCIXCC, CEX2C,
CEX3C, CEX2A, and CEX3A operations in subtype 20. Subtype 20
contains this information:
- The device type
- The time immediately before the operation begins
- The time immediately after the operation ends
- The time immediately after the results of the operation have been
communicated to the caller address space
- The number of processes waiting to submit work to the same coprocessor,
domain, and reference slot used by this operation
- The function code for this operation
- The PCIXCC, CEX2C, CEX3C, CEX2A, or CEX3A processor number
- The PCIXCC, CEX2C, CEX3C, CEX2A, or CEX3A serial number
- The PCIXCC, CEX2C, CEX3C, CEX2A, or CEX3A domain
- A reference number that identifies an internal ICSF queue element
ICSF Sysplex Group (Subtype 21)
ICSF writes subtype 21 when ICSF joins or leaves the ICSF sysplex
group. Subtype 21 contains this information:
- The name of the ICSF sysplex group
- The name of the sysplex member
- An indication of whether the member joined or left the sysplex
group
- An indication of whether the join or leave was due to normal initialization/termination
processing
- An indication of whether the leave was due to error recovery processing
- The time of the join or leave
- The name of the active CKDS
Trusted Block Create (Subtype 22)
ICSF writes subtype 22 when the Trusted Block Create callable services
are invoked. Subtype 22 contains this information:
- Type of call, Active or Inactive
- If a Public Key Section was present in the Trusted Block Token
- ASID of the Caller
- If Input Trusted Block Token is in the PKDS, save it's Label
- If Output Trusted Block Token is in the PKDS, save it's Label
- If the Transport Key Token is in the CKDS, save it's Label
SMF records for this subtype will also contain server user and
end user audit sections.
Token Data Set (TKDS) (Subtype 23)
ICSF writes subtype 23 when the Token Data Set (TKDS) record is
updated (created, modified, deleted) of PKCS #11 tokens or token objects.
Token Data Set callable services are invoked. Subtype 23 contains
this information:
- The name of the changed TKDS
- An indication of the operation performed
- The name of the changed entry in the TKDS
SMF records for this subtype will also contain server user and
end user audit sections.
Duplicate Key Tokens (Subtype 24)
ICSF writes subtype 24 when the security administrator has indicated
that duplicate key tokens must be identified. Subtype 24 contains
this information:
- The data set name
- The number of key labels
- The key labels
Key Store Policy (Subtype 25)
ICSF writes subtype 25 when a callable service checks the key store
policy. Subtype 25 contains this information:
- The list information (incomplete, from CKDS, from PKDS)
- The number of key labels
- The unauthorized duplicate key label and key type
SMF records for this subtype will also contain server user and
end user audit sections.
PKDS Data Space Refresh (Subtype 26)
ICSF writes to subtype 26 when the in-storage PKDS is successfully
refreshed. ICSF refreshes the in-storage PKDS by reading a disk
copy of a PKDS into storage. Subtype 26 contains this information:
- Name of the current in-storage PKDS that ICSF refreshes
- Name of the disk copy of the PKDS that ICSF read into storage
to replace the current PKDS
SMF records for this subtype will also contain server user and
end user audit sections.
PKA Key Management Extensions (Subtype 27)
When PKA Key Management Extensions are enabled, ICSF writes to
subtype 27 to record operational and error information related to
PKA Key Management Extensions. A subtype 27 record is written:
- when a CSF.PKAEXTNS.ENABLE or CSF.PKAEXTNS.ENABLE.WARNONLY profile
in the XFACILIT class uses the APPLDATA field to specify a trusted
certificate repository, an SMF record is cut to indicate if the trusted
certificate repository was successfully changed, or whether there
was an error. The APPLDATA field and the repository it specifies will
be checked at startup and whenever the XFACILIT class is RACLISTed.
ICSF will write a subtype 27 record if the certificate repository
is changed, or if there is an error. In this case, subtype 27 will
indicate if:
- the trusted certificate repository was changed
- the specified trusted certificate repository is empty
- an error was detected while extracting the APPLDATA
- the specified repository was not found
- one or more certificates could not be parsed
- when an application calls a service attempting to use a key in
a way that is not allowed by the ICSF segment specifications within
the CSFKEYS or XCSFKEY profile that covers the key. The SMF record
will be written at the completion of the callable service, which,
depending on whether PKA Key Management Extensions had been enabled
in warning or fail mode, may or may not allow the requested operation
on the key. Subtype 27 contains this information. In this case, subtype
27 will indicate if:
- an asymmetric key may not be used for the requested function
- a symmetric key cannot be exported by the provided asymmetric
key
SMF records for this subtype will also contain server user and
end user audit sections.
High Performance Encrypted Key (Subtype 28)
Symmetric Key Encipher (CSNBSYE, CSNBSYE1, CSNESYE and CSNESYE1)
and Symmetric Key Decipher (CSNBSYD, CSNBSYD1, CSNESYD and CSNESYD1)
callable services exploit CP Assist for Cryptographic Functions (CPACF)
for improved key management performance. A CKDS encrypted key can
be used in these services, but only when SYMCPACFWRAP(YES) is specified
in the ICSF segment of the CSFKEYS class profile that covers the key.
ICSF writes to subtype 28 at the completion of functions that attempt
to wrap an encrypted key under the CPACF wrapping key. Subtype 28
will indicate if the rewrapping operation is:
- permitted for this symmetric key
- not permitted for this symmetric key
SMF records for this subtype will also contain server user and
end user audit sections.
TKE Workstation Audit Record (Subtype 29)
If you have the optional TKE Workstation, you can use the TKE Audit
Record Upload Configuration Utility to send Trusted Key Entry workstation
security audit records to a System z host, where they will be saved
in the z/OS System Management Facilities (SMF) dataset. Each TKE security
audit record is stored in the SMF dataset as a type 82 subtype 29
record. For more information on the TKE Audit Record Upload Configuration
Utility, refer to the z/OS Cryptographic Services ICSF TKE Workstation User’s Guide.
|
z/OS Cryptographic Services ICSF System Programmer's Guide
Copyright IBM Corporation 1990, 2014