z/OS Cryptographic Services ICSF System Programmer's Guide


Steps to start ICSF for the first time

SA22-7520-17

Now that you have created the key data sets, the installation data set, the started procedure, and the ICSF management panels, you can start ICSF.

For additional information on starting ICSF for the first time, see Appendix D. Helpful Hints for ICSF First Time Startup.

Before you start ICSF, verify that you have done the following:

  • Created an empty data set for use as a CKDS
  • Specified the CKDS name in the installation options data set
  • Created an empty data set for use as a PKDS
  • Specified the PKDS name in the installation options data set
  • Created the TKDS, if PKCS #11 support is desired
  • Created a startup procedure
  • Installed ICSF

Steps for initializing ICSF

You must initialize ICSF and the cryptographic coprocessors:

  1. Enter the START command and the startup procedure name. In this example, CSF is the name of the startup procedure.
       START CSF

    When you start ICSF, you specify the name of the ICSF startup procedure you created (see Steps to create the ICSF Startup Procedure). See Starting and stopping ICSF for more information about starting and stopping ICSF.

    Note:
    CCF Systems Only: If you start CSF using CSFSTART and then run the CSFSETMK JCL to set the master keys and initialize the CKDS, the DES master keys will be set and the PKA master keys will be set in the Cryptographic Coprocessor Feature, and the CKDS will be initialized using the appropriate pass phrase. If your environment has PCI Cryptographic Coprocessors, they will not be initialized by this process. Only the Cryptographic Coprocessor Feature is initialized. If you need to initialize the PCI Cryptographic Coprocessor, see z/OS Cryptographic Services ICSF Administrator’s Guide for additional information on using the Pass Phrase Initialization Utility. If you re-IPL or stop ICSF and want to perform a subsequent SMP/E E-delivery, you only need to start ICSF (providing you wish to reuse the previously established options and parameters).
  2. Access the ICSF panels to define a master key and initialize the CKDS and PKDS. For a description of how to use the ICSF panels to define a master key and initialize the CKDS and PKDS at first-time startup, see z/OS Cryptographic Services ICSF Administrator’s Guide.

    When defining a master key by specifying master key parts, make sure the key parts are recorded and saved in a secure location. When you are entering the key parts for the first time, be aware that you may need to reenter these same key values at a later date to restore master key values that have been cleared. If defining a master key using a pass phrase, realize that the same pass phrase will always produce the same master key values, and is therefore as critical and sensitive as the master key values themselves. Make sure you save the pass phrase so that you can later reenter it if needed. Because of the sensitive nature of the pass phrase, make sure you secure it in a safe place.

  3. When you start ICSF for the first time, you will see different messages depending on your system hardware.
    • z10 EC, z10 BC, and z196 with a CEX3C:
      • First time startup messages before master keys have been loaded and the CKDS and PKDS have not been initialized:
        S CSF                                                                  
        CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.
        CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
        CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
        CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.  
        CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.   
        CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
        CSFM124I MASTER KEY DES ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL
        NUMBER nnnnnnnn, NOT INITIALIZED. 
        CSFM124I MASTER KEY RSA ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL
        NUMBER nnnnnnnn, NOT INITIALIZED. 
        CSFM124I MASTER KEY AES ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
        NUMBER nnnnnnnn, NOT INITIALIZED.   
        CSFM124I MASTER KEY ECC ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
        NUMBER nnnnnnnn, NOT INITIALIZED.                 
        CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CKDS IS NOT INITIALIZED. 
        CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE. 
        CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.PKDS IS NOT INITIALIZED.
        CSFM012I NO ACCESS CONTROL AVAILABLE FOR CRYPTOZ RESOURCES. ICSF PKCS11 
        SERVICES DISABLED.
        CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION
        CSFM001I ICSF INITIALIZATION COMPLETE                                    
        CSFM009I NO ACCESS CONTROL AVAILABLE FOR ICSF SERVICES OR KEYS 
        CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.

        Message CSFM124I will be issued for each CEX3C online.

        Notes:
        1. Message CSFM508I will not be issued if one of the Crypto Express3 Feature’s cryptographic engines is configured as an accelerator (CEX3A).
        2. Message CSFM122I will not be issued when your system has any CEX3C coprocessors (with the Sep. 2011 or later LIC) online. The PKA callable services control will not be active. The availability of RSA callable services will depend on the status of the RSA master key. CSFM130I is issued when the RSA master key is active and RSA callable services are available.
      • First time startup messages before master keys have been loaded and sharing an initialized CKDS and PKDS:
        S CSF                                                               
        CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.                        
        CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
        CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
        CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.  
        CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.  
        CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
        CSFM123E MASTER KEY DES ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
        NUMBER nnnnnnnn, IN ERROR.                                       
        CSFM123E MASTER KEY AES ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
        NUMBER nnnnnnnn, IN ERROR.
        CSFM123E MASTER KEY ECC ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
        NUMBER nnnnnnnn, IN ERROR.
        CSFM123E MASTER KEY RSA ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
        NUMBER nnnnnnnn, IN ERROR.                                             
        CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE.
        CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION
        CSFM001I ICSF INITIALIZATION COMPLETE           
        CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE. 

        Message CSFM123E will be issued for each CEX3C online.

        Notes:
        1. Message CSFM508I will not be issued if one of the Crypto Express3 Feature’s cryptographic engines is configured as an accelerator (CEX3A).
        2. Message CSFM122I will not be issued when your system has any CEX3C coprocessors (with the Sep. 2011 or later LIC) online. The PKA callable services control will not be active. The availability of RSA callable services will depend on the status of the RSA master key. CSFM130I is issued when the RSA master key is active and RSA callable services are available.
      • Normal ICSF restart messages. Master key registers are valid and match the CKDS/PKDS.
        S CSF                                                                
        CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.                        
        CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
        CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
        CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.  
        CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.  
        CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
        CSFM129I MASTER KEY DES ON CRYPTO EXPRESS2 COPROCESSOR Epp, SERIAL      
        NUMBER nnnnnnnn, IS CORRECT.                                       
        CSFM129I MASTER KEY AES ON CRYPTO EXPRESS2 COPROCESSOR Epp, SERIAL      
        NUMBER nnnnnnnn, IS CORRECT.
        CSFM129I MASTER KEY ECC ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
        NUMBER nnnnnnnn, IS CORRECT.
        CSFM129I MASTER KEY RSA ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
        NUMBER nnnnnnnn, IS CORRECT. 
        CSFM129I MASTER KEY mk ON coprocessor-name cii, SERIAL 
        NUMBER nnnnnnn, IS CORRECT. 
        CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE.
        CSFM400I CRYPTOGRAPHY - SERVICES ARE NOW AVAILABLE. 
        CSFM130I CRYPTOGRAPHY - RSA SERVICES ARE AVAILABLE. 
        CSFM127I CRYPTOGRAPHY - AES SERVICES ARE AVAILABLE. 
        CSFM130I CRYPTOGRAPHY - ECC SERVICES ARE AVAILABLE. 
        CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
        CSFM001I ICSF INITIALIZATION COMPLETE 

        Message CSFM129I will be issued for each active CEX3C.

        Note:
        Message CSFM508I will not be issued if one of the Crypto Express3 Feature’s cryptographic engines is configured as an accelerator (CEX3A).
    • z9 EC, z9 BC, z10 EC and z10 BC with a CEX2C:
      • First time startup messages before master keys have been loaded and the CKDS and PKDS have not been initialized:
        S CSF                                                                  
        CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.                        
        CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
        CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
        CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.  
        CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.  
        CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
        CSFM124I MASTER KEY DES ON CRYPTO EXPRESS2 COPROCESSOR Epp, SERIAL      
        NUMBER nnnnnnnn, NOT INITIALIZED.                                       
        CSFM124I MASTER KEY AES ON CRYPTO EXPRESS2 COPROCESSOR Epp, SERIAL      
        NUMBER nnnnnnnn, NOT INITIALIZED.                                                  
        CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CKDS IS NOT INITIALIZED. 
        CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE. 
        CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.PKDS IS NOT INITIALIZED.
        CSFM012I NO ACCESS CONTROL AVAILABLE FOR CRYPTOZ RESOURCES. ICSF PKCS11 
        SERVICES DISABLED.
        CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION
        CSFM001I ICSF INITIALIZATION COMPLETE                                    
        CSFM009I NO ACCESS CONTROL AVAILABLE FOR ICSF SERVICES OR KEYS 
        CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE. 
         

        Message CSFM124I will be issued for each CEX2C online.

        Note:
        Message CSFM508I will not be issued if one of the Crypto Express2 Feature’s cryptographic engines is configured as an accelerator (CEX2A).
      • First time startup messages before master keys have been loaded and sharing an initialized CKDS and PKDS:
        S CSF                                                               
        CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.                        
        CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
        CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
        CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.  
        CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.  
        CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
        CSFM123E MASTER KEY DES ON CRYPTO EXPRESS2 COPROCESSOR Epp, SERIAL      
        NUMBER nnnnnnnn, IN ERROR.                                       
        CSFM123E MASTER KEY AES ON CRYPTO EXPRESS2 COPROCESSOR Epp, SERIAL      
        NUMBER nnnnnnnn, IN ERROR.
        CSFM123E MASTER KEY RSA ON CRYPTO EXPRESS2 COPROCESSOR E38, SERIAL      
        NUMBER nnnnnnnn, IN ERROR.                                             
        CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE.
        CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION
        CSFM001I ICSF INITIALIZATION COMPLETE           
        CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE. 
         

        Message CSFM123E will be issued for each CEX2C online.

        Note:
        CSFM508I will not be issued if one of the Crypto Express2 Feature’s cryptographic engines is configured as an accelerator (CEX2A).
      • Normal ICSF restart messages. Master key registers are valid and match the CKDS/PKDS.
        S CSF                                                                
        CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.                        
        CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
        CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
        CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.  
        CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.  
        CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
        CSFM124I MASTER KEY DES ON CRYPTO EXPRESS2 COPROCESSOR Epp, SERIAL      
        NUMBER nnnnnnnn, NOT INITIALIZED.                                       
        CSFM124I MASTER KEY AES ON CRYPTO EXPRESS2 COPROCESSOR Epp, SERIAL      
        NUMBER nnnnnnnn, NOT INITIALIZED.
        CSFM129I MASTER KEY AES ON coprocessor-name cii, SERIAL 
        NUMBER nnnnnnn, IS CORRECT.                                       
        CSFM129I MASTER KEY DES ON coprocessor-name cii, SERIAL 
        NUMBER nnnnnnn, IS CORRECT.                                       
        CSFM129I MASTER KEY RSA ON coprocessor-name cii, SERIAL 
        NUMBER nnnnnnn, IS CORRECT.                                       
        CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE.
        CSFM001I ICSF INITIALIZATION COMPLETE                                  
        CSFM400I CRYPTOGRAPHY - SERVICES ARE NOW AVAILABLE.
        CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
        CSFM127I CRYPTOGRAPHY - AES SERVICES ARE AVAILABLE. 
         

        Message CSFM129I will be issued for each active CEX2C.

        Note:
        Message CSFM508I will not be issued if one of the Crypto Express2 Feature’s cryptographic engines is configured as an accelerator (CEX2A).
    • z9 EC, z9 BC, z10 EC and z10 BC with CPACF only (no CEX2C/CEX3C or CEX2A/CEX3A):
        S CSF
        CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.                        
        CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
        CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
        CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.  
        CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.  
        CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
        CSFM101E PKA KEY DATA SET, CSF.PKDS IS NOT INITIALIZED.          
        CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CKDS IS NOT INITIALIZED.                                    
        CSFM507I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC COPROCESSORS ONLINE.  
        CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE.  
        CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION
        CSFM001I ICSF INITIALIZATION COMPLETE
        CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE. 
    • z9 EC, z9 BC, z10 EC and z10 BC with CPACF and CEX2A/CEX3A:
        S CSF                                                                  
        CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.                        
        CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
        CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
        CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.  
        CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.  
        CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.                     
        CSFM507I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC COPROCESSORS ONLINE.  
        CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION
        CSFM001I ICSF INITIALIZATION COMPLETE                                    
        CSFM400I CRYPTOGRAPHY - SERVICES ARE NOW AVAILABLE.  
        CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE. 
           

    You'll receive message CSFM511E for each Cryptographic Coprocessor Feature you have online.
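
The startup listings in step 3 can be checked mechanically, because CSFM001I (initialization complete) is issued even when master keys or key data sets are not initialized. The following Python is an added example, not part of the IBM guide: it rejoins wrapped console lines and reports master key state, uninitialized key data sets and missing access control. The function names, the sample serial number and the `needs_attention` rule are assumptions of the example.

```python
import re

# Message ids and wording follow the startup listings on this page.
MSG_RE = re.compile(r"^(CSFM\d{3}[A-Z])\s+(.*)$")
MK_RE = re.compile(r"MASTER KEY (?P<key>\w+) ON (?P<coprocessor>.+?), SERIAL NUMBER "
                   r"(?P<serial>\w+), (?:NOT INITIALIZED|IN ERROR|IS CORRECT)\.")
KDS_RE = re.compile(r"DATA SET, (\S+) IS NOT INITIALIZED")
MK_STATE = {"CSFM124I": "uninitialized", "CSFM123E": "in-error", "CSFM129I": "correct"}

# Constructed sample console output; the serial number is made up.
SAMPLE = """\
S CSF
CSFM124I MASTER KEY DES ON CRYPTO EXPRESS2 COPROCESSOR E38, SERIAL
NUMBER 00000000, NOT INITIALIZED.
CSFM129I MASTER KEY AES ON CRYPTO EXPRESS2 COPROCESSOR E38, SERIAL
NUMBER 00000000, IS CORRECT.
CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CKDS IS NOT INITIALIZED.
CSFM012I NO ACCESS CONTROL AVAILABLE FOR CRYPTOZ RESOURCES. ICSF PKCS11
SERVICES DISABLED.
CSFM001I ICSF INITIALIZATION COMPLETE
CSFM009I NO ACCESS CONTROL AVAILABLE FOR ICSF SERVICES OR KEYS
"""


def join_messages(console_text):
    """Rejoin wrapped lines: text without a CSFM id continues the prior message."""
    messages = []
    for line in (raw.strip() for raw in console_text.splitlines()):
        m = MSG_RE.match(line)
        if m:
            messages.append([m.group(1), m.group(2)])
        elif line and messages:
            messages[-1][1] += " " + line
    return [(mid, " ".join(text.split())) for mid, text in messages]


def summarize(console_text):
    """Collect master key state, uninitialized key data sets and access-control gaps."""
    msgs = join_messages(console_text)
    report = {"master_keys": [], "kds_uninitialized": [], "no_access_control": [],
              "init_complete": any(mid == "CSFM001I" for mid, _ in msgs)}
    for mid, text in msgs:
        mk = MK_RE.search(text) if mid in MK_STATE else None
        kds = KDS_RE.search(text) if mid in ("CSFM100E", "CSFM101E") else None
        if mk:
            report["master_keys"].append({**mk.groupdict(), "state": MK_STATE[mid]})
        elif kds:
            report["kds_uninitialized"].append(kds.group(1))
        elif mid in ("CSFM009I", "CSFM012I"):
            report["no_access_control"].append(mid)
    # Example policy (an assumption): flag any key not reported correct or any empty KDS.
    bad_keys = [k for k in report["master_keys"] if k["state"] != "correct"]
    report["needs_attention"] = bool(bad_keys or report["kds_uninitialized"])
    return report
```

Calling `summarize(SAMPLE)` returns a report with `init_complete` true and `needs_attention` true, which is the first-time-startup condition the listings above describe.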

Notes:

  1. When you are starting ICSF for the first time and loading the first master key and initializing one or more CKDSs, you provide the name of the empty VSAM data set you defined previously (see step 3) to use for the CKDS when starting ICSF.
  2. While ICSF processes the data set, it requires exclusive use so that no one can make changes while the data set is read. ICSF releases the data set when it completes startup processing.
  3. During CKDS initialization or refresh, ICSF reads the CKDS into extended private storage. Make sure that the region size is sufficient for reading in the entire data set. The parameter setting REGION=0M specifies the maximum available space.
  4. You can add keys to the CKDS in several ways. See The Cryptographic Key Data Set (CKDS) for details.
  5. You can also write application programs to call services to perform cryptographic functions. See Creating ICSF exits and generic services for details.





Copyright IBM Corporation 1990, 2014