IBM Health Checker for z/OS User's Guide


ICSFMIG7731_ICSF_RETAINED_RSAKEY

SC23-6843-02

Description:
Detects the existence of retained RSA private keys on a PCICC or PCIXCC/CEX2C cryptographic card.
This check is inactive by default; to use it, you must activate it. Run the check periodically, and run it dynamically whenever an event occurs that affects the check results. For example, run the check dynamically when:
  • The ICSF product release level is being upgraded to any new ICSF release level.
  • The z/OS® product release level is being upgraded and ICSF is an exploited feature for that z/OS image.
Reason for check:
A PCICC or PCIXCC/CEX2C card may possess the only copy of a retained RSA private key. Customers that run applications and middleware that utilize the retained key functionality of these cards are exposed to the loss of keys upon hardware failure, which may result from a problem as simple as an exhausted or malfunctioning card battery. Lost retained keys have the further implication of lost data, for retained key management keys, and an inability to verify signatures, for retained signature keys. Starting with the Cryptographic Support for z/OS V1R7-V1R9 and z/OS.e V1R7-V1R8 Web deliverable (ICSF FMID HCR7750), you no longer have the ability to store new private RSA keys intended for key management usage in a cryptographic coprocessor. Existing applications will continue to be able to use the retained keys and to delete them from the cryptographic coprocessor cards.
z/OS releases the check applies to:
z/OS V1R9 and later.
Type of check (local or remote):
Local
User override of IBM® values:
The following shows the keywords you can use to override check values, either on a POLICY statement in the HZSPRMxx parmlib member or on a MODIFY command. This statement may be copied and modified to override the check defaults:
  UPDATE
  CHECK(IBMICSF,ICSFMIG7731_ICSF_RETAINED_RSAKEY)
  INACTIVE
  SEVERITY(LOW) INTERVAL(ONETIME) DATE('date_of_the_change')
  REASON('Your reason for making the update.')
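The statement above repeats the IBM defaults, which leave the check inactive. As an added illustration that is not part of this IBM page, the fragment below shows the two ways the text describes of putting the check to use: an HZSPRMxx POLICY entry that activates it and schedules it every 24 hours, and the operator MODIFY commands that activate it, run it on demand (for instance before an ICSF or z/OS release upgrade) and display its status. The started-task name HZSPROC, the DATE value, the INTERVAL and the REASON text are assumed values; substitute your installation's Health Checker procedure name and your own change-control details.

```text
/* HZSPRMxx parmlib member (assumed values for DATE, INTERVAL, REASON) */
/* Activate the check and rerun it every 24 hours instead of ONETIME  */
UPDATE
CHECK(IBMICSF,ICSFMIG7731_ICSF_RETAINED_RSAKEY)
ACTIVE
SEVERITY(LOW) INTERVAL(24:00) DATE(20140601)
REASON('Detect retained RSA keys before the ICSF upgrade.')

/* Operator commands, entered at the console; HZSPROC is the assumed */
/* name of the IBM Health Checker for z/OS started task             */
F HZSPROC,ACTIVATE,CHECK=(IBMICSF,ICSFMIG7731_ICSF_RETAINED_RSAKEY)
F HZSPROC,RUN,CHECK=(IBMICSF,ICSFMIG7731_ICSF_RETAINED_RSAKEY)
F HZSPROC,DISPLAY,CHECKS,CHECK=(IBMICSF,ICSFMIG7731_ICSF_RETAINED_RSAKEY)
```

The RUN command forces an immediate evaluation, which is the form to use before a release upgrade; the INTERVAL in the policy entry covers the periodic runs. If the check raises CSFH0003E, the coprocessor still holds retained RSA private keys whose only copy is on the card, so consult the ICSF System Programmer's Guide referenced below before any hardware or release change rather than leaving the exception unresolved.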
Parameters accepted:
No
Verbose support:
No
Debug support:
No
Reference:
For more information see z/OS Cryptographic Services ICSF System Programmer's Guide.
Messages:
This check issues the following exception messages:
  • CSFH0003E
See z/OS Cryptographic Services ICSF Messages.
SECLABEL recommended for multilevel security users:
SYSLOW - see z/OS Planning for Multilevel Security and the Common Criteria for information on using SECLABELs.

Copyright IBM Corporation 1990, 2014