|
- Description:
- Detects any TKDS object that is too large to allow the TKDS to
be read into storage during ICSF initialization starting with ICSF
FMID HCR77A1.
This check is inactive by default – in order to
use this check you must activate it. You should run this check on
your system before installing the HCR77A1 release of ICSF.
- Reason for check:
- In ICSF FMID HCR77A1, ICSF introduces new common KDS record format
for CCA key tokens and PKCS #11 tokens and objects. This new format
of the record adds new fields for key utilization and metadata. Because
of the size of the new fields, some PKCS #11 objects in the TKDS may
cause ICSF to fail to start. This check will detect any TKDS object
that is too large to allow the TKDS to be loaded when ICSF is started.
- z/OS® releases the check
applies to:
- ICSF FMID HCR7770 or later running on z/OS V1R9, z/OS V1R10,
z/OS V1R11, z/OS V1R12, z/OS V1R13
or z/OS V2R1 with PTFs for
APAR OA42011 applied.
- Type of check (local or remote):
- Local
- User override of IBM® values:
- The following shows keywords you can use to override check values
on either a POLICY statement in the HZSPRMxx parmlib member or on
a MODIFY command. This statement may be copied and modified to override
the check defaults:
UPDATE
CHECK(IBMICSF, ICSFMIG77A1_TKDS_OBJECT)
INACTIVE
SEVERITY(LOW) INTERVAL(ONETIME) DATE('date_of_the_change')
REASON('Your reason for making the update.'))
- Parameters accepted:
- No.
- Verbose support:
- No
- Debug support:
- No
- Reference:
- For more information see z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.
- Messages:
- This check issues the following exception messages:
See in z/OS Cryptographic Services ICSF Messages.
- SECLABEL recommended for multilevel security users:
- SYSLOW - see z/OS Planning for Multilevel Security and the Common Criteria for
information on using SECLABELs.
|