IP Services: Ensure ICSF is active before starting the Policy Agent when AT-TLS groups are configured in FIPS 140 mode

Description: As of z/OS V2R1, FIPS140 support now requires ICSF services. Ensure ICSF is started before starting AT-TLS groups with FIPS140 support enabled. ICSF services will be used for random number generation and for Diffie Hellman support for generating key parameters, key pairs and key exchanges.

Element or feature:

Communications Server

When change was introduced:

z/OS V2R1

Applies to migration from:

z/OS V1R13 and z/OS V1R12.

Timing:

Before the first IPL of z/OS V2R1.

Is the migration action required?

Yes, if AT-TLS groups are configured in FIPS 140 mode.

Target system hardware requirements:

None.

Target system software requirements:

None.

Other system (coexistence or fallback) requirements:

None.

Restrictions:

None.

System impacts:

The AT-TLS group will be installed but inactive.

Related IBM Health Checker for z/OS check:

None.

Steps to take: Follow these steps:

Ensure ICSF is active before starting AT-TLS groups configured to support FIPS140-2
If the CSFSERV class is defined, give READ access to the userid associated with the TCPIP stack and any application userid using the TTLSGroup to the CSFRNG resource within the RACF CSFSERV class.
If the CSFSERV class is defined and Diffie Hellman is being used, give READ access to the application userid to the CSF1TRC, CSF1DVK, CSF1GKP, CSF1GSK, CSF1GAV, and CSF1TRD resources within the RACF CSFSERV class.

Reference information: See "FIPS 140-2 support" in z/OS V2R1.0 Communications Server: IP Configuration Guide.