z/OS Cryptographic Services PKI Services Guide and Reference
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


IKYP034E

z/OS Cryptographic Services PKI Services Guide and Reference
SA23-2286-00

IKYP034E
ICSF UNAVAILABLE. SCEP PROCESSING SUSPENDED

Explanation

PKI Services is attempting to decrypt a Simple Certificate Enrollment Protocol (SCEP) request received from a SCEP client or to sign its response. ICSF manages the private key required for SCEP decryption and signing but ICSF is unavailable for any of the following possible reasons:
  • ICSF is inactive or incorrectly configured.
  • The user ID of the PKI Services daemon has insufficient authority to use the ICSF private key.
  • A system administrator inadvertently deleted the certificate and its ICSF private key.

System action

PKI Services rejects the SCEP request.

System programmer response

Ensure that ICSF and the PCI cryptographic coprocessor (if applicable) are properly configured and operational. Follow the documentation pertaining to any issued messages having the CSF prefix. If you make changes to ICSF to correct the problem, stop and restart PKI Services.

If ICH408I messages are issued for insufficient authority to CSFKEYS or CSFSERV class resources, then the user ID of the PKI Services daemon has insufficient authority to use the private key. Give the user ID the required access to the specified resource.

To determine if your key still exists or requires the PCI cryptographic coprocessor, see RACF administration for PKI Services. To determine if your SCEP configuration requires a CA certificate or a CA/RA combination, see Installing and configuring ICSF (optional).

Routing code

2

Descriptor code

6

Parent topic: Messages

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014