Installing and configuring ICSF (optional)
You can install and configure ICSF when you first set up PKI Services, or at a later time.
Using ICSF is suggested, but it is not required for most PKI Services
functions. However, ICSF is required for the following functions:
- RACF® can use ICSF's public key data set (PKDS) to securely store the PKI Services CA signing key if directed to do so. For this to be successful, the ICSF programmer must install and configure ICSF for Public Key Algorithms (PKA), and ICSF must be running. (The RACF administrator uses the IKYSETUP REXX exec to set up any RACF profiles that are needed to control access to ICSF services and keys. For more information, see Running IKYSETUP to perform RACF administration.)
- PKI Services uses ICSF's PKCS #11 token data set (TKDS) to store key pairs that PKI Services generates for non-CMP (certificate management protocol) certificate requests. If ICSF is not running and the TKDS is not set up, PKI Services cannot generate key pairs.
- PKI Services uses ICSF's PKCS #11 support to handle certificate requests that involve elliptic curve cryptography (ECC) keys. If ICSF is not running, PKI Services cannot process a certificate request that has an ECC public key, or for which the signing key is an ECC private key. (The TKDS is not required for these functions.)
- The PKI Services certificate management protocol (CMP) CGI uses ICSF's PKCS #11 support to generate key pairs. If ICSF is not running, the CMP CGI cannot generate key pairs. (The TKDS is not required, because the CMP CGI does not store keys.)
Note: You do not have to choose whether to install ICSF and perform the installation
and configuration at this point. You can do so later in the process.
Before you begin
- You need ICSF programming skills to complete this procedure.
- You might need to refer to the following documents:
  - z/OS Cryptographic Services ICSF Administrator's Guide
    This document provides information about managing cryptographic keys, setting up and maintaining the PKDS, controlling who can use cryptographic keys and services, and general information about ICSF and cryptographic keys.
  - z/OS Cryptographic Services ICSF Writing PKCS #11 Applications
    This document describes the ICSF support for PKCS #11, and provides information about setting up the TKDS.
Procedure
If ICSF is not already installed and configured for PKA, install and configure it by following the instructions in z/OS Cryptographic Services ICSF Administrator's Guide. If you want PKI Services to generate key pairs for certificate requests, also set up the TKDS by following the instructions in z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.