z/OS Cryptographic Services ICSF Messages


CSFMnnnn Messages (ICSF Address Space)

SA22-7523-16

CSFMnnnn Messages (ICSF Address Space) describes messages that the Integrated Cryptographic Service Facility mainline task issues. Most of these messages are issued to the operator console or the security console (routing codes 1 and 9). Some are sent to the ICSF job log.

CSFM001I
ICSF INITIALIZATION COMPLETE
Explanation:

This is the normal message that is expected in response to a START CSF operator command. However, if ICSF services are not supported because the master key has not been validated yet, message CSFM400I may follow.

System action:

Processing continues.

Operator response:

None.

System programmer response:

If ICSF services are not available, check to see if the master key has been validated.

CSFM002E
ICSF STOP REQUEST OVERRIDDEN BY INSTALLATION EXIT exit-name.
Explanation:

If installation exit CSFEXIT4 denies or overrides the STOP request, ICSF issues this message in response to an operator requested STOP (P CSF) command. The exit returned a return code of 4. For more information about CSFEXIT4, see the z/OS Cryptographic Services ICSF System Programmer’s Guide.

The exit-name is the name of the routine.

System action:

Processing continues.

Operator response:

If appropriate, contact your system programmer.

System programmer response:

Determine if the CSFEXIT4 installation exit is working properly.

CSFM003A
ICSF TERMINATING. MUST BE RUN AS A STARTED TASK.
Explanation:

ICSF must be started with a START CSF operator command. If ICSF is not a started task (for example, a batch job), this message is issued.

System action:

ICSF ends.

Operator response:

If appropriate, issue the START CSF command.

System programmer response:

Determine why ICSF was not started as a started task.

CSFM004A
ICSF TERMINATING. ICSF ALREADY ACTIVE.
Explanation:

This message is issued if you try to start ICSF and one of these is true:

  • You specified COMPAT(YES) mode, and PCF or CUSP is currently active.
  • ICSF is currently active.
System action:

If PCF or CUSP is active, ICSF ends. If ICSF is already active, the new call to ICSF ends, and ICSF remains active.

Operator response:

If appropriate, contact your system programmer.

System programmer response:

If PCF or CUSP is already active, you can start ICSF with either COMPAT(NO) or COMPAT(COEXIST) mode.

CSFM005A
ICSF TERMINATING. PREREQUISITE SOFTWARE IS NOT INSTALLED.
Explanation:

This message is no longer issued.

System action:

None.

Operator response:

None.

System programmer response:

None.

CSFM006A
ICSF TERMINATING DUE TO INSTALLATION EXIT exit-name.
Explanation:

ICSF issues this message when an installation exit issues a request to stop ICSF. The exit-name indicates the name of the exit. CSFEXIT1, CSFEXIT2, CSFEXIT3, and CSFEXIT5 are the possible exits that can issue a request to stop ICSF. For more information about these exits, see the z/OS Cryptographic Services ICSF System Programmer’s Guide.

System action:

ICSF ends.

Operator response:

If necessary, contact your system programmer.

System programmer response:

None.

CSFM008I
AN ABEND OCCURRED IN THE ICSF MAINLINE. PSW = psw, abend code = abend-code, reason = rsncode.
Explanation:

This message is no longer issued.

System action:

None.

System programmer response:

None.

CSFM009I
NO ACCESS CONTROL AVAILABLE FOR ICSF SERVICES OR KEYS
Explanation:

ICSF issues this message if it is unable to perform RACROUTE REQUEST=LIST for the classes CSFSERV and/or CSFKEYS during initialization.

System action:

Processing continues.

Operator response:

Inform system programmer.

Programmer response:

If the installation is using security exits instead of RACF for ICSF security, ensure that the ICSF OPTIONS data set contains EXIT statements that name those exits.

System programmer response:

If the installation is using RACF for ICSF security, ensure that the correct level of RACF is installed. Also check RACF to see that ICSF is set up (that the CSFSERV and CSFKEYS classes have been defined for ICSF).

CSFM010E
ICSF TERMINATING. PROCESSOR IS UNSUPPORTED.
Explanation:

This message is no longer issued.

System action:

None.

Operator response:

None.

System programmer response:

None.

CSFM011I
FASTAUTH IS NOT SUPPORTED BY THE INSTALLED SECURITY PRODUCT.
Explanation:

ICSF issues this message to notify users when it will not be issuing RACROUTE REQUEST=FASTAUTH requests due to the installed security product not supporting those requests.

System action:

ICSF will continue processing. No checking will be performed before accessing ICSF services or the CKDS and PKDS.

Operator response:

Notify your security administrator.

System programmer response:

Contact your installed security product provider to see if an upgrade is available which supports RACROUTE REQUEST=FASTAUTH.

CSFM012I
NO ACCESS CONTROL AVAILABLE FOR CRYPTOZ RESOURCES. ICSF PKCS11 SERVICES DISABLED.
Explanation:

ICSF issues this message if it is unable to perform RACROUTE REQUEST=LIST for the class CRYPTOZ during initialization. It is issued only if CRYPTOZ processing is required based on the ICSF options specified:

  • TKDSN(tkds-data-set-name) or
  • FIPSMODE(COMPAT,FAIL(fail-option))
System action:

Processing continues. However, ICSF PKCS11 service functions that require CRYPTOZ processing are disabled.

  • Persistent (TKDS) PKCS11 objects are not available
  • FIPS compatibility mode reverts to FIPS standard mode.
Operator response:

Inform your system programmer.

Programmer response:

If the installation is using security exits instead of RACF for ICSF security, ensure that the ICSF OPTIONS data set contains EXIT statements that name those exits.

System programmer response:

If the installation is using RACF for ICSF security, ensure that the correct level of RACF is installed. Check RACF to ensure that the CRYPTOZ class has been activated and RACLISTed.

CSFM013I
ICSF CANNOT START. THERE NEEDS TO BE A PPT ENTRY FOR CSFINIT.
Explanation:

ICSF requires a PPT entry for CSFINIT in order to start.

System action:

ICSF initialization terminates.

System programmer response:

Ensure that the proper PPT registration for CSFINIT is installed, and that the library containing the CSFINIT CSECT is APF authorized.

CSFM014I
FIPS 140 KNOWN ANSWER TEST FOR PKCS11 SERVICES FAILED.
Explanation:

The ICSF installation option FIPSMODE(YES,FAIL(NO)) or FIPSMODE(COMPAT,FAIL(NO)) has been specified, indicating that the z/OS PKCS #11 services must operate in compliance with FIPS 140-2. As a part of this compliance, the ICSF z/OS PKCS #11 software services must perform a series of known answer cryptographic algorithm tests. This message indicates that at least one of the tests did not complete successfully.

System action:

ICSF initialization continues, but FIPSMODE mode is disabled.

System programmer response:

Contact the IBM Support Center.

CSFM015I
FIPS 140 SELF CHECKS FOR PKCS11 SERVICES SUCCESSFUL.
Explanation:

The ICSF installation option FIPSMODE(YES,FAIL(fail-option)) or FIPSMODE(COMPAT,FAIL(fail-option)) has been specified, indicating that the z/OS PKCS #11 services must operate in compliance with FIPS 140-2. As a part of this compliance, the ICSF z/OS PKCS #11 software services must perform a series of self tests. This message indicates that all the tests have completed successfully.

System action:

ICSF initialization continues.

System programmer response:

This is an information message only. No response is required.

CSFM016I
FIPS 140 NOT SUPPORTED.
Explanation:

The ICSF installation option FIPSMODE(YES,FAIL(NO)) or FIPSMODE(COMPAT,FAIL(NO)) has been specified, indicating that the z/OS PKCS #11 services must operate in compliance with FIPS 140-2. However, either the current IBM System z model type or the version/release of z/OS that is running on it does not support FIPS. The supported model types are: z890/z990 and newer. The supported z/OS versions/releases are V1R10 and higher.

System action:

ICSF initialization continues, but FIPSMODE mode is disabled.

System programmer response:

None

CSFM020I
AN ABEND OCCURRED IN CSFMLFDT. PSW psw COMPLETION CODE abend-code, REASON = rsncode.
Explanation:

This message is no longer issued.

System action:

None.

System programmer response:

None.

CSFM021I
CSFMLFDT WAS UNABLE TO ESTABLISH RECOVERY. RETURN CODE return-code FROM THE ESTAE MACRO.
Explanation:

This message is no longer issued.

System action:

None

System programmer response:

None.

CSFM022E
ICSF TERMINATING. THE USE OF CSFINIT REQUIRED IN THE STARTED TASK PROCEDURE.
Explanation:

An attempt was made to start ICSF using PGM=CSFMMAIN in the started procedure. As of HCR7770, the use of PGM=CSFINIT is required for ICSF to start.

System action:

ICSF initialization terminates.

System programmer response:

Change the started procedure to use PGM=CSFINIT.

CSFM050I
ENHANCED SYMMETRIC KEY WRAPPING IS NOT SUPPORTED.
Explanation:

The options data set keyword DEFAULTWRAP was specified with ENHANCED wrapping for symmetric keys. There are no coprocessors online that support the enhanced wrapping. All symmetric keys will be wrapped with the original wrapping until a coprocessor that supports enhanced wrapping comes online.

System action:

Processing continues.

System programmer response:

Check that the correct coprocessors are available on this system.

CSFM051E
UNABLE TO SET DEFAULT WRAPPING CONFIGURATION ON COPROCESSOR cii
Explanation:

ICSF attempted to set the default wrapping configuration on a cryptographic coprocessor, but was unable to do so due to an error in the coprocessor code. To ensure symmetric keys are properly wrapped, this coprocessor will not be available for active work. The substitution variables are:

  • c - the short name for the coprocessor type. For example, G (representing a CEX3C).
  • ii - the index or position where the cryptographic feature is installed.
System action:

Processing continues.

Operator response:

Consider restarting ICSF. If the problem persists, contact the system programmer.

System programmer response:

If a coprocessor persistently fails to set the default wrapping configuration, contact IBM.

CSFM100E
CRYPTOGRAPHIC KEY DATA SET, dsname IS NOT INITIALIZED.
Explanation:

ICSF detected a master key authentication pattern that was not valid on the cryptographic key data set (CKDS). Either the CKDS was not initialized or the CKDS is not valid for this system.

It is normal to see this message the first time ICSF starts, as the CKDS has yet to be initialized.

System action:

If the CKDS was not initialized, processing continues but cryptographic services are not enabled.

Operator response:

Contact your system programmer.

System programmer response:

If the CKDS was not initialized, initialize the CKDS through the ICSF panels. You may need to load the master key into the new master key register.

If the CKDS is unusable for the system, update the installation options data set with the correct CKDS and restart ICSF.

CSFM101E
PKA KEY DATA SET, dsname IS NOT INITIALIZED.
Explanation:

ICSF detected a master key hash pattern that was not valid on the PKA data set (PKDS). Either the PKDS was not initialized or the PKDS may not be valid for this system. It is normal to see this message the first time ICSF starts.

System action:

The system continues processing but the PKA callable services are not enabled.

Operator response:

None

System programmer response:

The system administrator should enter the correct PKA master key and initialize the PKDS.

CSFM105E
CRYPTOGRAPHY - DOMAIN ‘domain’ IS NOT ACCESSIBLE.
Explanation:

The value of the DOMAIN parameter in the installation options file has specified a cryptographic domain that this operating system cannot access. Either the number was incorrect, or the PR/SM definition tables do not allow access.

For more information about the number of domains that your processor supports, see either the S/390 PR/SM Planning Guide or the IBM ES/9000 and ES/3090 Processor Complex PR/SM Planning Guide.

System action:

ICSF ends.

Operator response:

Contact your system programmer.

System programmer response:

Ensure that the specified DOMAIN is valid for your processor. If you are running in logically partitioned (LPAR) mode, ensure that the DOMAIN has been assigned to your LPAR mode. If neither of these conditions resolves the problem, contact the IBM Support Center.

CSFM106A
CRYPTOGRAPHY - PKA MASTER KEYS ARE NOT VALID.
Explanation:

One or both of the PKA master keys are not valid. This occurs if a PKA master key is not installed in all cryptographic units, or if the PKA master keys on all the cryptographic units are not the same. It is normal to see this message the first time ICSF starts.

System action:

Processing continues, but PKA callable services are not enabled.

Operator response:

Notify your security administrator to install the PKA master keys.

System programmer response:

None.

CSFM107E
CRYPTOGRAPHY - CRYPTO UNITS CONFIGURED DIFFERENTLY.
Explanation:

The Cryptographic Configuration Control (CCC) installed on the cryptographic units is not the same. The Processor Controller installs the CCC from the Cryptographic Configuration diskette.

System action:

ICSF abends.

Operator response:

Notify your system programmer.

System programmer response:

Verify that the correct Cryptographic Configuration diskettes were used to initialize the cryptographic units and that the Processor Controller initialization completed successfully. If the diskettes are incorrect, contact IBM.

CSFM108I
CRYPTOGRAPHIC FEATURE IS BUSY. coprocessor-name cii, SERIAL NUMBER nnnnnnn.
Explanation:

A cryptographic feature is busy performing maintenance functions. This state may occur when the cryptographic feature is first brought online and is going through power-on reset. The cryptographic feature may also be in this state when new licensed internal code is being loaded or when the unit is going through recovery processing. When the type of coprocessor could not be determined, a coprocessor-name of UNKNOWN is used. The substitution variables are:

  • coprocessor-name - the cryptographic feature name and how it is configured. Possible values are:
    • CRYPTO EXPRESS2 COPROCESSOR
    • CRYPTO EXPRESS2 ACCELERATOR
    • CRYPTO EXPRESS3 COPROCESSOR
    • CRYPTO EXPRESS3 ACCELERATOR
    • UNKNOWN
  • c - the short name for the coprocessor type. Possible values are:
    • E (representing a CEX2C)
    • F (representing a CEX2A)
    • G (representing a CEX3C)
    • H (representing a CEX3A)
    • U (representing an unknown coprocessor)
  • ii - the index or position where the cryptographic feature is installed.
  • nnnnnnn or N/A - the serial number for the cryptographic feature, or N/A when the feature is configured as an accelerator or is unknown.
System action:

The system will retry the cryptographic feature until it is no longer busy.

Operator response:

None

System programmer response:

None

CSFM109I
CRYPTOGRAPHIC FEATURE IS OFFLINE. coprocessor-name cii, SERIAL NUMBER nnnnnnn.
Explanation:

A cryptographic feature is offline and cannot be used for any operation. The substitution variables are:

  • coprocessor-name - the cryptographic feature name and how it is configured. Possible values are:
    • CRYPTO EXPRESS2 COPROCESSOR
    • CRYPTO EXPRESS2 ACCELERATOR
    • CRYPTO EXPRESS3 COPROCESSOR
    • CRYPTO EXPRESS3 ACCELERATOR
  • c - the short name for the coprocessor type. Possible values are:
    • E (representing a CEX2C)
    • F (representing a CEX2A)
    • G (representing a CEX3C)
    • H (representing a CEX3A)
  • ii - the index or position where the cryptographic feature is installed.
  • nnnnnnn or N/A - the serial number for the cryptographic feature, or N/A when the feature is configured as an accelerator.
System action:

The system will not use the cryptographic feature for cryptographic operations.

Operator response:

None

System programmer response:

Have the cryptographic feature brought online.

CSFM110I
CRYPTOGRAPHIC FEATURE FAILED. coprocessor-name cii, SERIAL NUMBER nnnnnnn.
Explanation:

The cryptographic feature failed. When the type of coprocessor could not be determined, a coprocessor-name of UNKNOWN is used. The substitution variables are:

  • coprocessor-name - the cryptographic feature name and how it is configured. Possible values are:
    • CRYPTO EXPRESS2 COPROCESSOR
    • CRYPTO EXPRESS2 ACCELERATOR
    • CRYPTO EXPRESS3 COPROCESSOR
    • CRYPTO EXPRESS3 ACCELERATOR
    • UNKNOWN
  • c - the short name for the coprocessor type. Possible values are:
    • E (representing a CEX2C)
    • F (representing a CEX2A)
    • G (representing a CEX3C)
    • H (representing a CEX3A)
    • U (representing an unknown coprocessor)
  • ii - the index or position where the cryptographic feature is installed.
  • nnnnnnn or N/A - the serial number for the cryptographic feature, or N/A when the feature is configured as an accelerator or is unknown.
System action:

The system will not use the cryptographic feature for cryptographic operations.

Operator response:

None

System programmer response:

Have the cryptographic feature removed or replaced by your IBM customer engineer.

CSFM111I
CRYPTOGRAPHIC FEATURE IS ACTIVE. coprocessor-name cii, SERIAL NUMBER nnnnnnn.
Explanation:

The cryptographic feature is online and operational. When the cryptographic feature is a coprocessor, the ACTIVE message indicates that one or more master keys are active and ICSF services may be used. The substitution variables are:

  • coprocessor-name - the cryptographic feature name and how it is configured. Possible values are:
    • CRYPTO EXPRESS2 COPROCESSOR
    • CRYPTO EXPRESS2 ACCELERATOR
    • CRYPTO EXPRESS3 COPROCESSOR
    • CRYPTO EXPRESS3 ACCELERATOR
  • c - the short name for the coprocessor type. Possible values are:
    • E (representing a CEX2C)
    • F (representing a CEX2A)
    • G (representing a CEX3C)
    • H (representing a CEX3A)
  • ii - the index or position where the cryptographic feature is installed.
  • nnnnnnn or N/A - the serial number for the cryptographic feature, or N/A when the feature is configured as an accelerator.
System action:

The system will use the cryptographic feature for cryptographic operations.

Operator response:

None

System programmer response:

None

CSFM113E
CRYPTOGRAPHY - cryptographic_module_id MODULE NOT INITIALIZED.
Explanation:

The cryptographic module that the message identifies has not been initialized.

System action:

If neither cryptographic module has been initialized, then ICSF ends; no cryptographic function is possible. If either cryptographic module has been successfully initialized, ICSF continues initialization processing.

Operator response:

Notify your system programmer.

System programmer response:

The Service Processor needs to initialize the cryptographic module from a diskette. Use the cryptographic module identifier in the message to identify the correct diskette to use. Then restart ICSF.

CSFM114E
CRYPTOGRAPHY - ALL ASYNCHRONOUS COPROCESSORS NOT AVAILABLE.
Explanation:

The processing that is required to pass work to the asynchronous coprocessor is not available.

System action:

Processing continues, but services that are using the asynchronous coprocessor will not function.

Operator response:

Notify your system programmer.

System programmer response:

Check that the proper domain is specified in the Installation Options Data Set. The domain must agree with the PR/SM usage domain specification. If you cannot resolve the problem, contact the IBM Support Center.

CSFM115E
CRYPTOGRAPHY - cryptographic_module_id RANDOM NUMBER GENERATOR NOT INITIALIZED.
Explanation:

The random number generator of the cryptographic module that the message identifies has not been initialized.

System action:

This is most likely a hardware error. If the random number generator has not been initialized on either cryptographic module, ICSF ends; no cryptographic function is possible. If the random number generator on either cryptographic module has been successfully initialized, ICSF continues the initialization processing.

Operator response:

Notify your system programmer.

System programmer response:

Contact the IBM Support Center.

CSFM116I
BOTH MASTER KEYS CORRECT ON PCI CRYPTOGRAPHIC COPROCESSOR Ppp, SERIAL NUMBER nn-nnnn.
Explanation:

The PCI cryptographic coprocessor with serial number nn-nnnn is online and operational. It is installed at position pp.

System action:

The system will use the PCI cryptographic coprocessor for cryptographic operations.

CSFM117I
PCI CRYPTOGRAPHIC COPROCESSOR Ppp, SERIAL NUMBER nn-nnnn, OFFLINE.
Explanation:

The PCI cryptographic coprocessor with serial number nn-nnnn is offline and cannot be used for any operation. It is installed at position pp.

System action:

The system will not use the PCI cryptographic coprocessor for cryptographic operations.

System programmer response:

Have the PCI cryptographic coprocessor brought online.

CSFM118E
PCI CRYPTOGRAPHIC COPROCESSOR Ppp, SERIAL NUMBER nn-nnnn, FAILED.
Explanation:

The PCI cryptographic coprocessor with serial number nn-nnnn, installed at position pp, has failed and cannot be used for any operation.

System action:

The system will not use the PCI cryptographic coprocessor for cryptographic operations.

System programmer response:

Have the PCI cryptographic coprocessor removed or replaced by your IBM Customer Engineer.

CSFM119E
INCORRECT MASTER KEY (mk) ON PCI CRYPTOGRAPHIC COPROCESSOR Ppp, SERIAL NUMBER nnnnnnn.
Explanation:

The PCI cryptographic coprocessor with serial number nnnnnnn, installed at position pp, has an incorrect master key. Specifically, the master key verification pattern (MKVP) in the CKDS/PKDS does not match the MKVP of the master key. The variable mk will specify either SYM-MK or ASYM-MK or BOTH. This message may be issued at initialization or when a new PCI cryptographic coprocessor unit comes online.

System action:

The system will not use the PCI cryptographic coprocessor for cryptographic operations until the security administrator changes its master key.

System programmer response:

Have the system administrator enter the correct master key.

CSFM120E
PUBLIC KEY SECURE CABLE (PKSC) FACILITY IS NOT ENABLED.
Explanation:

There are several functions that must be enabled on the PR/SM definition. They are "Enable cryptographic functions" and "Enable public key secure cable (PKSC) and integrated cryptographic service facility (ICSF)". These boxes must be checked on the Crypto page of Customize/Delete Activation Profiles. These options are selected on the Support Element panels.

See the PR/SM Planning Guide.

System action:

ICSF ends.

Operator response:

Contact your system programmer.

System programmer response:

Update the PR/SM panels and restart ICSF.

CSFM121E
CRYPTO MODULES HAVE NOT BEEN INITIALIZED.
Explanation:

The Cryptographic Configuration Control (CCC) has not been installed on the cryptographic units. The Processor Controller installs the CCC from the Cryptographic Configuration diskettes.

System action:

ICSF terminates.

Operator response:

Notify your system programmer.

System programmer response:

Ensure the Processor Controller installation of the CCC is successful.

CSFM122I
PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION.
Explanation:

This message is issued during ICSF initialization and indicates that the PKA callable services control was not enabled. There are multiple reasons why ICSF would not have enabled the PKA services control. Not having the signature/asymmetric/RSA Master Key set on the cryptographic coprocessor or having a signature/asymmetric/RSA Master Key on the cryptographic coprocessor which does not match the signature/asymmetric/RSA Master Key verification pattern in the PKDS header record are possibilities. Once the PKA callable services control is enabled, this message is no longer highlighted and the message is allowed to scroll.

Note:
This message will not be issued when your system has any CEX3C coprocessors (with the Sep. 2011 or later LIC) online. The availability of RSA callable services will depend on the status of the RSA master key. The PKA callable services control will not be active. CSFM130I is issued when the RSA master key is active and RSA callable services are available.
System action:

ICSF initialization continues.

Operator response:

None.

System programmer response:

Verify a valid signature/asymmetric/RSA Master Key is set on the cryptographic coprocessor. Verify the active PKDS is initialized and contains a matching signature/asymmetric/RSA Master Key verification/hash pattern. Manually enable the PKA callable services control from the ICSF Utilities panel.

CSFM123E
MASTER KEY mk ON coprocessor-name cii, SERIAL NUMBER nnnnnnn, IN ERROR.
Explanation:

The cryptographic coprocessor has an incorrect master key. Specifically, the master key verification pattern (MKVP) in the CKDS/PKDS does not match the MKVP of the master key. The substitution variables are:

  • mk - master key. It identifies the master key that is in error. May have the value AES, DES, RSA, or ECC.
  • coprocessor-name - the type of cryptographic coprocessor. May have the value:
    • CRYPTO EXPRESS2 COPROCESSOR
    • CRYPTO EXPRESS3 COPROCESSOR
  • c - the short name for the coprocessor type. May have the value:
    • E (representing a CEX2C)
    • G (representing a CEX3C)
  • ii - the index or position where the cryptographic coprocessor is installed.
  • nnnnnnn - the serial number for the cryptographic coprocessor.

This message is issued once for the first master key that is determined to be in error.

System action:

When a master key is incorrect, then the cryptographic coprocessor may not be used for operations with the master key until the system administrator has changed the master key.

Operator response:

None.

System programmer response:

Have the system administrator enter the correct master key.

CSFM124I
MASTER KEY mk ON coprocessor-name cii, SERIAL NUMBER nnnnnnn, NOT INITIALIZED.
Explanation:

The cryptographic coprocessor does not have the master key. The substitution variables are:

  • mk - master key. It identifies the master key that is in error. May have the value AES, DES, RSA, or ECC.
  • coprocessor-name - the type of cryptographic coprocessor. May have the value:
    • CRYPTO EXPRESS2 COPROCESSOR
    • CRYPTO EXPRESS3 COPROCESSOR
  • c - the short name for the coprocessor type. May have the value:
    • E (representing a CEX2C)
    • G (representing a CEX3C)
  • ii - the index or position where the cryptographic coprocessor is installed.
  • nnnnnnn - the serial number for the cryptographic coprocessor.

This message is issued once for the first master key that is determined not to be initialized.

System action:

When a master key is not set, then the cryptographic coprocessor may not be used for operations with the master key until the system administrator has provided the master key. This may be a normal situation for your installation.

Operator response:

None.

System programmer response:

Have the system administrator enter the correct master key if appropriate.

CSFM125I
CRYPTOGRAPHY - LIMITED CPU-BASED SERVICES ARE AVAILABLE.
Explanation:

This is an informational message. ICSF is up and remains started. Only SHA-1 and SHA-2 services are available. The DES CPACF feature code is not enabled.

System action:

Processing continues.

Operator response:

None.

System programmer response:

None.

CSFM126I
CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
Explanation:

This is an informational message. ICSF is up and remains started. This message indicates that the DES CPACF feature code is enabled. This allows clear key services to run in the CPACF. This support is available on z890, z990, z9 BC, z9 EC, z10 EC, z10 BC, and z196.

System action:

Processing continues.

Operator response:

None.

System programmer response:

None.

CSFM127I
CRYPTOGRAPHY - AES SERVICES ARE AVAILABLE.
Explanation:

This is an informational message and will only be issued if the AES master key is active. ICSF is up and remains started. Secure AES key services are available if you are on a z9 BC, z9 EC, z10 EC, z10 BC, or z196.

System action:

Processing continues.

Operator response:

None.

System programmer response:

None.

CSFM128E
CRYPTOGRAPHIC KEY DATA SET, dsname, CANNOT BE USED ON THIS SYSTEM.
Explanation:

The cryptographic key data set (CKDS) cannot be used on this system. There are several reasons for this occurring.

  • Some of the keys required by this system are missing from the CKDS. This can occur when a CKDS is initialized on a system that requires fewer system keys. For a z900 system, the CKDS must be initialized on a z900.
  • The CKDS was initialized on a system without cryptographic coprocessors, but the current system has cryptographic coprocessors.
  • The CKDS is a variable-length record format CKDS and cannot be used on z900 systems.
System action:

ICSF terminates.

Operator response:

Contact your system programmer.

System programmer response:

Update the ICSF installation options data set with the correct CKDS and restart ICSF.

CSFM129I
MASTER KEY mk ON coprocessor-name cii, SERIAL NUMBER nnnnnnn, IS CORRECT.
Explanation:

The cryptographic coprocessor has a correct master key. The substitution variables are:

  • mk - master key. It identifies the master key that is in error. May have the value AES, DES, RSA, or ECC.
  • coprocessor-name - the type of cryptographic coprocessor. May have the value:
    • CRYPTO EXPRESS2 COPROCESSOR
    • CRYPTO EXPRESS3 COPROCESSOR
  • c - the short name for the coprocessor type. May have the value:
    • E (representing a CEX2C)
    • G (representing a CEX3C)
  • ii - the index or position where the cryptographic coprocessor is installed.
  • nnnnnnn - the serial number for the cryptographic coprocessor.
System action:

The system will use the cryptographic coprocessor for the cryptographic operations that it supports.

Operator response:

None.

System programmer response:

None.
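
The feature-state messages (CSFM108I to CSFM111I) and master-key messages (CSFM123E, CSFM124I, CSFM129I) share the cii and SERIAL NUMBER fields described above, so a log scan can fold them into one state per coprocessor. The following is an added example, not IBM code: the function names are hypothetical, the sample lines are constructed from the message templates, and a two-digit index ii is assumed.

```python
import re

# Short name for the coprocessor type (the "c" in cii), as listed in the message descriptions.
TYPE_BY_LETTER = {"E": "CEX2C", "F": "CEX2A", "G": "CEX3C", "H": "CEX3A", "U": "UNKNOWN"}

# State text each message ID is expected to carry; a mismatch means the line is malformed.
FEATURE_STATE = {"CSFM108I": "BUSY", "CSFM109I": "OFFLINE",
                 "CSFM110I": "FAILED", "CSFM111I": "ACTIVE"}
MK_STATE = {"CSFM123E": "IN ERROR", "CSFM124I": "NOT INITIALIZED", "CSFM129I": "IS CORRECT"}

# Assumption: ii is two digits and the line layout follows the templates exactly.
FEATURE_RE = re.compile(
    r"(?P<id>CSFM1(?:08|09|10|11)I) CRYPTOGRAPHIC FEATURE (?:IS )?"
    r"(?P<state>BUSY|OFFLINE|FAILED|ACTIVE)\. "
    r"(?P<name>.+?) (?P<c>[EFGHU])(?P<ii>\d{2}), SERIAL NUMBER (?P<serial>N/A|\w+)"
)
MK_RE = re.compile(
    r"(?P<id>CSFM(?:123E|124I|129I)) MASTER KEY (?P<mk>AES|DES|RSA|ECC) ON "
    r"(?P<name>.+?) (?P<c>[EG])(?P<ii>\d{2}), SERIAL NUMBER (?P<serial>\w+), "
    r"(?P<state>IN ERROR|NOT INITIALIZED|IS CORRECT)"
)


def parse_line(line):
    """Return a dict for a recognised coprocessor message, or None."""
    for kind, regex, expected in (("feature", FEATURE_RE, FEATURE_STATE),
                                  ("mk", MK_RE, MK_STATE)):
        m = regex.search(line)
        # Reject lines whose message ID and state text disagree.
        if m and expected[m["id"]] == m["state"]:
            event = {"kind": kind, "id": m["id"], "state": m["state"],
                     "type": TYPE_BY_LETTER[m["c"]], "index": m["ii"],
                     "serial": m["serial"]}
            if kind == "mk":
                event["mk"] = m["mk"]
            return event
    return None


def summarize(lines):
    """Fold a log into the latest state per coprocessor and per master key."""
    features, master_keys = {}, {}
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        unit = f'{event["type"]}@{event["index"]}'
        if event["kind"] == "feature":
            features[unit] = event["state"]
        else:
            master_keys[(unit, event["mk"])] = event["state"]
    return features, master_keys


def needs_attention(lines):
    """List the states for which the descriptions ask the system programmer to act."""
    features, master_keys = summarize(lines)
    findings = [f"{unit}: feature {state}"
                for unit, state in sorted(features.items())
                if state in ("OFFLINE", "FAILED")]
    findings += [f"{unit}: {mk} master key {state}"
                 for (unit, mk), state in sorted(master_keys.items())
                 if state == "IN ERROR"]
    return findings


# Constructed sample lines (not captured from a real system).
SAMPLE_LOG = [
    "CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS3 COPROCESSOR G01, SERIAL NUMBER 0000001.",
    "CSFM129I MASTER KEY AES ON CRYPTO EXPRESS3 COPROCESSOR G01, SERIAL NUMBER 0000001, IS CORRECT.",
    "CSFM108I CRYPTOGRAPHIC FEATURE IS BUSY. CRYPTO EXPRESS3 ACCELERATOR H02, SERIAL NUMBER N/A.",
    "CSFM123E MASTER KEY DES ON CRYPTO EXPRESS2 COPROCESSOR E03, SERIAL NUMBER 0000002, IN ERROR.",
    "CSFM110I CRYPTOGRAPHIC FEATURE FAILED. UNKNOWN U04, SERIAL NUMBER N/A.",
    "CSFM001I ICSF INITIALIZATION COMPLETE",
    # Message ID says OFFLINE but the text says ACTIVE: rejected as malformed.
    "CSFM109I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS3 COPROCESSOR G05, SERIAL NUMBER 0000003.",
]

if __name__ == "__main__":
    for finding in needs_attention(SAMPLE_LOG):
        print(finding)
```

BUSY and NOT INITIALIZED are left out of the findings because the descriptions treat them as retried automatically or as possibly normal for the installation.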

CSFM130I
CRYPTOGRAPHY - mk SERVICES ARE AVAILABLE.
Explanation:

This is an informational message and will only be issued if the mk master key is active. The variable mk can be RSA or ECC. ICSF is up and remains started.

System action:

Processing continues.

Operator response:

None.

System programmer response:

None.

CSFM131E
CRYPTOGRAPHY - mk SERVICES ARE NOT AVAILABLE.
Explanation:

The mk master key is no longer active. Callable services that require the master key to be active will fail. This may occur because:

  • the master keys in an active coprocessor were cleared by the ICSF administrator.
  • one or more coprocessors were activated or deactivated on the ICSF Coprocessor Management panel.

The master key validation routine found the mk master key was not available on all of the active coprocessors.

The variable mk can be AES, DES, ECC or RSA.

System action:

Processing continues. The callable services that require the master key to be active will fail.

Operator response:

Contact the system programmer.

System programmer response:

Work with the ICSF administrator to determine the reason for the inactive master key. See the migration chapter in the z/OS Cryptographic Services ICSF System Programmer’s Guide. The mk master key should be loaded on all coprocessors.

CSFM200I
INSTALLATION SERVICE service-name NOT FOUND
Explanation:

This is an informational message only.

System action:

Processing continues.

System programmer response:

Determine if the name of the service that is indicated in service-name is valid. If it is wrong, correct it and restart ICSF.

CSFM201A
REQUIRED INSTALLATION SERVICE service-name NOT FOUND
Explanation:

You specified a service with option FAIL(ICSF) in the installation options data set, and ICSF could not find the service.

System action:

ICSF ends.

System programmer response:

Correct the name of the service and restart ICSF.

CSFM224I
PCI CRYPTOGRAPHIC COPROCESSOR Ppp, SERIAL NUMBER nn-nnnn, BUSY.
Explanation:

This state may occur when the PCI cryptographic coprocessor is first brought online and is going through power-on reset. The PCI cryptographic coprocessor may also be in this state when new licensed internal code is being loaded or when the unit is going through recovery processing.

System action:

The system will retry the PCI cryptographic coprocessor until it is no longer busy.

CSFM300I
CKDS KEY ‘key-name key-type’ AUTHENTICATION FAILED.
Explanation:

A message authentication code (MAC) verification for a CKDS key entry failed. If a system key (key with a label name of 64 bytes of X'00') fails authentication, the key-name field has the constant SYSTEM_KEY.

System action:

Processing continues.

System programmer response:

Investigate the key entry to determine why the MAC verification failed.

CSFM301A
FAILURE UPDATING CKT AFTER CKDS UPDATE, RC = return_code, RS = reason_code. MANUAL REFRESH OF CKDS REQUIRED, MEMBER member_name.
Explanation:

The active CKDS in use by sysplex member member_name has been successfully updated by a member of the sysplex. An attempt by sysplex member member_name to update the corresponding key token in its in-storage copy of the CKDS has failed with return code return_code and reason code reason_code. The in-storage CKDS is now out of sync with the DASD version of the CKDS. If the message specifies RC = none, RS= none, the sysplex member that initiated the CKDS I/O update left the sysplex unexpectedly and the status of the CKDS DASD I/O operation is unknown. CSFM303E will also be issued to identify the label of the record for which the in-storage CKDS update failed.

System action:

ICSF processing will continue.

Operator response:

The operator should attempt to refresh the CKDS on sysplex member member_name using the ICSF TSO panels.

System programmer response:

None.

CSFM302A
TIMED OUT WAITING FOR RESOURCE SYSZCKDS.ckdsdsn. CKDS UPDATE FAILED.
Explanation:

The CKDS I/O subtask timed out waiting for an exclusive ENQ on the SYSZCKDS.ckdsdsn resource. At least one member of the ICSF sysplex group has not relinquished its ENQ on the resource.

System action:

ICSF processing will continue. The CKDS update operation fails with return code 12, reason code 3005 (X'BBD').

Operator response:

The operator should issue D GRS,RES=nnnnn, using the resource name from the message, to determine which system(s) hold the resource. The operator should then determine if action should be taken to cause the holding system to release its ENQ on the CKDS resource.

nnnnn
The CKDS resource name.

System programmer response:

None.

CSFM303E
CKT UPDATE FAILED, LABEL label.
Explanation:

The active CKDS has been successfully updated by a member of the ICSF sysplex group. An attempt by the local system to update the key token with label label in its in-storage copy of the CKDS has failed. The in-storage CKDS is now out of sync with the DASD version of the CKDS. Refer to message CSFM301A for further information about this error.

System action:

ICSF processing will continue.

Operator response:

The operator should attempt to refresh the CKDS on sysplex member member_name using the ICSF TSO panels.

System programmer response:

None.

CSFM304A
FAILURE UPDATING TKT AFTER TKDS UPDATE, RC = return_code, RS = reason_code. IN STORAGE TKDS NO LONGER CURRENT, MEMBER member_name.
Explanation:

The active TKDS in use by sysplex member member_name has been successfully updated by a member of the sysplex. An attempt by sysplex member member_name to update the TKDS record in its in-storage copy of the TKDS has failed with return code of return_code and reason code of reason_code. The in-storage TKDS is now out of sync with the DASD version of the TKDS. If the message specifies RC = none RS= none, the sysplex member that initiated the CKDS I/O update left the sysplex unexpectedly and the status of the TKDS DASD I/O operation is unknown. Message CSFM306E will also be issued to identify the handle of the record for which the in-storage TKDS update failed.

System action:

ICSF processing will continue.

Operator response:

In order to synchronize the in-storage copy of the TKDS on sysplex member member_name, ICSF must be stopped and restarted.

System programmer response:

None.

CSFM305A
TIMED OUT WAITING FOR RESOURCE SYSZTKDS.tkdsdsn. TKDS UPDATE FAILED.
Explanation:

The TKDS I/O subtask timed out waiting for an exclusive ENQ on the SYSZTKDS.tkdsdsn resource. At least one member of the ICSF sysplex group has not relinquished its ENQ on the resource.

System action:

ICSF processing will continue. The TKDS update operation fails with return code 12, reason code 3005 (X'BBD').

Operator response:

The operator should issue D GRS,RES=(*,nnnnn) (where nnnnn is the TKDS resource name from the message) to determine which system or systems hold the resource. Then the operator should determine if action should be taken to cause the holding system to release its ENQ on the TKDS resource.

System programmer response:

None.

CSFM306E
TKT UPDATE FAILED, HANDLE handle.
Explanation:

The active TKDS has been successfully updated by a member of the ICSF sysplex group. An attempt by the local system to update the TKDS record with handle handle in its in-storage copy of the TKDS has failed. The in-storage TKDS is now out of sync with the DASD version of the TKDS. Refer to message CSFM304A for further information about this error.

System action:

ICSF processing will continue.

Operator response:

Refer to message CSFM304A.

System programmer response:

None.

CSFM307E
PKT UPDATE FAILED, LABEL label.
Explanation:

The active PKDS has been successfully updated by a member of the ICSF sysplex group. An attempt by the local system to update the key token with label label in its in-storage copy of the PKDS has failed. The in-storage PKDS is now out of sync with the DASD version of the PKDS. Refer to message CSFM314E for further information about this error.

System action:

ICSF processing will continue.

Operator response:

The operator should attempt to refresh the PKDS on sysplex member member_name using the ICSF TSO panels.

System programmer response:

None.

CSFM308I
MEMBER member_name REPORTED action FROM SYSPLEX GROUP group_name.
Explanation:

Sysplex group member member_name is no longer participating in sysplex group group_name. This is due to one of two possibilities:

  • The ICSF started task on member member_name has stopped, or
  • The system was reported or detected as gone from the sysplex.

System action:

ICSF sysplex processing will continue with the remaining members of the sysplex group.

Operator response:

The operator should verify that member_name leaving group_name was intentional.

System programmer response:

None.

CSFM314E
FAILURE UPDATING PKT AFTER PKDS UPDATE, RC = return_code, RS = reason_code. IN STORAGE PKDS NO LONGER CURRENT, MEMBER member_name.
Explanation:

The active PKDS in use by sysplex member member_name has been successfully updated by a member of the sysplex. An attempt by sysplex member member_name to update the PKDS record in its in-storage copy of the PKDS has failed with return code return_code and reason code reason_code. The in-storage PKDS is now out of sync with the DASD version of the PKDS. If the message specifies RC = none RS= none, the sysplex member that initiated the PKDS I/O update left the sysplex unexpectedly and the status of the PKDS DASD I/O operation is unknown. Message CSFM602E will also be issued to identify the handle of the record for which the in-storage PKDS update failed.

System action:

ICSF processing will continue.

Operator response:

In order to synchronize the in-storage copy of the PKDS on sysplex member member_name, ICSF must be stopped and restarted.

System programmer response:

None.
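
The out-of-sync messages above (CSFM301A, CSFM304A, CSFM314E and the companion messages CSFM303E, CSFM306E, CSFM307E) can be triaged from a console log as in the following added example, which is not IBM code. The log lines, return codes, labels and names are constructed, and pairing each companion message with the nearest primary message for the same key data set within one system's log is an assumption.

```python
import re
from dataclasses import dataclass, field

# Primary messages: message id -> (key data set, operator response as documented on this page).
PRIMARY = {
    "CSFM301A": ("CKDS", "refresh the CKDS using the ICSF TSO panels"),
    "CSFM304A": ("TKDS", "stop and restart ICSF"),
    "CSFM314E": ("PKDS", "stop and restart ICSF"),
}
# Companion messages that name the affected record. CSFM307E is paired with
# CSFM314E because the CSFM307E entry refers back to CSFM314E.
COMPANION = {"CSFM303E": "CKDS", "CSFM306E": "TKDS", "CSFM307E": "PKDS"}

# Tolerates "RC = x, RS = y" as well as the "RC = none RS= none" spelling.
PRIMARY_RE = re.compile(
    r"\b(CSFM3(?:01A|04A|14E))\b.*?\bRC\s*=\s*(\w+)\s*,?\s*RS\s*=\s*(\w+)"
    r".*?\bMEMBER\s+([^\s.]+)"
)
# Labels may contain periods, so only the sentence-ending period is dropped.
COMPANION_RE = re.compile(r"\b(CSFM30[367]E)\b.*?\b(?:LABEL|HANDLE)\s+(.+?)\.?\s*$")


@dataclass
class StaleCopy:
    kds: str              # CKDS, TKDS or PKDS
    member: str           # sysplex member whose in-storage copy is stale
    msg_id: str
    rc: str
    rs: str
    initiator_left: bool  # RC/RS "none": updating member left the sysplex
    action: str
    records: list = field(default_factory=list)  # labels/handles from companions


def triage(lines):
    """Return one StaleCopy per primary message, with companion records attached."""
    findings, latest, orphans = [], {}, {}
    for line in lines:
        m = PRIMARY_RE.search(line)
        if m:
            msg_id, rc, rs, member = m.groups()
            kds, action = PRIMARY[msg_id]
            left = rc.lower() == "none" and rs.lower() == "none"
            # Companions seen before their primary are attached here (assumption).
            finding = StaleCopy(kds, member, msg_id, rc, rs, left, action,
                                orphans.pop(kds, []))
            findings.append(finding)
            latest[kds] = finding
            continue
        m = COMPANION_RE.search(line)
        if m:
            kds = COMPANION[m.group(1)]
            if kds in latest:
                latest[kds].records.append(m.group(2))
            else:
                orphans.setdefault(kds, []).append(m.group(2))
    return findings


def report(findings):
    """Format findings as operator-facing lines."""
    out = []
    for f in findings:
        note = " (DASD update status unknown)" if f.initiator_left else ""
        recs = ", ".join(f.records) or "record not identified"
        out.append(f"{f.member}: in-storage {f.kds} stale{note}; "
                   f"{recs}; response: {f.action}")
    return out


# Constructed sample log for one system; all values are illustrative.
SAMPLE_LOG = [
    "CSFM600I CONNECTION ESTABLISHED TO ICSF SYSPLEX GROUP GRP1, MEMBER SYSB.",
    "CSFM301A FAILURE UPDATING CKT AFTER CKDS UPDATE, RC = 8, RS = 2040. "
    "MANUAL REFRESH OF CKDS REQUIRED, MEMBER SYSB.",
    "CSFM303E CKT UPDATE FAILED, LABEL PAYROLL.DES.KEY1.",
    "CSFM306E TKT UPDATE FAILED, HANDLE TOKEN1.",
    "CSFM304A FAILURE UPDATING TKT AFTER TKDS UPDATE, RC = none RS= none. "
    "IN STORAGE TKDS NO LONGER CURRENT, MEMBER SYSB.",
    "CSFM314E FAILURE UPDATING PKT AFTER PKDS UPDATE, RC = 8, RS = 2040. "
    "IN STORAGE PKDS NO LONGER CURRENT, MEMBER SYSB.",
    "CSFM307E PKT UPDATE FAILED, LABEL RSA.SIGN.KEY.",
]

if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```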

CSFM315I
TIMED OUT WAITING FOR RESOURCE SYSZPKDS.pkdsdsn. PKDS UPDATE FAILED.
Explanation:

The PKDS I/O subtask timed out waiting for an exclusive ENQ on the SYSZPKDS.pkdsdsn resource. At least one member of the ICSF sysplex group has not relinquished its ENQ on the resource.

System action:

ICSF processing will continue. The PKDS update operation fails with return code 12, reason code 3005 (X'BBD').

Operator response:

The operator should issue D GRS,RES=(*,nnnnn) (where nnnnn is the PKDS resource name from the message) to determine if a system or systems hold the resource. Then the operator should determine if action should be taken to cause the holding system to release its ENQ on the PKDS resource.

System programmer response:

None.

CSFM400I
CRYPTOGRAPHY - SERVICES ARE NOW AVAILABLE.
Explanation:

This is an informational message. ICSF is up and the DES master key is active. DES application services are available.

System action:

Processing continues.

Operator response:

None.

System programmer response:

None.

CSFM401I
CRYPTOGRAPHY - SERVICES ARE NO LONGER AVAILABLE.
Explanation:

Either ICSF is stopping, or access to a cryptographic unit is no longer possible. For example, the last unit is in a ‘DISABLED’ state.

System action:

ICSF ends.

Operator response:

Contact your system programmer.

System programmer response:

Investigate the sequence of error messages prior to this message to help you resolve the problem.

CSFM402I
DOMAIN INDEX IN THE OPTIONS DATASET WAS IGNORED.
Explanation:

ICSF detected a changed domain parameter in the options data set and COMPAT(YES) was specified, but there was no intervening IPL. The specified index in the domain installation option was ignored. The index was set to the value that was stored in the cryptographic communications vector table (CCVT) when ICSF was last started.

System action:

Processing continues.

Operator response:

Contact your system programmer.

System programmer response:

If the cryptographic domain index needs to be changed, re-IPL the system.

CSFM403I
CSFMIOST WAS UNABLE TO ESTABLISH RECOVERY. RETURN CODE return_code FROM THE ESTAE MACRO.
Explanation:

This message is no longer issued.

System action:

None.

User response:

None.

System programmer response:

None.

CSFM404A
PKA HASH PATTERN IN PKDS HEADER RECORD DOES NOT MATCH SYSTEM PKA HASH PATTERN.
Explanation:

The PKA Hash Pattern, which is part of the PKDS header record, does not match the PKA Hash Pattern currently in use by ICSF. This can occur if the PKA master keys are changed and ICSF is ended before writing any PKDS records. In this situation, the PKDS header record is not updated. When ICSF is restarted it detects a mismatch in the PKDS header record. This can also occur if the PKDS being used is not associated with the ICSF being started or the PKDS is back level or empty.

System action:

ICSF continues the initialization process, but marks the PKDS services as unavailable.

User response:

None.

System programmer response:

If the PKDS is usable, use the ICSF panels to invoke the User Control functions and enable PKDS Read Access and PKDS Write, Create, and Delete Access. If the PKDS is unusable, correct the condition (if possible), stop ICSF, and restart with appropriate or fixed PKDS.

CSFM405A
AUTHENTICATION CODE IN PKDS HEADER RECORD DOES NOT MATCH COMPUTED VALUE.
Explanation:

The authentication code is a hash value computed using all the data in the record. It is stored in the header record when it is written, and is used as an integrity check. Subsequently, when ICSF read the record and recomputed the authentication code, it did not match the one in the record. This may mean that the record has been altered since it was written to the PKDS.

If the PKDS is empty when you start ICSF, it is normal to see this message. This message will no longer appear at start up once you have written to the PKDS.

System action:

ICSF continues the initialization process, but marks the PKDS services as unavailable.

User response:

None.

System programmer response:

If the PKDS is usable, use the ICSF panels to invoke the User Control functions and choose the options to allow PKDS Read Access and PKDS Write, Create, and Delete Access. If the PKDS is unusable, correct the condition (if possible), stop ICSF, and restart with a fixed PKDS.

CSFM406A
UNEXPECTED ERROR PROCESSING PKDS HEADER RECORD. FUNCTION = function, RETURN CODE = rc, REASON CODE = rs.
Explanation:

This message is no longer issued.

System action:

None.

User response:

None.

System programmer response:

None.

CSFM407A
PKDS dsname IS UNAVAILABLE.
Explanation:

This message is no longer issued.

System action:

None.

User response:

None.

System programmer response:

None.

CSFM409E
MULTIPLE DOMAINS AVAILABLE. SELECT ONE IN OPTIONS DATA SET.
Explanation:

Multiple domains are available for this LPAR or native system. Select the domain using the DOMAIN parameter in the options data set.

If this error is generated even though the DOMAIN parameter is specified, it indicates that the DOMAIN parameter specifies an invalid value. Valid values are 0-15 (in decimal).

System action:

ICSF ends.

Operator response:

Contact your system programmer.

System programmer response:

Add the DOMAIN parameter to the options data set (or verify that it is set to a valid value) and restart ICSF.

CSFM410E
ERROR IN OPTIONS DATA SET.
Explanation:

Some keywords or parameters are not valid in the options data set. Check the CFLIST data set for the specific error messages.

System action:

ICSF ends.

Operator response:

Contact your system programmer.

System programmer response:

Correct the error in the options data set and restart ICSF.

CSFM411I
PCI CRYPTOGRAPHIC ACCELERATOR Aaa IS ACTIVE
Explanation:

The PCI cryptographic accelerator is online and operational. It is installed at position aa.

System action:

The system will use the PCI cryptographic accelerator.

CSFM412I
PCI CRYPTOGRAPHIC ACCELERATOR Aaa IS OFFLINE
Explanation:

The PCI cryptographic accelerator is offline. It is installed at position aa.

System action:

The system will not use the PCI cryptographic accelerator.

System programmer response:

Have the PCI cryptographic accelerator brought online.

CSFM413E
PCI CRYPTOGRAPHIC ACCELERATOR Aaa FAILED
Explanation:

The PCI cryptographic accelerator installed at position Aaa has failed.

System action:

The system will not use the PCI cryptographic accelerator.

System programmer response:

Have the PCI cryptographic accelerator removed or replaced by your IBM Customer Engineer.

CSFM414I
PCI CRYPTOGRAPHIC ACCELERATOR Aaa IS BUSY
Explanation:

This state may occur when the PCI cryptographic accelerator is first brought online and is going through power-on reset. The PCI cryptographic accelerator may also be in this state when new licensed internal code is being loaded or when the unit is going through recovery processing.

System action:

The system will retry the PCI cryptographic accelerator until it is no longer busy.

CSFM416I
BOTH MASTER KEYS CORRECT ON PCI X CRYPTOGRAPHIC COPROCESSOR Xpp, SERIAL NUMBER nnnnnnn.
Explanation:

The PCI X Cryptographic Coprocessor with serial number nnnnnnn is online and operational. It is installed at position pp.

System action:

The system will use the PCI X Cryptographic Coprocessor for cryptographic operations.

Operator response:

None.

System programmer response:

None.

CSFM417I
PCI X CRYPTOGRAPHIC COPROCESSOR Xpp, SERIAL NUMBER nnnnnnn, OFFLINE
Explanation:

The PCI X Cryptographic Coprocessor with serial number nnnnnnn is offline and cannot be used for any operation. It is installed at position pp.

System action:

The system will not use the PCI X Cryptographic Coprocessor for cryptographic operations.

Operator response:

None.

System programmer response:

Have the PCI X Cryptographic Coprocessor brought online.

CSFM418E
PCI X CRYPTOGRAPHIC COPROCESSOR Xpp, SERIAL NUMBER nnnnnnn, FAILED
Explanation:

The PCI X Cryptographic Coprocessor with serial number nnnnnnn has failed and cannot be used for any operation. It is installed at position pp.

System action:

The system will not use the PCI X Cryptographic Coprocessor for cryptographic operations.

Operator response:

None.

System programmer response:

Have the PCI X Cryptographic Coprocessor removed or replaced by your IBM customer engineer.

CSFM419E
INCORRECT MASTER KEY (mk) ON PCI X CRYPTOGRAPHIC COPROCESSOR Xpp, SERIAL NUMBER nnnnnnn.
Explanation:

The PCI X Cryptographic Coprocessor with serial number nnnnnnn, installed at position pp, has an incorrect master key. Specifically, the master key verification pattern (MKVP) in the CKDS/PKDS does not match the MKVP of the master key. The variable mk will specify SYM, ASYM, or BOTH. This message may be issued at initialization or when a new cryptographic coprocessor unit comes online.

System action:

If the SYM-MK is valid, the PCI X Cryptographic Coprocessor may be used for DES operations. Otherwise, the system will not use the PCI X Cryptographic Coprocessor for cryptographic operations until the security administrator has changed its master keys.

Operator response:

None.

System programmer response:

Have the security administrator enter the correct master key.

CSFM420E
PKDS NOT USABLE ON THIS SYSTEM - ECC ONLY MK
Explanation:

The PKDS contains only an ECC MKVP. The header record of the PKDS has been checked and only an ECC MKVP was found. The valid states are: no MKHP/MKVPs, both RSA MKHP and ECC MKVPs, or only an RSA MKHP. The PKDS specified for this system must be changed to match one of the valid states. This message is issued at initialization.

System action:

ICSF ends.

Operator response:

Notify the security administrator. The PKDS must be changed or modified for use on this system.

System programmer response:

None.

CSFM424I
PCI X CRYPTOGRAPHIC COPROCESSOR Xpp, SERIAL NUMBER nnnnnnn, BUSY.
Explanation:

This state may occur when the PCI X Cryptographic Coprocessor is first brought online and is going through power-on reset. The PCI X Cryptographic Coprocessor may also be in this state when new licensed internal code is being loaded or when the unit is going through recovery processing.

System action:

The system will retry the PCI X Cryptographic Coprocessor until it is no longer busy.

Operator response:

None.

System programmer response:

None.

CSFM430I
CRYPTO EXPRESS2 COPROCESSOR Epp, SERIAL NUMBER nnnnnnn, IS BUSY.
Explanation:

This message is no longer issued.

System action:

None.

Operator response:

None.

System programmer response:

None.

CSFM431I
BOTH MASTER KEYS CORRECT ON CRYPTO EXPRESS2 COPROCESSOR Epp, SERIAL NUMBER nnnnnnn.
Explanation:

This message is no longer issued.

System action:

None.

Operator response:

None.

System programmer response:

None.

CSFM432I
CRYPTO EXPRESS2 COPROCESSOR Epp, SERIAL NUMBER nnnnnnn, OFFLINE.
Explanation:

This message is no longer issued.

System action:

None.

Operator response:

None.

System programmer response:

None.

CSFM433E
CRYPTO EXPRESS2 COPROCESSOR Epp, SERIAL NUMBER nnnnnnn, FAILED.
Explanation:

This message is no longer issued.

System action:

None.

Operator response:

None.

System programmer response:

None.

CSFM434E
INCORRECT MASTER KEY mk ON CRYPTO EXPRESS2 COPROCESSOR Epp, SERIAL NUMBER nnnnnnn.
Explanation:

This message is no longer issued.

System action:

None.

Operator response:

None.

System programmer response:

None.

CSFM435I
CRYPTO EXPRESS2 ACCELERATOR F&index. IS ACTIVE.
Explanation:

This message is no longer issued.

System action:

None.

Operator response:

None.

System programmer response:

None.

CSFM436I
CRYPTO EXPRESS2 ACCELERATOR F&index. IS OFFLINE.
Explanation:

This message is no longer issued.

System action:

None.

Operator response:

None.

System programmer response:

None.

CSFM437E
CRYPTO EXPRESS2 ACCELERATOR F&index. FAILED.
Explanation:

This message is no longer issued.

System action:

None.

Operator response:

None.

System programmer response:

None.

CSFM438I
CRYPTO EXPRESS2 ACCELERATOR F&index. IS BUSY.
Explanation:

This message is no longer issued.

System action:

None.

Operator response:

None.

System programmer response:

None.

CSFM440I
PCI X CRYPTOGRAPHIC COPROCESSOR Xpp, SERIAL NUMBER nnnnnnnn, ACTIVE.
Explanation:

The symmetric-keys master key has been set on PCI X Cryptographic Coprocessor with serial number nnnnnnnn. The coprocessor is able to process service requests for services requiring the symmetric-keys master key.

System action:

The system will use the PCI X Cryptographic Coprocessor for cryptographic operations.

Operator response:

None.

System programmer response:

None.

CSFM441I
CRYPTO EXPRESS2 COPROCESSOR Epp, SERIAL NUMBER nnnnnnnn, ACTIVE.
Explanation:

This message is no longer issued.

System action:

None.

Operator response:

None.

System programmer response:

None.

CSFM450E
UNEXPECTED ERROR PROCESSING kds, RETURN CODE = xxxx, REASON CODE = yyyy.
Explanation:

An error occurred during processing of the kds (CKDS, PKDS, or TKDS) during initialization of ICSF. This may have occurred during allocation, open, read or write.

kds will be either CKDS, PKDS, or TKDS.

For an explanation of the return code and reason code values, refer to the Return and Reason Codes in either the z/OS Cryptographic Services ICSF Application Programmer’s Guide or z/OS DFSMS Macro Instructions for Data Sets. If the error occurred during data set allocation, the reason code is a combination of the dynamic allocation error code and an ICSF-assigned reason code for dynamic allocation error. Message CSFC0036 precedes this message and gives more useful information in this case.

System action:

ICSF ends.

Operator response:

Attempt to start ICSF again, and contact the system programmer.

System programmer response:

Correct the problem as appropriate for any error messages that precede this one. Start ICSF again with an empty or error-free CKDS, PKDS, or TKDS.

CSFM451E
CRYPTOGRAPHIC COPROCESSOR pp, FAILED.
Explanation:

A cryptographic coprocessor is checkstopped and cannot be used for any operation. It is installed at position pp.

System action:

The system will not use the cryptographic coprocessor for cryptographic operations.

Operator response:

None.

System programmer response:

Have the cryptographic coprocessor removed or replaced by your IBM customer engineer.

CSFM452I
CSFMIOTT WAS UNABLE TO ESTABLISH RECOVERY. RETURN CODE &RC. FROM THE ESTAE MACRO.
Explanation:

This message is no longer issued.

System action:

None.

Operator response:

None.

System programmer response:

None.

CSFM501E
CRYPTOGRAPHY - HARDWARE FAILURE ON COPROCESSOR coprocessor-id, CPU cpu-id.
Explanation:

A cryptographic instruction has ended, indicating a cryptographic hardware failure. ICSF disables the failing CPU for cryptographic operations. An SMF82 record is written.

System action:

The CPU is disabled for cryptography.

Operator response:

Contact your system programmer.

System programmer response:

Contact the IBM Support Center.

CSFM503E
CRYPTOGRAPHY - TAMPERING DETECTED ON COPROCESSOR coprocessor-id, CPU cpu-id.
Explanation:

A tamper condition occurred. The cryptographic feature has zeroed the master key registers in the indicated coprocessor-id and cpu-id.

System action:

The CPU alarm sounds. The CPU is disabled for cryptography. ICSF generates an SMF type 82 record.

Operator response:

See S/390 Support Element Operations Guide.

System programmer response:

Contact the IBM Support Center.

CSFM504E
CRYPTOGRAPHY - THERE ARE NO ONLINE CPUS WITH ACCESS TO A COPROCESSOR.
Explanation:

A sequence of error messages has resulted in the disabling of all cryptographic CPUs.

System action:

The CPU is disabled for cryptographic services. They will be restored when at least one CPU is made available for cryptographic functions.

System programmer response:

Investigate the sequence of error messages prior to this message to help you resolve the problem.

If you cannot resolve the problem, contact the IBM Support Center.

CSFM505I
CRYPTOGRAPHY - THERE ARE NO ACTIVE CRYPTOGRAPHIC COPROCESSORS.
Explanation:

One or more errors or user actions have resulted in the disabling of all cryptographic coprocessors.

System action:

The system continues processing. The system will not be able to use a PCI X Cryptographic Coprocessor or Crypto Express2 Coprocessor for cryptographic operations until a coprocessor is activated.

Operator response:

Investigate the problem. Contact the system administrator to enter the master keys for any online coprocessors or to bring a new cryptographic coprocessor online (if one is available).

System programmer response:

None.

CSFM506I
CRYPTOGRAPHY - THERE IS NO ACCESS TO ANY CRYPTOGRAPHIC COPROCESSORS OR ACCELERATORS.
Explanation:

ICSF does not have access to any cryptographic coprocessors or accelerators. This message is issued when:

  • Domain is not specified on the LPAR activation panel.
  • Domain in the ICSF options data set does not match the usage domain on the Support Element LPAR activation panel.
  • There are no coprocessors defined in LPAR candidates lists.

It is a normal message if only the CP assist instructions are being exploited. If cryptographic coprocessors are required, then update the Options Data Set or reconfigure the partition correctly and restart ICSF.

System action:

The system continues processing and only a limited subset of ICSF services is available.

Operator response:

Contact your system programmer; this may be an error.

System programmer response:

The Options Data Set may need to be updated.

CSFM507I
CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC COPROCESSORS ONLINE.
Explanation:

During ICSF initialization, there were no online cryptographic coprocessors detected. This may be the desired configuration.

System action:

The system continues processing.

Operator response:

None.

System programmer response:

None.

CSFM508I
CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE.
Explanation:

During ICSF initialization, there were no online cryptographic accelerators detected. This may be the desired configuration.

System action:

The system continues processing.

Operator response:

None.

System programmer response:

None.

CSFM510E
CRYPTOGRAPHY - VERIFICATION FAILED ON COPROCESSOR coprocessor-id, CPU cpu-id.
Explanation:

The master key authentication pattern is not valid.

System action:

The CPU is disabled for cryptography.

Operator response:

Contact your system programmer.

System programmer response:

Ensure that the CKDS is valid for the master key that is installed for that CPU.

CSFM511E
CRYPTOGRAPHY - MASTER KEY ON COPROCESSOR coprocessor-id, CPU cpu-id IS NOT VALID.
Explanation:

The cryptographic unit has a zero master key.

System action:

The CPU is disabled for cryptography.

System programmer response:

Determine why the master key is zeroed. You need to re-install the correct key before using the CPU for cryptographic services. If you cannot resolve the problem, contact the IBM Support Center. It is normal to see this message the first time ICSF starts.

CSFM512E
CRYPTOGRAPHY - PKA MASTER KEYS ON COPROCESSOR coprocessor-id ARE NOT VALID.
Explanation:

A new cryptographic unit has come online, but the PKA master key is not valid or does not agree with the PKA master key of the cryptographic unit already online.

System action:

Processing continues, but PKA callable services are not enabled on the new unit.

Operator response:

Notify your security administrator to install the correct PKA master key on the new unit.

System programmer response:

None.

CSFM522E
CRYPTOGRAPHY - COPROCESSOR coprocessor-id, CPU cpu-id IS DISABLED.
Explanation:

Cryptographic functions are disabled in the Environment Control Mask (ECM). This can only be done from the TKE workstation.

System action:

The CPU is disabled for cryptography.

System programmer response:

Enable cryptographic functions for the cryptographic unit in the ECM using the TKE workstation.

CSFM530I
I/O INTERRUPT SUPPORT HAS BEEN ENABLED FOR coprocessor-name cii, SERIAL NUMBER nnnnnnn.
Explanation:

ICSF initialization determined that system conditions were sufficient for operating with the cryptographic accelerator and coprocessor I/O interrupt capability, and therefore enabled this functionality. The substitution variables are:

  • coprocessor-name - the type of cryptographic coprocessor.
  • c - the short name for the coprocessor type. For example, G (representing a CEX3C).
  • ii - the index or position where the cryptographic coprocessor is installed.
  • nnnnnnn - the serial number for the cryptographic coprocessor.

System action:

This instance of ICSF will operate with cryptographic accelerator and coprocessor I/O interrupt capability.

System programmer response:

None.

CSFM531I
MISSED I/O INTERRUPT HAS BEEN RECOVERED FOR coprocessor-name cii, SERIAL NUMBER nnnnnnn.
Explanation:

ICSF has discovered and recovered from a missed I/O Interrupt from either a cryptographic accelerator or coprocessor. The substitution variables are:

  • coprocessor-name - the type of cryptographic coprocessor.
  • c - the short name for the coprocessor type. For example, G (representing a CEX3C).
  • ii - the index or position where the cryptographic coprocessor is installed.
  • nnnnnnn - the serial number for the cryptographic coprocessor.

System action:

This instance of ICSF will continue to operate with cryptographic accelerator and coprocessor I/O interrupt capability.

System programmer response:

None.

CSFM532I
PKDS RECORD WITH INCORRECT LENGTH, labelname.
Explanation:

The length field in the PKDS record's fixed section did not match the length returned by VSAM. This message will be issued either during ICSF initialization, PKDS refresh, PKDS reencipher, or when changing the asymmetric master key.

System action:

If the key record length in the PKDS record's fixed section is smaller than the record size returned by VSAM, processing will continue. This indicates that padding was added to the record, which will be ignored by ICSF.

If the key record length in the PKDS record's fixed section is larger than the record size returned by VSAM, ICSF will abend with ICSF abend code X'18F'/reason code X'458'. This indicates that a record was truncated. ICSF cannot process truncated PKDS records.

Operator response:

Contact the system programmer.

System programmer response:

Remove truncated key records from the PKDS.

Key records containing additional padding may remain in the PKDS. However, to prevent the CSFM532I message from reappearing, the additional padding on those records must be removed.

Contact the IBM Support Center for assistance in correcting the affected PKDS records, if needed.

CSFM540I
COPROCESSER AT INDEX nn ENCOUNTERED CONDITION CODE = cc, WITH STATUS WORD = statword - COPROCESSOR BYPASSED
Explanation:

A failing response was encountered from a coprocessor during ICSF initialization. The coprocessor is bypassed and is unavailable for work.

System action:

Processing continues.

Operator response:

The operator should check the support element. Contact the system programmer.

System programmer response:

Have the ICSF administrator investigate the coprocessor response to determine the cause of the problem. Contact system hardware support for assistance. If the problem is not resolved, contact the IBM Support Center.

CSFM600I
CONNECTION ESTABLISHED TO ICSF SYSPLEX GROUP group_name, MEMBER member_name.
Explanation:

Sysplex member member_name has successfully established a connection to the ICSF sysplex group group_name.

System action:

This system will participate in sysplex-wide consistency for the specified ICSF resource (CKDS or TKDS).

System programmer response:

None.

CSFM601I
CONNECTION DISABLED TO ICSF SYSPLEX GROUP group_name, MEMBER member_name.
Explanation:

This message is no longer issued.

System action:

None.

System programmer response:

None.

CSFM602E
CONNECTION BROKEN TO ICSF SYSPLEX GROUP group_name, MEMBER member_name.
Explanation:

The ICSF Cross-System Services task on sysplex member member_name has terminated abnormally.

System action:

Sysplex member member_name is disconnected from the ICSF sysplex group group_name.

In releases of ICSF prior to HCR7770, ICSF processing will continue and this system will no longer participate in sysplex-wide consistency for the specified ICSF resource (CKDS or TKDS).

Starting in HCR7770, ICSF recovery processing attempts to restart the subtask, and sysplex member member_name will rejoin the sysplex as if ICSF has been restarted. If ICSF recovery processing cannot restart the subtask, ICSF terminates.

System programmer response:

None.

CSFM603E
FAILURE IN XCF SERVICE xcf_service FOR MEMBER member_name, GROUP group_name. RETURN CODE = return_code, REASON CODE = reason_code.
Explanation:

A failure occurred in either the IXCJOIN processing when sysplex member member_name attempted to join the ICSF sysplex group group_name, or in the IXCLEAVE processing when sysplex member member_name attempted to leave the ICSF sysplex group group_name.

In the message text:

return_code
The hexadecimal return code from the IXCJOIN/IXCLEAVE macro.
reason_code
The hexadecimal reason code from the IXCJOIN/IXCLEAVE macro.

System action:

For an IXCJOIN failure: the system action depends upon the specification of the SYSPLEXCKDS or SYSPLEXTKDS option in the ICSF Installation Options Data Set. If FAIL(NO) was specified, ICSF initialization will continue and this system will not be notified of updates to the ICSF Key Data Set (CKDS or TKDS) by other sysplex members. If FAIL(YES) was specified, ICSF will abend with abend code X'18F', reason code 84 (X'54').

For an IXCLEAVE failure: none.

System programmer response:

Examine the return code and reason code from the IXCJOIN or IXCLEAVE operation to determine if an environmental condition relating to XCF can be corrected.

CSFM604E
FAILURE INITIALIZING ICSF CROSS-SYSTEM SERVICES ENVIRONMENT, FUNCTION = code, RETURN CODE = return_code, REASON CODE = reason_code.
Explanation:

A failure occurred while setting up the ICSF cross-system services environment. The function code identifies the process that failed. If code is 1, an error occurred in IXCJOIN processing when attempting to join the ICSF sysplex group. If code is 2, a failure occurred when attempting to create the latch set for either the CKDS or TKDS.

In the message text:

return_code
The hexadecimal return code from the IXCJOIN/ISGLCRT process.
reason_code
The hexadecimal reason code from the IXCJOIN/ISGLCRT process.

For a failure in IXCJOIN, message CSFM603E will also be issued.

System action:

The system action depends upon the specification of the SYSPLEXCKDS or SYSPLEXTKDS option in the ICSF Installation Options Data Set. If FAIL(NO) was specified, ICSF initialization will continue and this system will not be notified of updates to the ICSF Key Data Set (CKDS or TKDS) by other sysplex members. If FAIL(YES) was specified, ICSF will abend with abend code X'18F', reason code 84 (X'54') or 85 (X'55').

Operator response:

Contact the system programmer.

System programmer response:

Examine the return code and reason code from the IXCJOIN or ISGLCRT operation to determine if an environmental condition relating to the failure can be corrected.

CSFM605I
SYSTEM &sys. NOT IN MULTI-SYSTEM SYSPLEX. ICSF CROSS-SYSTEM SERVICES ENVIRONMENT NOT ESTABLISHED.
Explanation:

This message is no longer issued.

System action:

None.

CSFM606I
ICXMSGO FAILURE BROADCASTING MESSAGE TO GROUP sysplex-group RETURN CODE = return_code, REASON CODE = reason_code.
Explanation:

This message is no longer issued.

System action:

None.

Operator response:

None.

System programmer response:

None.

CSFM607I
A key-data-store KEY STORE POLICY IS NOT DEFINED.
Explanation:

None of the key policy controls that activate the key policy for the specified key-data-store are defined. Possible key-data-stores are CKDS or PKDS.

The key policy controls that activate the CKDS key policy are the CSF.CKDS.TOKEN.CHECK.LABEL.WARN, the CSF.CKDS.TOKEN.CHECK.LABEL.FAIL, or the CSF.CKDS.TOKEN.CHECK.NODUPLICATES resources in the XFACILIT class.

The key policy controls that activate the PKDS key policy are the CSF.PKDS.TOKEN.CHECK.LABEL.WARN, the CSF.PKDS.TOKEN.CHECK.LABEL.FAIL, or the CSF.PKDS.TOKEN.CHECK.NODUPLICATES resources in the XFACILIT class.

RACF commands may be used to define, change, list or delete the profiles that cover these resources in the XFACILIT class.

This message may be issued during ICSF initialization or when ICSF detects that the key policy is deactivated.

System action:

Processing continues.

Operator response:

None.

System programmer response:

None.

CSFM608I
A key-data-store KEY STORE POLICY IS DEFINED.
Explanation:

One or more of the key policy controls that activate the key policy for the specified key-data-store is defined. Possible key-data-stores are CKDS or PKDS.

The key policy controls that activate the CKDS key policy are the CSF.CKDS.TOKEN.CHECK.LABEL.WARN, the CSF.CKDS.TOKEN.CHECK.LABEL.FAIL, or the CSF.CKDS.TOKEN.CHECK.NODUPLICATES resources in the XFACILIT class.

The key policy controls that activate the PKDS key policy are the CSF.PKDS.TOKEN.CHECK.LABEL.WARN, the CSF.PKDS.TOKEN.CHECK.LABEL.FAIL, or the CSF.PKDS.TOKEN.CHECK.NODUPLICATES resources in the XFACILIT class.

RACF commands may be used to define, change, list or delete the profiles that cover these resources in the XFACILIT class.

This message may be issued during ICSF initialization or when ICSF detects that the key policy is deactivated.

System action:

Processing continues.

Operator response:

None.

System programmer response:

None.

CSFM609I
IXCMSGI FAILURE RECEIVING MESSAGE FROM GROUP group. RETURN CODE = return_code. REASON CODE = reason_code.
Explanation:

This message is no longer issued.

System action:

None.

Operator response:

None.

System programmer response:

None.

CSFM610I
GRANULAR KEYLABEL ACCESS CONTROL IS state.
Explanation:

If state is DISABLED, neither of the profiles that activate the granular keylabel access controls is defined. If state is ENABLED, either or both of the profiles are defined.

The profiles that activate the granular keylabel access controls are the CSF.CSFKEYS.AUTHORITY.LEVELS.FAIL and CSF.CSFKEYS.AUTHORITY.LEVELS.WARN resources in the XFACILIT class.

RACF commands may be used to define, change, list or delete the profiles that cover these resources in the XFACILIT class.

This message may be issued during ICSF initialization or when ICSF detects that the key policy is deactivated.

System action:

Processing continues.

Operator response:

None.

System programmer response:

None.

CSFM611I
XCSFKEY EXPORT CONTROL FOR algorithm IS state.
Explanation:

algorithm can be DES or AES. If state is DISABLED, the profile that activates the Symmetric Key Label Access control for that algorithm is not defined. If state is ENABLED, the profile is defined.

The profiles that activate the Symmetric Key Label Access control for CSNDSYX are the CSF.XCSFKEY.ENABLE.AES and CSF.XCSFKEY.ENABLE.DES resources in the XFACILIT class.

RACF commands may be used to define, change, list or delete the profiles that cover these resources in the XFACILIT class.

This message may be issued during ICSF initialization or when ICSF detects that the key policy is deactivated.

System action:

Processing continues.

Operator response:

None.

System programmer response:

None.

CSFM612I
PKA KEY EXTENSIONS CONTROL IS state.
Explanation:

If state is DISABLED, the profile that enables the PKA Key Management Extensions control is not defined. If state is ENABLED, the profile is defined.

The existence of a profile for the CSF.PKAEXTNS.ENABLE resource in the XFACILIT class enables the PKA Key Management Extensions control. RACF commands can be used to define, change, list, or delete the profiles that cover this resource in the XFACILIT class.

This message may be issued during ICSF initialization or when ICSF detects that the policy is either activated or deactivated.

System action:

Processing continues.

Operator response:

None.

System programmer response:

None.
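
The state messages CSFM607I through CSFM612I can be replayed from an exported console log to find controls whose XFACILIT profiles are missing or were removed while ICSF was running. The following Python is an added example, not IBM code; the log line layout (a system name followed by the message) and the sample lines are constructed for illustration.

```python
import re

# XFACILIT resources named on this page for the CKDS/PKDS key store policy.
KDS_RESOURCES = ("CSF.{0}.TOKEN.CHECK.LABEL.WARN",
                 "CSF.{0}.TOKEN.CHECK.LABEL.FAIL",
                 "CSF.{0}.TOKEN.CHECK.NODUPLICATES")

def _kds(m, active):
    kds = m.group(1)
    return (f"{kds} key store policy",
            [r.format(kds) for r in KDS_RESOURCES], active)

# Each rule: regex over the message text -> (control, resources, active?).
# Control names are labels chosen for this example.
RULES = [
    (re.compile(r"CSFM607I A (CKDS|PKDS) KEY STORE POLICY IS NOT DEFINED"),
     lambda m: _kds(m, False)),
    (re.compile(r"CSFM608I A (CKDS|PKDS) KEY STORE POLICY IS DEFINED"),
     lambda m: _kds(m, True)),
    (re.compile(r"CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS (ENABLED|DISABLED)"),
     lambda m: ("granular keylabel access control",
                ["CSF.CSFKEYS.AUTHORITY.LEVELS.FAIL",
                 "CSF.CSFKEYS.AUTHORITY.LEVELS.WARN"],
                m.group(1) == "ENABLED")),
    (re.compile(r"CSFM611I XCSFKEY EXPORT CONTROL FOR (DES|AES) IS (ENABLED|DISABLED)"),
     lambda m: (f"XCSFKEY export control ({m.group(1)})",
                [f"CSF.XCSFKEY.ENABLE.{m.group(1)}"],
                m.group(2) == "ENABLED")),
    (re.compile(r"CSFM612I PKA KEY EXTENSIONS CONTROL IS (ENABLED|DISABLED)"),
     lambda m: ("PKA key extensions control", ["CSF.PKAEXTNS.ENABLE"],
                m.group(1) == "ENABLED")),
]

def parse(line):
    """Return (system, control, resources, active) or None for other lines."""
    system, _, text = line.partition(" ")  # assumed layout: "<system> <message>"
    for rx, build in RULES:
        m = rx.search(text)
        if m:
            return (system, *build(m))
    return None

def audit(lines):
    """Replay the log in order; return (final_state, findings)."""
    state, findings = {}, []
    for line_no, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            continue
        system, control, resources, active = rec
        previous = state.get((system, control))
        state[(system, control)] = active
        if active or previous is False:
            continue  # control is on, or was already reported as off
        # "deactivated": it was on earlier in this log, so a profile was
        # removed while ICSF was running; "inactive": first report was off.
        kind = "deactivated" if previous else "inactive"
        findings.append((line_no, system, control, kind, resources))
    return state, findings

# Constructed sample lines (not taken from a real system).
SAMPLE_LOG = [
    "SYSA CSFM608I A CKDS KEY STORE POLICY IS DEFINED.",
    "SYSA CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.",
    "SYSA CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS ENABLED.",
    "SYSA CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS ENABLED.",
    "SYSA CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.",
    "SYSA CSFM612I PKA KEY EXTENSIONS CONTROL IS ENABLED.",
    "SYSA CSFM001I ICSF INITIALIZATION COMPLETE",
    "SYSA CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.",
    "SYSB CSFM608I A CKDS KEY STORE POLICY IS DEFINED.",
]

if __name__ == "__main__":
    _, found = audit(SAMPLE_LOG)
    for line_no, system, control, kind, resources in found:
        print(f"line {line_no}: {system} {control} {kind}; "
              f"check {', '.join(resources)}")
```

A "deactivated" finding is the one to alert on, because it means the control was active earlier in the same log and has since been switched off.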

CSFM613E
ICSF SHUTDOWN DUE TO NESTED ABEND ON ICSF SUBTASK.
Explanation:

ICSF has encountered recursive ABENDs in one or more subtasks and can no longer remain operational.

System action:

ICSF ends.

Operator response:

Inform your system programmer.

System programmer response:

Collect any documentation that precedes this message, including messages and dumps, and contact the IBM Support Center.

CSFM614I
ICSF SUBTASK routine HAS TERMINATED. RECOVERY WILL BE ATTEMPTED.
Explanation:

An ICSF subtask routine terminated. ICSF will attempt to perform recovery.

System action:

This instance of ICSF will attempt recovery on a terminated subtask.

System programmer response:

None.

CSFM615I
COORDINATED CHANGE-MK FAILED. NEW MASTER KEYS INCORRECT ON sysname. RC = return-code, RSN = reason-code.
Explanation:

The Coordinated Change Master Key operation failed due to incorrect new master key values on system sysname. The return code and reason code provide a more specific reason for the failure.

System action:

ICSF processing will continue.

System programmer response:

Contact the security administrator to ensure that the new master key values on system sysname match the new master key values on all other systems sharing the same active Key Data Set (KDS). Once all systems sharing the same active KDS contain the same new master key values, the coordinated change master key operation may be executed again.

For more information on the return-code and reason-code, refer to the z/OS Cryptographic Services ICSF Application Programmer’s Guide or the information on the CSFEUTIL program in the z/OS Cryptographic Services ICSF Administrator’s Guide.

Refer to the z/OS Cryptographic Services ICSF Administrator’s Guide for information on recovering from a coordinated CKDS administration failure.

CSFM616I
COORDINATED operation FAILED, RC=return-code RS=reason-code SUPRC=supplemental-return-code SUPRS=supplemental-reason-code FLAGS= flags.
Explanation:

The coordinated KDS administration operation failed. The operation may be CHANGE-MK or REFRESH. return-code and reason-code indicate the primary return code and reason code for the failure. supplemental-return-code and supplemental-reason-code indicate the supplemental return code and reason code for the failure. flags indicate additional internal diagnostic information about the failure.

System action:

ICSF processing will continue.

System programmer response:

Contact the security administrator for help determining the problem. Use the return-code and reason-code for problem determination. For more information on the return-code and reason-code, refer to the z/OS Cryptographic Services ICSF Application Programmer’s Guide or the information on the CSFEUTIL program in the z/OS Cryptographic Services ICSF Administrator’s Guide.

Refer to the z/OS Cryptographic Services ICSF Administrator’s Guide for information on recovering from a coordinated CKDS administration failure.

If you are unable to determine the problem by looking up these values, contact the IBM Support Center. The supplemental-return-code, supplemental-reason-code, and flags show IBM internal diagnostic information. You may need to provide this information to the IBM Support Center.

CSFM617I
COORDINATED operation ACTION COMPLETED SUCCESSFULLY.
Explanation:

The coordinated KDS administration operation completed successfully. The operation may be CHANGE-MK or REFRESH.

System action:

ICSF processing will continue.

System programmer response:

None.

CSFM618I
kds-type DATA SET data-set-name RENAMED TO new-data-set-name.
Explanation:

The data set with data-set-name was renamed to the new data set name of new-data-set-name.

System action:

ICSF processing will continue.

System programmer response:

None.

CSFM619I
DSN NOT CATALOGED, DIAG=diagnostic-information DSN=data-set-name.
Explanation:

The data set with data set name of data-set-name is not cataloged.

System action:

ICSF processing will continue.

System programmer response:

Catalog the data set with data-set-name. Once the data set is cataloged, notify the security administrator to retry the function that failed. Refer to the z/OS Cryptographic Services ICSF Administrator’s Guide for information on recovering from a coordinated CKDS administration failure.

CSFM620I
COORDINATED operation MAINLINE PROCESSING FAILED BECAUSE reason-for-failure.
Explanation:

A coordinated KDS administration operation failed because of the reason-for-failure. The operation may be CHANGE-MK or REFRESH.

System action:

ICSF processing will continue.

System programmer response:

Notify the security administrator for help in determining the reason for the failure. Refer to the z/OS Cryptographic Services ICSF Administrator’s Guide for information on recovering from a coordinated CKDS administration failure. If unable to resolve the problem, contact the IBM Support Center.

CSFM621I
COORDINATED operation BACK OUT PROCESSING FAILED BECAUSE reason-for-failure.
Explanation:

Back out processing for a coordinated operation failed because of reason-for-failure. The operation may be CHANGE-MK or REFRESH.

System action:

Depending on the reason-for-failure, ICSF processing may continue or may shut down across all instances of ICSF sharing the same active KDS.

System programmer response:

Notify the security administrator for help in determining the reason for the failure. Refer to the z/OS Cryptographic Services ICSF Administrator’s Guide for information on recovering from a coordinated CKDS administration failure. If unable to resolve the problem, contact the IBM Support Center.

CSFM622I
COORDINATED operation PROGRESS: operation-progress.
Explanation:

This message indicates the progress of the coordinated operation. The operation may be CHANGE-MK or REFRESH.

System action:

ICSF processing will continue.

System programmer response:

None.

CSFM623I
CATALOG SEARCH FAILED. MODID=module-id RC=return-code RSN=reason-code.
Explanation:

If this message is issued during ICSF startup, a problem occurred while retrieving catalog information about the active KDS. If this message is issued during a coordinated change master key or a coordinated refresh operation, a problem occurred while retrieving catalog information about the new KDS. The problem occurred in the module identified by module-id. The return-code and reason-code indicate what type of problem occurred.

System action:

If this message is issued during ICSF startup, the KDS sysplex group will convert to the sysplex communication protocol used prior to HCR7790, and coordinated KDS administrative functions will be unavailable. If this message is issued during a coordinated change master key or a coordinated refresh operation, the operation will fail. In either case, ICSF processing will continue.

System programmer response:

If this message is issued during ICSF startup, ensure that the active KDS is correctly cataloged on the system. If this message is issued during a coordinated change master key or a coordinated refresh operation, notify the security administrator and make sure the new target data set is correctly cataloged on the system.

Refer to the z/OS Cryptographic Services ICSF Administrator’s Guide for information on recovering from a coordinated CKDS administration failure.

CSFM624I
ICSF COMMUNICATION LEVEL CHANGED FROM previous_level TO new_level.
Explanation:

The ICSF sysplex communication level changed from previous_level to new_level. previous_level may be 0 or 2. new_level may be 0 or 2.

The coordinated change master key and coordinated refresh operations are only available when all ICSF instances in the sysplex are at HCR7790 or above.

System action:

ICSF processing will continue. ICSF will process KDS updates using the communication level indicated by this message.

System programmer response:

None.

CSFM625I
SET key-type MASTER KEY FAILED FOR COPROCESSOR SERIAL NUMBER serial-number.
Explanation:

A failure occurred when attempting to set a new key-type master key for the coprocessor with serial number serial-number. key-type may be DES or AES. serial-number is the serial number of the coprocessor that experienced the failure.

System action:

ICSF processing will continue.

System programmer response:

Notify the security administrator to ensure that the new master key register for key-type is correctly loaded. If sharing the KDS across a sysplex and performing a coordinated change master key operation, the security administrator should ensure all instances of ICSF sharing the same active KDS have the same new master key value loaded into the new master key register for key-type. After correcting the new master key register(s), the security administrator should retry the operation.

Refer to the z/OS Cryptographic Services ICSF Administrator’s Guide for information on recovering from a coordinated CKDS administration failure.

CSFM626I
COORDINATED operation COMPLETE, RC=return-code RSN=reason-code CANCEL RSN=cancel-reason-code.
Explanation:

The coordinated operation has completed. The operation may be CHANGE-MK or REFRESH. If a failure occurred during the operation, the return-code, reason-code, and cancel-reason-code may be used to determine the cause of the failure.

System action:

ICSF processing will continue.

System programmer response:

In the case of a failure, an explanation of the return-code, reason-code, and cancel-reason-code values can be found in the "Return and Reason Codes" section of the z/OS Cryptographic Services ICSF Application Programmer’s Guide. Alternatively, refer to the return and reason code information for the CSFEUTIL program described in the z/OS Cryptographic Services ICSF Administrator’s Guide.

CSFM628I
SYSTEM system-name HAS MISSED A kds-type UPDATE. DIAG=diagnostic-information.
Explanation:

The system with system-name has missed a sysplex KDS update. kds-type indicates which type of KDS update was missed. diagnostic-information contains additional diagnostic information about the failure.

diagnostic-information may be the following:

  • PREP - This indicates that an internal ICSF sysplex message was missed. This message is used during internal KDS I/O processing in a sysplex environment.
  • '10'X - This indicates that a sysplex KDS record create was missed. This message is used to notify sysplex members of a KDS record create.
  • '11'X - This indicates that a sysplex KDS record update was missed. This message is used to notify sysplex members of a KDS record update.
  • '13'X - This indicates that a sysplex KDS record delete was missed. This message is used to notify sysplex members of a KDS record delete.

System action:

ICSF processing continues; however, the system indicated in this message by system-name has missed a KDS update. This system’s in-storage KDS will now be out of sync with other members in the sysplex group sharing the same active KDS. The next time a KDS update is processed against this system’s active KDS, ICSF will recognize that its in-storage KDS is out of sync and will perform an internal KDS refresh to get back in sync.

Operator response:

None.

System programmer response:

Notify the security administrator to perform a single-system KDS refresh on the system where the KDS is out of sync.

CSFM629I
IDCAMS-processor-message.
Explanation:

This message is used to route IDCAMS processor messages to the job log. This message is used during the rename step of a coordinated change master key or coordinated refresh operation.

System action:

ICSF processing continues.

System programmer response:

If this message indicates a failure, notify the security administrator for help in determining the reason for the failure. Refer to the z/OS Cryptographic Services ICSF Administrator’s Guide for information on recovering from a coordinated CKDS administration failure. If unable to resolve the problem, contact the IBM Support Center.

CSFM630I
kds-type RENAME FAILED: original-name TO new-name.
Explanation:

The rename step of a coordinated change master key or coordinated refresh operation failed. kds-type indicates which KDS this rename was being performed for. original-name indicates the original name of the KDS. new-name indicates the new name of the KDS.

System action:

ICSF processing continues.

System programmer response:

Notify the security administrator for help in determining the reason for the failure. Refer to the z/OS Cryptographic Services ICSF Administrator’s Guide for information on recovering from a coordinated CKDS administration failure. If unable to resolve the problem, contact the IBM Support Center.

CSFM631I
THE FOLLOWING PRE-HCR7790 SYSTEMS ARE PREVENTING A COORDINATED operation: list-of-systems
Explanation:

The coordinated change master key and coordinated refresh operations may only be performed when all systems in the KDS sysplex group are at the ICSF HCR7790 release level or higher. If an instance of ICSF joins the KDS sysplex group at a level lower than the ICSF HCR7790 release level, then, regardless of active KDS, the coordinated change master key and coordinated refresh operations will be unavailable.

operation may be CHANGE-MK or REFRESH, and indicates whether a coordinated change master key or coordinated refresh operation was requested.

list-of-systems indicates the systems containing an instance of ICSF at lower than the HCR7790 release level.

System action:

ICSF processing continues.

System programmer response:

In order to perform a coordinated change master key or coordinated refresh operation, systems running a release of ICSF lower than HCR7790 must be removed from the KDS sysplex group or upgraded to the HCR7790 release or higher. Refer to the z/OS Cryptographic Services ICSF Administrator’s Guide for information on recovering from a coordinated CKDS administration failure.

CSFM632I
CRITICAL ICSF SUBTASK name CAN NOT BE RESTARTED. ICSF WILL BE TERMINATED.
Explanation:

The ICSF subtask specified by name experienced a problem that ICSF tried to recover. ICSF recovery was unable to restart this subtask. This subtask is critical to ICSF processing. ICSF will terminate without this subtask.

System action:

ICSF terminates.

System programmer response:

Restart ICSF. If this problem reoccurs, contact the IBM Support Center.

CSFM633I
ICSF SUBTASK subtask CAN NOT BE RESTARTED. ICSF CAPABILITIES REDUCED.
Explanation:

The ICSF subtask specified by subtask experienced a problem that ICSF tried to recover. ICSF recovery was unable to restart this subtask. This subtask is not critical to ICSF processing. ICSF processing will continue with limited capabilities.

System action:

ICSF continues processing with limited capabilities.

System programmer response:

Restart ICSF. If this problem reoccurs, contact the IBM Support Center.

CSFM636I
SYSTEM system-name FAILURE FOR COORDINATED kds-type ACTIVITY. MSGTYPE=message-type RC=return-code. RSN=reason-code.
Explanation:

The system identified by system-name experienced a failure performing coordinated KDS activity. A reason-code of C3A indicates that the system system-name is not responding to the originator of the coordinated KDS function.

  • system-name - Name of the system which either detected a problem or failed to respond.
  • kds-type - KDS type for the coordinated activity.
  • message-type - Internal diagnostic information.
  • return-code - Return code either returned by the remote system or set by the originating system in case of timeout.
  • reason-code - Reason code either returned by the remote system or set by the originating system in case of timeout.

System action:

ICSF processing continues.

System programmer response:

Notify the security administrator for help in determining the reason for the failure. Refer to the z/OS Cryptographic Services ICSF Administrator’s Guide for information on recovering from a coordinated CKDS administration failure.

Copyright IBM Corporation 1990, 2014