This topic contains Programming Interface Information.

ICSF provides a utility program, CSFEUTIL, that performs certain functions that can also be performed using the administrator's panels.

The program that executes CSFEUTIL must be APF-authorized.

The utility can be used for installations with cryptographic coprocessors. You can run the utility program to perform these tasks:

• Reencipher a disk copy of a CKDS
• Change the master key (AES or DES)
• Refresh the in-storage CKDS
• Initialize a CKDS and load DES and PKA master keys using a pass phrase

  Starting with release HCR7780, there are two formats of the CKDS: a fixed-length record (supported by all releases of ICSF) and a new, variable-length record (supported by HCR7780 and later releases). Both formats are supported by the CSFEUTIL utility program.

  Restriction: You cannot use this utility to initialize a CKDS (and load DES and PKA master keys using a pass phrase) on the z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, and z196.

  On the supported hardware, the utility only loads DES and PKA master keys on the CCF. If you have a PCICC as part of the configuration, the SYM-MK is not loaded.

You invoke the program as a batch job or from another program. To invoke the program as a batch job, use JCL. You specify different parameters on the EXEC statement depending on the task you want the utility program to perform. If the CSFEUTIL invocation from the batch job fails, you will need to invoke CSFEUTIL from another program to obtain the reason code from General Purpose Register 0 along with the return code in General Purpose Register 15. To invoke the program from another program, use standard MVS linkages like LINK, ATTACH, LOAD, and CALL.

For information about using the utility program to reencipher a disk copy of a CKDS and change the master key, see Reenciphering a disk copy of a CKDS and changing the master key. For information about using the program to refresh the in-storage CKDS, see Refreshing the in-storage CKDS using a utility program.