This document contains information previously presented in z/OS ICSF Administrator's Guide, SA22-7521-15,
which supports z/OS Version 1 Release 12.
This document is for ICSF FMID HCR7790. This release of ICSF runs
on z/OS V1R11, z/OS V1R12, and z/OS V1R13, and only on zSeries hardware.
New information
- Added support for AES CIPHER keys, AES EXPORTER and AES IMPORTER
keys. These are variable-length AES keys up to 725 bytes in
length, and require a CEX3C and the Sep. 2011 or later licensed internal
code (LIC). To store these keys in the CKDS, the CKDS must first have
been converted to the variable-length record format. ICSF provides
a CKDS conversion program, CSFCNV2, that converts a fixed-length record
format CKDS to a variable-length record format. For more information
in this utility, refer to z/OS Cryptographic Services ICSF System Programmer’s Guide.
- Added support for dynamic change of the RSA master key on z196
systems with CEX3C coprocessors and the Sep. 2011 licensed internal
code (LIC). Refer to Changes concerning the RSA master key (RSA-MK).
- Added new panels to simplify CKDS administration. The coordinated
CKDS administration panels simplify the process for changing the CKDS
master keys and performing CKDS refreshes. Tasks that had once been
distinct and spread over multiple panels and manual steps are combined
into a single panel. In a sysplex environment, these new panels enable
you to drive a CKDS change master key operation or a CKDS refresh
operation from a single instance of ICSF across all sysplex members
sharing the same active CKDS. For more information, refer to Symmetric Master Keys and the CKDS and Changing symmetric master keys and refreshing the CKDS when
the CKDS is shared in a sysplex environment.
- A new message, CSFC0316, is generated for a CKDS reencipher fail.
The message specifies the CKDS entry being processed at the time of
the fail.
- New health checks for informing the user of potential ICSF problems
have been added. See Using ICSF Health Checks for more information.
Changed information
- New profiles in the CSFSERV general resource class for covering
the resources associated with new callable services. Refer to Setting up profiles in the CSFSERV general resource class.
- References to the IBM zSeries 800 (z800) do not appear in this information.
Be aware that the documented notes and restrictions for the IBM zSeries 900 (z900)
also apply to the z800.
|