Type: Migration
Initial State: Inactive
Interval: One Time
This is a migration check. The check detects the presence of retained
keys on the cryptographic coprocessors. Retained keys will not be
supported in subsequent releases of ICSF. Existing retained keys
will become unusable.
Retained keys are listed by coprocessor. The generated Health
Checker report lists the coprocessor serial number and the retained
key label. Existing retained keys must be replaced with RSA keys
stored in the PKDS rather than retained on the coprocessor.
The check output is obtained by selecting (s) on the Health Checker
menu:
CHECK(IBMICSF,ICSFMIG7731_ICSF_RETAINED_RSAKEY)
START TIME: 05/20/2011 08:16:29.689677
CHECK DATE: 20071201 CHECK SEVERITY: LOW
Coprocessor
Serial Retained key label
----------------------------------------------------------------------
93X06020 HCR7750.RKEY.RSA.CRT.1024MOD
93X06020 HCR7750.RKEY.RSA.CRT.1024MOD.SIGONLY
* Low Severity Exception *
CSFH0003E Cryptographic coprocessors were examined and found to
possess retained RSA Keys.
Explanation: Coprocessors online to this system were found to possess
one or more retained RSA keys, implying retained RSA keys are
potentially being used on this system. ICSF is deprecating its
retained RSA key support.
System Action: There is no effect on the system.
Operator Response: Report this exception to the System Programmer.
System Programmer Response: Alert the installation security
Administrator and application and middleware administrators for this
system.
Problem Determination: Investigate the cryptographic services
utilized by the workload executed on this system and determine which
application and middleware products use retained RSA key services
for key management use that would depend upon the key labels in the
report. Develop an immediate strategy to remove any dependencies on
creating new ICSF-supported retained RSA keys prior to migration to
ICSF release level HCR7750, and an eventual strategy to remove any
dependencies on ICSF-supported retained key interfaces.
Source: Integrated Cryptographic Service Facility (ICSF)
Reference Documentation: z/OS Cryptographic Services Integrated
Cryptographic Service Facility: Systems Programmers Guide (HCR7750
and later).
Automation: n/a
Check Reason: Detects use of retained RSA private keys.
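The report above can be turned into a per-coprocessor inventory of retained key labels to drive the replacement work. The following parser is an added example, not part of the ICSF documentation or product; the function names and regular expressions are assumptions based only on the report layout shown on this page.

```python
import re
from collections import defaultdict

# Sample input: the report text shown on this page, truncated after the message.
SAMPLE_REPORT = """\
CHECK(IBMICSF,ICSFMIG7731_ICSF_RETAINED_RSAKEY)
START TIME: 05/20/2011 08:16:29.689677
CHECK DATE: 20071201 CHECK SEVERITY: LOW
Coprocessor
Serial Retained key label
----------------------------------------------------------------------
93X06020 HCR7750.RKEY.RSA.CRT.1024MOD
93X06020 HCR7750.RKEY.RSA.CRT.1024MOD.SIGONLY
* Low Severity Exception *
CSFH0003E Cryptographic coprocessors were examined and found to
possess retained RSA Keys.
"""

# Assumed patterns, derived from the layout above.
CHECK_RE = re.compile(r"^\s*CHECK\((\w+),(\w+)\)")   # owner, check name
RULE_RE = re.compile(r"^\s*-{10,}\s*$")              # dashed table separator
ROW_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s*$")        # serial, key label
MSG_RE = re.compile(r"^\s*(CSFH\d{4}[A-Z])\b")       # message id, e.g. CSFH0003E

def parse_retained_key_report(text):
    """Return owner, check name, message ids and {serial: [labels]}."""
    result = {"owner": None, "check": None, "messages": [], "keys": defaultdict(list)}
    in_table = False
    for line in text.splitlines():
        if (m := CHECK_RE.match(line)):
            result["owner"], result["check"] = m.groups()
        elif RULE_RE.match(line):
            in_table = True                      # rows start after the separator
        elif in_table and (m := ROW_RE.match(line)):
            serial, label = m.groups()
            if label not in result["keys"][serial]:
                result["keys"][serial].append(label)
        else:
            in_table = False                     # first non-row line ends the table
            if (m := MSG_RE.match(line)):
                result["messages"].append(m.group(1))
    result["keys"] = dict(result["keys"])
    return result

def migration_worklist(parsed):
    """Sorted (serial, label) pairs: every retained key that needs a PKDS replacement."""
    return sorted((s, l) for s, labels in parsed["keys"].items() for l in labels)

if __name__ == "__main__":
    for serial, label in migration_worklist(parse_retained_key_report(SAMPLE_REPORT)):
        print(f"{serial}  {label}  -> replace with an RSA key stored in the PKDS")
```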