Type: Migration

Initial State: Inactive

Interval: One Time

This is a migration check. The check detects the presence of retained keys on the cryptographic coprocessors. Retained keys will not be supported in subsequent releases of ICSF. Existing retained keys will become unusable.

Retained keys are listed by coprocessor. The generated Health Checker report lists the coprocessor serial number and the retained key label. Existing retained keys must be replaced with RSA keys stored in the PKDS rather than retained on the coprocessor.

The check output is obtained by selecting (s) on the Health Checker menu:

CHECK(IBMICSF,ICSFMIG7731_ICSF_RETAINED_RSAKEY)                         
START TIME: 05/20/2011 08:16:29.689677                                  
CHECK DATE: 20071201  CHECK SEVERITY: LOW                               
Coprocessor                                                             
  Serial     Retained key label                                         
----------------------------------------------------------------------  
93X06020  HCR7750.RKEY.RSA.CRT.1024MOD                        
93X06020  HCR7750.RKEY.RSA.CRT.1024MOD.SIGONLY                         
                                                                        
* Low Severity Exception *                                              
                                                                        
CSFH0003E Cryptographic coprocessors were examined and found to         
possess retained RSA Keys.                                              
                                                                        
  Explanation:  Coprocessors online to this system were found to possess
    one or more retained RSA keys, implying retained RSA keys are       
    potentially being used on this system. ICSF is deprecating its      
    retained RSA key support.                                           
                                                                        
  System Action:  There is no effect on the system.                     
                                                                        
  Operator Response:  Report this exception to the System Programmer.   
                                                                        
  System Programmer Response:  Alert the installation security          
    Administrator and application and middleware administrators for this
    system. 

  Problem Determination:  Investigate the cryptographic services        
    utilized by the workload executed on this system and determine which
    application and middleware products use retained RSA key services   
    for key management use that would depend upon the key labels in the 
    report. Develop an immediate strategy to remove any dependencies on 
    creating new ICSF-supported retained RSA keys prior to migration to 
    ICSF release level HCR7750, and an eventual strategy to remove any  
    dependencies on ICSF-supported retained key interfaces.             
                                                                      
  Source:  Integrated Cryptographic Service Facility (ICSF)             
                                                                      
  Reference Documentation:  z/OS Cryptographic Services Integrated      
    Cryptographic Service Facility: Systems Programmers Guide (HCR7750  
    and later).                                                         
                                                                      
  Automation:  n/a                                                      
                                                                      
  Check Reason:  Detects use of retained RSA private keys.