ICSF provides invocation points where you can use installation
exits to perform processing that is specific to your installation.
For example, ICSF provides a preprocessing and postprocessing exit
invocation for each ICSF callable service. You can write and define
an exit to set return codes at postprocessing of a callable service.
You must define each installation exit in the installation options
data set. You define the ICSF name for the exit, the load module
name of the exit, and the action ICSF takes if the exit fails. You
can use the panels to view the ICSF name for each exit invocation.
For a defined exit, you view the exit's load module name and fail
options.
ICSF provides these types of exits:
- ICSF mainline exits
- Key generator utility program exit
- Callable services exits
- Cryptographic Key Data Set (CKDS) Conversion program exit
- Single-record, read-write exit
- CKDS retrieval exit
- Security exits
The mainline exits are called when you start and stop ICSF. The
key generator utility program exit is called during key generator
utility program processing. The callable services exits are called
during each of the callable services. The CKDS conversion program
exit is called during conversion of CUSP or PCF CKDS to ICSF CKDS
format. The single-record, read-write exit is called when an access to a single record
is made to a disk copy of the CKDS. The security exits are called
during initialization and stopping of ICSF, during a call to a callable
service, and during access of a CKDS entry.
For a detailed description of the ICSF exits, see z/OS Cryptographic Services ICSF System Programmer’s Guide.
To display installation exits:
- Select option 3, OPSTAT, on the Primary Option panel, as shown
in Figure 194.
Figure 194. Selecting the Installation Options and Hardware Status Option on the Primary Menu Panel
CSF@PRIM ---- Integrated Cryptographic Service Facility ---------
OPTION ===> 3
Enter the number of the desired option.
1 COPROCESSOR MGMT - Management of Cryptographic Coprocessors
2 MASTER KEY MGMT - Master key set or change, CKDS/PKDS processing
3 OPSTAT - Installation options
4 ADMINCNTL - Administrative Control Functions
5 UTILITY - ICSF Utilities
6 PPINIT - Pass Phrase Master Key/KDS Initialization
7 TKE - TKE Master and Operational key processing
8 KGUP - Key Generator Utility processes
9 UDX MGMT - Management of User Defined Extensions
Licensed Materials - Property of IBM
5694-A01 (C) Copyright IBM Corp. 1990, 2011. All rights reserved.
US Government Users Restricted Rights - Use, duplication or
disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Press ENTER to go to the selected option.
Press END to exit to the previous menu.
The Installation Options panel appears. Refer to Figure 195.
Figure 195. Installation Options Panel
CSFSOP00 ----------- ICSF - Installation Options --------
OPTION ===> 2
Enter the number of the desired option above.
1 OPTIONS - Display Installation Options
2 EXITS - Display Installation exits and exit options
3 SERVICES - Display Installation Defined Services
- Select option 2, Exits, on the Installation Options panel.
The
first of the Installation Exits Display panels appears. Refer to Figure 196.
Figure 196. First Installation Exits Display Panel
CSFSOP30 ------ ICSF - Installation Exits Display ---- ROW 1 TO 18 OF 70
COMMAND ===>
ICSF NAME LOAD MODULE OPTIONS
------------- ----------- -------
CSFAEGN *** No Exit Name was specified ***
CSFAKEX *** No Exit Name was specified ***
CSFAKIM *** No Exit Name was specified ***
CSFAKTR *** No Exit Name was specified ***
CSFATKN *** No Exit Name was specified ***
CSFCKDS *** No Exit Name was specified ***
CSFCKI *** No Exit Name was specified ***
CSFCKM *** No Exit Name was specified ***
CSFCONVX *** No Exit Name was specified ***
CSFCPA *** No Exit Name was specified ***
CSFCPE *** No Exit Name was specified ***
CSFCSG *** No Exit Name was specified ***
CSFCSV *** No Exit Name was specified ***
CSFCTT *** No Exit Name was specified ***
CSFCTT1 *** No Exit Name was specified ***
CSFCVE *** No Exit Name was specified ***
CSFCVT *** No Exit Name was specified ***
CSFDCO *** No Exit Name was specified ***
CSFDEC *** No Exit Name was specified ***
CSFDEC1 *** No Exit Name was specified ***
CSFDKG *** No Exit Name was specified ***
CSFDKM *** No Exit Name was specified ***
CSFDKX *** No Exit Name was specified ***
CSFDSG *** No Exit Name was specified ***
CSFDSV *** No Exit Name was specified ***
CSFDVPI *** No Exit Name was specified ***
CSFECO *** No Exit Name was specified ***
CSFEDC USEREDC NONE - Take no action, if this exit fails
The Installation Exits Display panel displays the ICSF name
for all the possible installation exits your installation can write.
- Scroll through the screens, to view all of the installation exits.
The
system programmer specified the exit identifier, the load-module-name,
and the failure option for each exit your installation uses with the
EXIT keyword in the installation options data set. On this panel,
you can view information about any exit that is specified in the installation
options data set. The exit identifier is the ICSF name for the exit.
Table 19 shows the names for some general ICSF exits. Table 20 and Table 21 show the ICSF name for each
callable service exit.
Table 19. General ICSF Exits and Exit IdentifiersGeneral ICSF Exit | Exit Identifier |
---|
Conversion Exit | CSFCONVX | Cryptographic Key Data Set Retrieval
Exit | CSFCKDS | Key Generator Utility Program Exit | CSFKGUP | Mainline Exits | CSFEXIT2, CSFEXIT3,
CSFEXIT4, CSFEXIT5 | Security Initialization Exit Point | CSFESECI | Security Key Exit Point | CSFESECK | Security Service Exit Point | CSFESECS | Security Termination Exit Point | CSFESECT | Single-record, Read-write Exit Point | CSFSRRW |
Table 20. Callable Service and its Exit IdentifierService | Exit Identifier |
---|
ANSI X9.17 EDC generate | CSFAEGN | ANSI X9.17 Key Export | CSFAKEX | ANSI X9.17 Key Import | CSFAKIM | ANSI X9.17 Key Translate | CSFAKTR | ANSI X9.17 Transport Key Partial
Notarize | CSFATKN | Clear PIN Encrypt | CSFCPE | Clear PIN Generate Alternate | CSFCPA | Clear Key Import | CSFCKI | Cipher/Decipher | CSFEDC | Cipher Text Translate | CSFCTT | Cipher Text Translate (with ALET) | CSFCTT1 | Control Vector Translate | CSFCVT | Cryptographic Variable Encipher | CSFCVE | CVV Key Combine | CSFCKC | Data Key Import | CSFDKM | Decode | CSFDCO | Decipher | CSFDEC | Decipher (with ALET) | CSFDEC1 | Data Key Export | CSFDKX | Digital Signature Generate | CSFDSG | Digital Signature Verify | CSFDSV | Diversified Key Generate | CSFDKG | ECC Diffie-Hellman | CSFEDH | Encode | CSFECO | Encipher under Master Key | CSFEMK | Encipher | CSFENC | Encipher (with ALET) | CSFENC1 | Encrypted PIN Generate | CSFEPG | HMAC Generate | CSFHMG | HMAC Verify | CSFHMV | Key Export | CSFKEX | Key Generate | CSFKGN | Key Generate2 | CSFKGN2 | Key Import | CSFKIM | Key Part Import | CSFKPI | Key Part Import2 | CSFKPI2 | Key Record Create | CSFKRC | Key Record Create2 | CSFKRC2 | Key Record Delete | CSFKRD | Key Record Read | CSFKRR | Key Record Read2 | CSFKRR2 | Key Record Write | CSFKRW | Key Record Write2 | CSFKRW2 | Key Test | CSFKYT | Key Test2 | CSFKYT2 | Key Test Extended | CSFKYTX | Key Translate | CSFKTR | MAC Generate | CSFMGN | MAC Generate (with ALET) | CSFMGN1 | MAC Verify | CSFMVR | MAC Verify (with ALET) | CSFMVR1 | MDC Generate | CSFMDG | MDC Generate (with ALET) | CSFMDG1 | Multiple Clear Key Import | CSFCKM | Multiple Secure Key Import | CSFSCKM | One-Way Hash Generate | CSFOWH | One-Way Hash Generate (with ALET) | CSFOWH1 | PCI Interface | CSFPCI | PIN Change/Unblock | CSFPCU | PIN Generate | CSFPGN | PIN Generate | CSFPGN | PIN Translate | CSFPTR | PIN Verify | CSFPVR | PKA Decrypt | CSFPKD | PKA Encrypt | CSFPKE | PKA Key Generate | CSFPKG | PKA Key Import | CSFPKI | PKA Key Token Change | CSFPKTC | PKA Key Translate | CSFPKT | PKDS Record Create | CSFPKRC | PKDS Record Delete | CSFPKRD | PKDS Record Read | CSFPKRR | PKDS Record Write | CSFPKRW | Prohibit Export | CSFPEX | Prohibit Export Extended | CSFPEXX | Random Number Generate | CSFRNG | Random Number Generate Long | CSFRNGL | Remote Key Export | CSFRKX | Restrict Key Attribute | CSFRKA | Retained Key Delete | CSFRKD | Retained Key List | CSFRKL | Secure Key Import | CSFSKI | Secure Key Import2 | CSFSKI2 | Secure Messaging for Keys | CSFSKY | Secure Messaging for PINs | CSFSPN | SET Block Compose | CSFSBC | SET Block Decompose | CSFSBD | Symmetric Algorithm Decipher | CSFSAD | Symmetric Algorithm Encipher | CSFSAE | Symmetric Key Generate | CSFSYG | Symmetric Key Import | CSFSYI | Symmetric Key Import2 | CSFSYI2 | Symmetric Key Export | CSFSYX | Symmetric MAC Generate | CSFSMG | Symmetric MAC Generate (with ALET) | CSFSMG1 | Symmetric MAC Verify | CSFSMV | Symmetric MAC Verify (with ALET) | CSFSMV1 | Transaction Validation | CSFTRV | Transform CDMF Key | CSFTCK | Trusted Block Create | CSFTBC | TR-31 Export | CSFT31X | TR-31 Import | CSFT31I | User Derived Key | CSFUDK | VISA CVV Service Generate | CSFCSG | VISA VISA CVV Service Verify | CSFCSV |
The load module name is the name of the module that
contains the exit. The LOAD MODULE column on the panel lists the load
module name for each exit. The OPTIONS column on this panel lists
the action to occur if the exit fails.
- To change the module name or failure option of an exit or add
a new exit when viewing this panel, access the installation options
data set. In the data set, change how you specified an exit or specify
a new exit and restart ICSF.
|