Installation options enable you to specify certain modes and conditions
to ICSF. For example, if your installation specifies YES for
the SSM option, you can enable special secure mode. You specify installation
options in the installation options data set. The ICSF startup procedure,
specifies the installation options data set to be used for that start
of ICSF. The options become active, when you start ICSF. You can
use the panels to view each installation option and its current value.
To display installation options:
- Select option 3, OPSTAT, on the Primary Option panel, as shown
in Figure 182.
Figure 182. Selecting the Installation Options on the Primary Menu Panel
CSF@PRIM ----- Integrated Cryptographic Service Facility ---------
OPTION ===> 3
Enter the number of the desired option.
1 COPROCESSOR MGMT - Management of Cryptographic Coprocessors
2 MASTER KEY MGMT - Master key set or change, CKDS/PKDS processing
3 OPSTAT - Installation options
4 ADMINCNTL - Administrative Control Functions
5 UTILITY - ICSF Utilities
6 PPINIT - Pass Phrase Master Key/KDS Initialization
7 TKE - TKE Master and Operational key processing
8 KGUP - Key Generator Utility processes
9 UDX MGMT - Management of User Defined Extensions
Licensed Materials - Property of IBM
5694-A01 (C) Copyright IBM Corp. 1990, 2011. All rights reserved.
US Government Users Restricted Rights - Use, duplication or
disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Press ENTER to go to the selected option.
Press END to exit to the previous menu.
The Installation Options panel appears. Refer to Figure 183.
Figure 183. Installation Options Panel
CSFSOP00 ----------- ICSF - Installation Options --------------
COMMAND ===> 1
Enter the number of the desired option above.
1 OPTIONS - Display Installation Options
2 EXITS - Display Installation exits and exit options
3 SERVICES - Display Installation Defined Services
- Select option 1, Options, on the Installation Options panel.
The
Installation Option Display panel, which is shown in Figure 184,
appears.
Figure 184. Installation Options Display Panel
CSFSOP10 ----------- ICSF - Installation Option Display ROW 1 TO 14 OF 15
COMMAND ===> SCROLL ===> PAGE
Active CKDS: CRYPTOR2.HCRICSF.CKDS
Active PKDS: CRYPTOR2.HCRICSF.PKDS
Active TKDS: CRYPTOR2.HCRICSF.TKDS
OPTION CURRENT VALUE
-------- -------------
CHECKAUTH RACF check authorized callers YES
COMPAT Allow CUSP/PCF Compatibility NO
DOMAIN Current domain index or usage domain index 0
KEYAUTH Key Authentication in effect YES
CKTAUTH CKT Authentication NO
SSM Allow Special Secure Mode YES
TRACEENTRY Number of trace entries active 599
USERPARM User specified parameter data USERPARM
REASONCODES Source of callable services reason codes ICSF
SYSPLEXCKDS Sysplex consistency for CKDS updates YES,FAIL(YES)
SYSPLEXPKDS Sysplex consistency for PKDS updates NO,FAIL(NO)
SYSPLEXTKDS Sysplex consistency for TKDS updates YES,FAIL(YES)
FIPSMODE Operate PKCS #11 in FIPS 140-2 mode YES,FAIL(YES)
DEFAULTWRAP Default symmetric key wrapping - internal ENHANCED
DEFAULTWRAP Default symmetric key wrapping - external ORIGINAL
WAITLIST Source of CICS Wait List if CICS installed default
******************************* BOTTOM OF DATA ********************************
This panel displays the keyword for each installation option, a
brief description, and the current value of the option.
You may want to change the current value of an installation option.
To change and activate an installation option, you must change the
option value in the installation options data set and restart ICSF.
For integrity reasons, a change of the DOMAIN option also requires
a re-IPL of MVS. For a complete description of these installation options and
the installation options data set, see z/OS Cryptographic Services ICSF System Programmer’s Guide.
The installation options data set that the system uses at ICSF startup
contains keywords and their values which specify certain installation
options. On this panel, you can view these options and their values:
- Active CKDS: (data-set-name)
- This specifies the
name of the CKDS the system uses during the startup of ICSF. On
the Installation Options Display panel, this data set name is called
the active CKDS.
- Active PKDS: (data-set-name)
- This specifies the name of the PKDS the system uses during
the startup of ICSF.
- Active TKDS: (data-set-name)
- This specifies the name of the TKDS the system uses during
the startup of ICSF.
- CHECKAUTH(YES or NO)
- Indicates
whether ICSF performs access control checking of Supervisor State
and System Key callers. If you specify CHECKAUTH(YES), ICSF issues
RACROUTE calls to perform the security access control checking and
the results are logged in RACF SMF records. If you specify CHECKAUTH(NO),
the authorization checks against resources in the CSFSERV class are
not performed resulting in a significant performance enhancement for
supervisor state and system key callers. However, the authorization
checks are not logged in the RACF SMF records. If you do not
specify the CHECKAUTH option, the default is CHECKAUTH(NO).
- Value
- Indication
- YES
- ICSF checks Supervisor State and System Key callers.
- NO
- ICSF does not check Supervisor State and System Key callers,
resulting in significant performance enhancement for applications
that use ICSF callable services.
- COMPAT(YES, NO, or COEXIST)
- Indicates whether ICSF is running in compatibility mode, noncompatibility
mode, or coexistence mode with the Programmed Cryptographic Facility
(PCF). If you do not specify the COMPAT option, the default value
is COMPAT(NO).
- Value
- Indication
- YES
- ICSF is running in compatibility mode, which means you can
run CUSP and PCF applications on ICSF because ICSF supports the
CUSP and PCF macros in this mode. You do not have to reassemble CUSP
and PCF applications to do this. However, you cannot start CUSP or
PCF at the same time as ICSF on the same MVS system.
- NO
- ICSF is running in noncompatibility mode, which means that
you run PCF applications on PCF and ICSF applications on ICSF.
You cannot run PCF applications on ICSF, because ICSF does not
support the PCF macros in this mode. You can start PCF at the same
time as ICSF on the same z/OS operating system. You can start ICSF and
then start PCF or you can start PCF and then start CSF. You should
use noncompatibility mode unless you are migrating from PCF to ICSF.
- COEXIST
- ICSF is running in coexistence mode. In this mode you can
run a PCF application on PCF, or you can reassemble the PCF application
to run on ICSF. To do this, you reassemble the application against
coexistence macros that are shipped with ICSF. In this mode, you
can start PCF at the same time as ICSF on the same MVS system.
- DOMAIN(n)
- Allows you to access one of several separate sets of master
key registers. Each domain contains these master key registers:
- A master key register that contains the active DES master key
- For the CCF, there is an auxiliary DES master key register that
holds either the old or new master key
- If you have a PCICC, there are symmetric master key registers
that hold both the old and new master key
- If you have a PCIXCC, CEX2C, or CEX3C, there are symmetric
master key registers that hold both the old and new master key
- A PKA key management master key register
- A PKA signature master key register
- If you have a PCICC, there are ASYM-MK registers for the new,
old, and current master key.
- If you have a PCIXCC, CEX2C, or CEX3C, there are ASYM-MK
registers for the new, old, and current master key.
You can use domains to have separate master keys for different
purposes.
You can use domains in basic mode or with PR/SM logical
partition (LPAR) mode. In basic mode, you access only one domain at
a time. You can specify a different master key in each domain. For
example, you might have one master key for production operations and
a different master key for test operations. In LPAR mode, you can
have a different domain for each partition. The number you specify
is the number of the domain to be used for this start of ICSF.
The
DOMAIN parameter is an optional parameter in the installation options
data set. It is required if more than one domain is specified as the
usage domain on the PR/SM panels or if running in native mode. If
you assign multiple domains to an LPAR, you can have separate master
keys for different purposes.
You use the Crypto page of the
Customize Activation Profile to assign a usage domain index (0 to
15) to a logical partition and enable cryptographic functions. The
DOMAIN number you specify in the installation options data set while
running in a partition must be the same number as the usage domain
index specified for the partition on the Crypto page. For more information
about logical partitions, see zSeries PR/SM Planning Guide.
To change and
activate the other installation options, you must restart ICSF.
In compatibility or coexistence mode, to change and activate the DOMAIN
option, you must also re-IPL MVS. A re-IPL ensures that a program
does not use a key that has been encrypted under a different master
key to access a cryptographic service.
- KEYAUTH(YES, NO or DISABLED)
- Indicates
whether or not ICSF should authenticate a key entry when it retrieves
one from the in-storage cryptographic key data set. If you do not
specify the KEYAUTH option, the default value is KEYAUTH(NO).
- Value
- Indication
- YES
- ICSF authenticates the keys. ICSF generates a message authentication
code (MAC) for each key entry in the CKDS whenever it creates or updates
the key entry. ICSF also performs a MAC verification to ensure that
the entry was not changed.
- NO
- ICSF does not authenticate keys retrieved from the in-storage
CKDS. ICSF gains a small enhancement of performance.
- DISABLED
- Record level authentication is disabled in the active CKDS,
or the active CKDS is a variable-length CKDS. This option is
disabled.
- CKTAUTH(YES, NO or DISABLED)
- Indicates
whether or not ICSF should authenticate each CKDS record when it
is read from DASD to create or refresh the in-storage CKDS. If you
do not specify the CKTAUTH option, the default value is CKTAUTH(NO).
- Value
- Indication
- YES
- If CKTAUTH(YES) - the MAC authentication code in each record
will be authenticated when the record is read from DASD to create
or refresh the in-storage CKDS.
- NO
- If CKTAUTH(NO) - MAC authentication is bypassed.
- DISABLED
- Record level authentication is disabled in the active CKDS,
or the active CKDS is a variable-length CKDS. This option is
disabled.
- SSM(YES or NO)
- Indicates whether or not an installation can ever enable special
secure mode during the running of ICSF. This mode lowers the security
of your system. It allows you to input clear keys by using KGUP, produce
clear PINs, use the Secure Key Import callable service and the initial
use of Pass Phrase. SSM(YES) for Pass Phrase is only required for
CCF systems. If you do not specify the SSM option, the default value
is SSM(NO).
- Value
- Indication
- YES
- Special secure mode is enabled. For z/OS ICSF, SSM(YES)
must be specified in order to use KGUP, Secure Key Import callable
service, Clear PIN Generate and the initial use of Pass Phrase. SSM(YES)
for Pass Phrase is only required for CCF systems.
- NO
- You cannot enable the special secure mode.
- TRACEENTRY(n)
- Specifies
the number, n, of trace buffers to allocate for ICSF tracing. n is
a decimal value. The range of valid values is 100 through 10000.
If
you do not specify the TRACEENTRY option, the default value is TRACEENTRY(1000).
- USERPARM(value)
- Displays the value of an 8-byte field that is defined for installation
use. ICSF stores this value in the CCVT_USERPARM field of the
Cryptographic Communication Vector Table (CCVT). An application program
or installation exit can examine this field and use it to set system
environment information.
- REASONCODES(ICSF or TSS)
- Specifies which set of reason codes the application interface
returns.
- Value
- Indication
- ICSF
- ICSF reason codes are returned.
- TSS
- TSS reason codes are returned.
ICSF is the default.
- SYSPLEXCKDS(YES or NO,FAIL(YES or NO))
- Displays the current value of the SYSPLEXCKDS option. The values
of the option can be YES or NO, with the default being NO. If SYSPLEXCKDS(NO,FAIL(fail-option))
is specified, no XCF signalling will be performed when an update to
a CKDS record occurs. If SYSPLEXCKDS(YES,FAIL(fail-option)) is specified,
the support described in CKDS management in a sysplex will occur.
The
fail-option can be specified as either YES or NO. If FAIL(YES) is
specified then ICSF initialization will end abnormally if the request
during ICSF initialization to join the ICSF sysplex group fails. If
FAIL(NO) is specified, then ICSF initialization processing will continue
even if the request to join the ICSF sysplex group fails. This system
will not be notified of updates to the CKDS by other members of the
ICSF sysplex group. The default is SYSPLEXCKDS(NO,FAIL(NO)).
- SYSPLEXPKDS(YES or NO,FAIL(YES or NO))
- Displays the current value of the SYSPLEXPKDS option. The values
of the option can be YES or NO, with the default being NO. If SYSPLEXPKDS(NO,FAIL(fail-option))
is specified, no XCF signalling will be performed when an update to
a PKDS record occurs. If SYSPLEXPKDS(YES,FAIL(fail-option)) is specified,
the support described in PKDS management in a sysplex will occur.
The
fail-option can be specified as either YES or NO. If FAIL(YES) is
specified then ICSF initialization will end abnormally if the request
during ICSF initialization to join the ICSF sysplex group fails. If
FAIL(NO) is specified, then ICSF initialization processing will continue
even if the request to join the ICSF sysplex group fails. This system
will not be notified of updates to the PKDS by other members of the
ICSF sysplex group. The default is SYSPLEXPKDS(NO,FAIL(NO)).
- SYSPLEXTKDS(YES or NO,FAIL(YES or NO))
- Displays the current value of the SYSPLEXTKDS option. The values
of the option can be YES or NO, with the default being NO. If SYSPLEXTKDS(NO,FAIL(fail-option))
is specified, no XCF signalling will be performed when an update to
a TKDS record occurs. If SYSPLEXTKDS(YES,FAIL(fail-option)) is specified,
the support described in TKDS management in a sysplex will
occur.
The fail-option can be specified as either YES or NO. If
FAIL(YES) is specified then ICSF initialization will end abnormally
if the request during ICSF initialization to join the ICSF sysplex
group fails. If FAIL(NO) is specified, then ICSF initialization processing
will continue even if the request to join the ICSF sysplex group fails.
This system will not be notified of updates to the TKDS by other members
of the ICSF sysplex group. The default is SYSPLEXTKDS(NO,FAIL(NO)).
- FIPSMODE(YES or COMPAT or NO,FAIL(fail-option))
- Indicates whether z/OS PKCS #11 services must run in compliance
with the Federal Information Processing Standard Security Requirements
for Cryptographic Modules, referred to as FIPS 140-2. FIPS 140-2,
published by the National Institute of Standards and Technology (NIST),
is a standard that defines rules and restrictions for how cryptographic
modules should protect sensitive or valuable information.
By configuring
z/OS PKCS #11 services to operate in compliance with FIPS 140-2
specifications, installations or individual applications can use the
z/OS PKCS #11 services in a way that allows only the cryptographic
algorithms (including key sizes) approved by the standard, and restricts
access to the algorithms that are not approved. For more information,
refer to z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.
- DEFAULTWRAP(internal_wrapping_method,external_wrapping_method)
- Specifies the default key wrapping for DES keys. Any token generated
or updated by a service will be wrapped using the specified method
unless overridden by rule array keyword or a skeleton token. The default
wrapping method for internal and external tokens is specified independently.
Valid
values for internal_wrapping_method and external_wrapping_method are:
- ORIGINAL
- Specifies the original CCA token wrapping be used: ECB wrapping
for DES.
- ENHANCED
- Specifies the new X9.24 compliant CBC wrapping used. Note that
the enhanced wrapping method requires a z196 with a CEX3C.
- WAITLIST(value)
- Displays the current value of the WAITLIST option. If WAITLIST
is coded, the value will be 'dataset' and a second line will
contain the name of the specified Wait List data set. If WAITLIST
is not coded, the value will be 'default'. If the data set specified
by the WAITLIST option cannot be allocated or opened, the value
will also be 'default'.
For more information about the ICSF startup procedure and
installation options, see z/OS Cryptographic Services ICSF System Programmer’s Guide.
At any time while you are running ICSF, you can check the current
value of these installation options.
The installation exits and installation-defined callable services
are also specified in the installation options data set, but they
are not displayed on this panel. For a description of how to display
the installation exit information, see Displaying installation exits. For a description
of how to display installation-defined callable service information,
see Displaying installation-defined callable services.
|