z/OS Cryptographic Services ICSF Administrator's Guide


Displaying installation options

SA22-7521-17

Installation options enable you to specify certain modes and conditions to ICSF. For example, if your installation specifies YES for the SSM option, you can enable special secure mode. You specify installation options in the installation options data set. The ICSF startup procedure specifies the installation options data set to be used for that start of ICSF. The options become active when you start ICSF. You can use the panels to view each installation option and its current value.

To display installation options:

  1. Select option 3, OPSTAT, on the Primary Option panel, as shown in Figure 182.
    Figure 182. Selecting the Installation Options on the Primary Menu Panel
     CSF@PRIM ----- Integrated Cryptographic Service Facility  ---------
     OPTION ===> 3
    
     Enter the number of the desired option.
    
       1  COPROCESSOR MGMT    -  Management of Cryptographic Coprocessors
       2  MASTER KEY MGMT     -  Master key set or change, CKDS/PKDS processing
       3  OPSTAT              -  Installation options
       4  ADMINCNTL           -  Administrative Control Functions
       5  UTILITY             -  ICSF Utilities
       6  PPINIT              -  Pass Phrase Master Key/KDS Initialization
       7  TKE                 -  TKE Master and Operational key processing
       8  KGUP                -  Key Generator Utility processes
       9  UDX MGMT            -  Management of User Defined Extensions 
    
           Licensed Materials - Property of IBM
    
          5694-A01 (C) Copyright IBM Corp. 1990, 2011. All rights reserved.
          US Government Users Restricted Rights - Use, duplication or
          disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
    
     Press ENTER to go to the selected option.
     Press END   to exit to the previous menu.
     

    The Installation Options panel appears. Refer to Figure 183.

    Figure 183. Installation Options Panel
     CSFSOP00 ----------- ICSF - Installation Options --------------
     COMMAND ===> 1
    
     Enter the number of the desired option above.
    
       1  OPTIONS  -  Display Installation Options
       2  EXITS    -  Display Installation exits and exit options
       3  SERVICES -  Display Installation Defined Services
      
  2. Select option 1, Options, on the Installation Options panel.

    The Installation Option Display panel, which is shown in Figure 184, appears.

Figure 184. Installation Options Display Panel
 CSFSOP10 ----------- ICSF - Installation Option Display  ROW 1 TO 14 OF 15
 COMMAND ===>                                                  SCROLL ===> PAGE 
        Active CKDS: CRYPTOR2.HCRICSF.CKDS
        Active PKDS: CRYPTOR2.HCRICSF.PKDS 
        Active TKDS: CRYPTOR2.HCRICSF.TKDS
   OPTION                                                CURRENT VALUE
  --------                                               -------------
   CHECKAUTH    RACF check authorized callers                YES
   COMPAT       Allow CUSP/PCF Compatibility                 NO
   DOMAIN       Current domain index or usage domain index   0
   KEYAUTH      Key Authentication in effect                 YES
   CKTAUTH      CKT Authentication                           NO  
   SSM          Allow Special Secure Mode                    YES
   TRACEENTRY   Number of trace entries active               599
   USERPARM     User specified parameter data                USERPARM
   REASONCODES  Source of callable services reason codes     ICSF
   SYSPLEXCKDS  Sysplex consistency for CKDS updates         YES,FAIL(YES)
   SYSPLEXPKDS  Sysplex consistency for PKDS updates         NO,FAIL(NO)
   SYSPLEXTKDS  Sysplex consistency for TKDS updates         YES,FAIL(YES)
   FIPSMODE     Operate PKCS #11 in FIPS 140-2 mode          YES,FAIL(YES)
   DEFAULTWRAP  Default symmetric key wrapping - internal    ENHANCED
   DEFAULTWRAP  Default symmetric key wrapping - external    ORIGINAL
   WAITLIST     Source of CICS Wait List if CICS installed   default
     
 ******************************* BOTTOM OF DATA ********************************
 

This panel displays the keyword for each installation option, a brief description, and the current value of the option.

You may want to change the current value of an installation option. To change and activate an installation option, you must change the option value in the installation options data set and restart ICSF. For integrity reasons, a change of the DOMAIN option also requires a re-IPL of MVS. For a complete description of these installation options and the installation options data set, see z/OS Cryptographic Services ICSF System Programmer’s Guide.

The installation options data set that the system uses at ICSF startup contains keywords and their values which specify certain installation options. On this panel, you can view these options and their values:

Active CKDS: (data-set-name)
This specifies the name of the CKDS the system uses during the startup of ICSF. On the Installation Options Display panel, this data set name is called the active CKDS.
Active PKDS: (data-set-name)
This specifies the name of the PKDS the system uses during the startup of ICSF.
Active TKDS: (data-set-name)
This specifies the name of the TKDS the system uses during the startup of ICSF.
CHECKAUTH(YES or NO)
Indicates whether ICSF performs access control checking of Supervisor State and System Key callers. If you specify CHECKAUTH(YES), ICSF issues RACROUTE calls to perform the security access control checking and the results are logged in RACF SMF records. If you specify CHECKAUTH(NO), the authorization checks against resources in the CSFSERV class are not performed resulting in a significant performance enhancement for supervisor state and system key callers. However, the authorization checks are not logged in the RACF SMF records. If you do not specify the CHECKAUTH option, the default is CHECKAUTH(NO).
  Value   Indication
  YES     ICSF checks Supervisor State and System Key callers.
  NO      ICSF does not check Supervisor State and System Key callers, resulting in a significant performance enhancement for applications that use ICSF callable services.
COMPAT(YES, NO, or COEXIST)
Indicates whether ICSF is running in compatibility mode, noncompatibility mode, or coexistence mode with the Programmed Cryptographic Facility (PCF). If you do not specify the COMPAT option, the default value is COMPAT(NO).
  Value    Indication
  YES      ICSF is running in compatibility mode, which means you can run CUSP and PCF applications on ICSF because ICSF supports the CUSP and PCF macros in this mode. You do not have to reassemble CUSP and PCF applications to do this. However, you cannot start CUSP or PCF at the same time as ICSF on the same MVS system.
  NO       ICSF is running in noncompatibility mode, which means that you run PCF applications on PCF and ICSF applications on ICSF. You cannot run PCF applications on ICSF, because ICSF does not support the PCF macros in this mode. You can start PCF at the same time as ICSF on the same z/OS operating system. You can start ICSF and then start PCF, or you can start PCF and then start ICSF. You should use noncompatibility mode unless you are migrating from PCF to ICSF.
  COEXIST  ICSF is running in coexistence mode. In this mode you can run a PCF application on PCF, or you can reassemble the PCF application to run on ICSF. To do this, you reassemble the application against coexistence macros that are shipped with ICSF. In this mode, you can start PCF at the same time as ICSF on the same MVS system.
DOMAIN(n)
Allows you to access one of several separate sets of master key registers. Each domain contains these master key registers:
  • A master key register that contains the active DES master key
  • For the CCF, there is an auxiliary DES master key register that holds either the old or new master key
  • If you have a PCICC, there are symmetric master key registers that hold both the old and new master key
  • If you have a PCIXCC, CEX2C, or CEX3C, there are symmetric master key registers that hold both the old and new master key
  • A PKA key management master key register
  • A PKA signature master key register
  • If you have a PCICC, there are ASYM-MK registers for the new, old, and current master key.
  • If you have a PCIXCC, CEX2C, or CEX3C, there are ASYM-MK registers for the new, old, and current master key.

You can use domains to have separate master keys for different purposes.

You can use domains in basic mode or with PR/SM logical partition (LPAR) mode. In basic mode, you access only one domain at a time. You can specify a different master key in each domain. For example, you might have one master key for production operations and a different master key for test operations. In LPAR mode, you can have a different domain for each partition. The number you specify is the number of the domain to be used for this start of ICSF.

The DOMAIN parameter is an optional parameter in the installation options data set. It is required if more than one domain is specified as the usage domain on the PR/SM panels or if running in native mode. If you assign multiple domains to an LPAR, you can have separate master keys for different purposes.

You use the Crypto page of the Customize Activation Profile to assign a usage domain index (0 to 15) to a logical partition and enable cryptographic functions. The DOMAIN number you specify in the installation options data set while running in a partition must be the same number as the usage domain index specified for the partition on the Crypto page. For more information about logical partitions, see zSeries PR/SM Planning Guide.

To change and activate the other installation options, you must restart ICSF. In compatibility or coexistence mode, to change and activate the DOMAIN option, you must also re-IPL MVS. A re-IPL ensures that a program does not use a key that has been encrypted under a different master key to access a cryptographic service.

KEYAUTH(YES, NO or DISABLED)
Indicates whether or not ICSF should authenticate a key entry when it retrieves one from the in-storage cryptographic key data set. If you do not specify the KEYAUTH option, the default value is KEYAUTH(NO).
  Value     Indication
  YES       ICSF authenticates the keys. ICSF generates a message authentication code (MAC) for each key entry in the CKDS whenever it creates or updates the key entry. ICSF also performs a MAC verification to ensure that the entry was not changed.
  NO        ICSF does not authenticate keys retrieved from the in-storage CKDS. ICSF gains a small enhancement of performance.
  DISABLED  Record level authentication is disabled in the active CKDS, or the active CKDS is a variable-length CKDS. This option is disabled.
CKTAUTH(YES, NO or DISABLED)
Indicates whether or not ICSF should authenticate each CKDS record when it is read from DASD to create or refresh the in-storage CKDS. If you do not specify the CKTAUTH option, the default value is CKTAUTH(NO).
  Value     Indication
  YES       The MAC in each record is verified when the record is read from DASD to create or refresh the in-storage CKDS.
  NO        MAC verification is bypassed when records are read from DASD.
  DISABLED  Record level authentication is disabled in the active CKDS, or the active CKDS is a variable-length CKDS. This option is disabled.
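KEYAUTH and CKTAUTH both rely on the per-record MAC that ICSF writes into the CKDS: CKTAUTH decides whether that MAC is checked when records are loaded from DASD, KEYAUTH whether it is checked again when a key is retrieved from the in-storage copy. The following Python simulation is an added illustration and is not ICSF code: it uses HMAC-SHA256 in place of the hardware-generated record MAC (an assumption for illustration only) and constructs three sample records, one of which was altered on DASD after its MAC was written, to show which combinations of the two options let the altered record through.

```python
import hmac
import hashlib

# Constructed stand-in for the authentication key ICSF would use to MAC CKDS
# records.  Real ICSF computes the record MAC in the cryptographic hardware;
# HMAC-SHA256 under a fixed key is an assumption made for this illustration.
RECORD_MAC_KEY = b"constructed-record-mac-key"


def record_mac(label: str, key_type: str, wrapped_key: bytes) -> bytes:
    """MAC over the record fields that must not change between write and read."""
    data = label.encode("ascii") + b"\x00" + key_type.encode("ascii") + b"\x00" + wrapped_key
    return hmac.new(RECORD_MAC_KEY, data, hashlib.sha256).digest()


def make_record(label: str, key_type: str, wrapped_key: bytes) -> dict:
    """Build a CKDS-style record with its MAC, as ICSF does under KEYAUTH(YES)."""
    return {"label": label, "type": key_type, "key": wrapped_key,
            "mac": record_mac(label, key_type, wrapped_key)}


def mac_is_valid(rec: dict) -> bool:
    return hmac.compare_digest(rec["mac"], record_mac(rec["label"], rec["type"], rec["key"]))


def load_ckds(dasd_records: list, cktauth: bool):
    """Simulate building the in-storage CKDS from DASD.
    With CKTAUTH(YES) every record's MAC is verified before the record is accepted;
    with CKTAUTH(NO) records are loaded unchecked.  Returns (in_storage, rejected_labels)."""
    in_storage, rejected = {}, []
    for rec in dasd_records:
        if cktauth and not mac_is_valid(rec):
            rejected.append(rec["label"])
            continue
        in_storage[rec["label"]] = rec
    return in_storage, rejected


def retrieve_key(in_storage: dict, label: str, keyauth: bool) -> bytes:
    """Simulate a key lookup from the in-storage CKDS.
    With KEYAUTH(YES) the MAC is checked again at retrieval time."""
    rec = in_storage[label]
    if keyauth and not mac_is_valid(rec):
        raise ValueError(f"record {label} failed MAC verification")
    return rec["key"]


def sample_dasd_records() -> list:
    """Constructed sample: two intact records and one whose wrapped key bytes were
    changed on DASD after its MAC was computed (the first byte is flipped)."""
    good1 = make_record("PROD.DATA.KEY", "DATA", bytes.fromhex("00112233445566778899aabbccddeeff"))
    good2 = make_record("TEST.MAC.KEY", "MAC", bytes.fromhex("ffeeddccbbaa99887766554433221100"))
    tampered = make_record("TAMPERED.KEY", "DATA", bytes.fromhex("0123456789abcdef0123456789abcdef"))
    altered_key = bytes([tampered["key"][0] ^ 0x80]) + tampered["key"][1:]
    tampered = dict(tampered, key=altered_key)  # MAC still covers the original bytes
    return [good1, good2, tampered]


def outcome(cktauth: bool, keyauth: bool) -> str:
    """Summarise what happens to the altered record under one option combination."""
    in_storage, rejected = load_ckds(sample_dasd_records(), cktauth)
    if "TAMPERED.KEY" in rejected:
        return "rejected at load (CKTAUTH)"
    try:
        retrieve_key(in_storage, "TAMPERED.KEY", keyauth)
    except ValueError:
        return "rejected at retrieval (KEYAUTH)"
    return "altered key returned to caller"


if __name__ == "__main__":
    for cktauth in (True, False):
        for keyauth in (True, False):
            print(f"CKTAUTH({'YES' if cktauth else 'NO'}) KEYAUTH({'YES' if keyauth else 'NO'}): "
                  f"{outcome(cktauth, keyauth)}")
```

Only the CKTAUTH(NO) and KEYAUTH(NO) combination hands the altered wrapped key to the caller; the other three reject it, at load time or at retrieval time. The performance saving the panel text mentions for KEYAUTH(NO) is the cost of the retrieval-time check that this simulation skips.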
SSM(YES or NO)
Indicates whether or not an installation can ever enable special secure mode during the running of ICSF. This mode lowers the security of your system. It allows you to enter clear keys by using KGUP, produce clear PINs, use the Secure Key Import callable service, and perform the initial use of Pass Phrase. SSM(YES) for Pass Phrase is only required for CCF systems. If you do not specify the SSM option, the default value is SSM(NO).
  Value   Indication
  YES     Special secure mode is enabled. For z/OS ICSF, SSM(YES) must be specified in order to use KGUP, the Secure Key Import callable service, Clear PIN Generate, and the initial use of Pass Phrase. SSM(YES) for Pass Phrase is only required for CCF systems.
  NO      You cannot enable the special secure mode.
TRACEENTRY(n)
Specifies the number, n, of trace buffers to allocate for ICSF tracing. n is a decimal value. The range of valid values is 100 through 10000.

If you do not specify the TRACEENTRY option, the default value is TRACEENTRY(1000).

USERPARM(value)
Displays the value of an 8-byte field that is defined for installation use. ICSF stores this value in the CCVT_USERPARM field of the Cryptographic Communication Vector Table (CCVT). An application program or installation exit can examine this field and use it to set system environment information.
REASONCODES(ICSF or TSS)
Specifies which set of reason codes the application interface returns.
  Value   Indication
  ICSF    ICSF reason codes are returned. ICSF is the default.
  TSS     TSS reason codes are returned.
SYSPLEXCKDS(YES or NO,FAIL(YES or NO))
Displays the current value of the SYSPLEXCKDS option. The values of the option can be YES or NO, with the default being NO. If SYSPLEXCKDS(NO,FAIL(fail-option)) is specified, no XCF signalling will be performed when an update to a CKDS record occurs. If SYSPLEXCKDS(YES,FAIL(fail-option)) is specified, the support described in CKDS management in a sysplex will occur.

The fail-option can be specified as either YES or NO. If FAIL(YES) is specified then ICSF initialization will end abnormally if the request during ICSF initialization to join the ICSF sysplex group fails. If FAIL(NO) is specified, then ICSF initialization processing will continue even if the request to join the ICSF sysplex group fails. This system will not be notified of updates to the CKDS by other members of the ICSF sysplex group. The default is SYSPLEXCKDS(NO,FAIL(NO)).

SYSPLEXPKDS(YES or NO,FAIL(YES or NO))
Displays the current value of the SYSPLEXPKDS option. The values of the option can be YES or NO, with the default being NO. If SYSPLEXPKDS(NO,FAIL(fail-option)) is specified, no XCF signalling will be performed when an update to a PKDS record occurs. If SYSPLEXPKDS(YES,FAIL(fail-option)) is specified, the support described in PKDS management in a sysplex will occur.

The fail-option can be specified as either YES or NO. If FAIL(YES) is specified then ICSF initialization will end abnormally if the request during ICSF initialization to join the ICSF sysplex group fails. If FAIL(NO) is specified, then ICSF initialization processing will continue even if the request to join the ICSF sysplex group fails. This system will not be notified of updates to the PKDS by other members of the ICSF sysplex group. The default is SYSPLEXPKDS(NO,FAIL(NO)).

SYSPLEXTKDS(YES or NO,FAIL(YES or NO))
Displays the current value of the SYSPLEXTKDS option. The values of the option can be YES or NO, with the default being NO. If SYSPLEXTKDS(NO,FAIL(fail-option)) is specified, no XCF signalling will be performed when an update to a TKDS record occurs. If SYSPLEXTKDS(YES,FAIL(fail-option)) is specified, the support described in TKDS management in a sysplex will occur.

The fail-option can be specified as either YES or NO. If FAIL(YES) is specified then ICSF initialization will end abnormally if the request during ICSF initialization to join the ICSF sysplex group fails. If FAIL(NO) is specified, then ICSF initialization processing will continue even if the request to join the ICSF sysplex group fails. This system will not be notified of updates to the TKDS by other members of the ICSF sysplex group. The default is SYSPLEXTKDS(NO,FAIL(NO)).

FIPSMODE(YES or COMPAT or NO,FAIL(fail-option))
Indicates whether z/OS PKCS #11 services must run in compliance with the Federal Information Processing Standard Security Requirements for Cryptographic Modules, referred to as FIPS 140-2. FIPS 140-2, published by the National Institute of Standards and Technology (NIST), is a standard that defines rules and restrictions for how cryptographic modules should protect sensitive or valuable information.

By configuring z/OS PKCS #11 services to operate in compliance with FIPS 140-2 specifications, installations or individual applications can use the z/OS PKCS #11 services in a way that allows only the cryptographic algorithms (including key sizes) approved by the standard, and restricts access to the algorithms that are not approved. For more information, refer to z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.

DEFAULTWRAP(internal_wrapping_method,external_wrapping_method)
Specifies the default key wrapping for DES keys. Any token generated or updated by a service will be wrapped using the specified method unless overridden by rule array keyword or a skeleton token. The default wrapping method for internal and external tokens is specified independently.

Valid values for internal_wrapping_method and external_wrapping_method are:

ORIGINAL
Specifies that the original CCA token wrapping is used: ECB wrapping for DES.
ENHANCED
Specifies that the new X9.24 compliant CBC wrapping is used. Note that the enhanced wrapping method requires a z196 with a CEX3C.
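The difference between the two wrapping methods is the block mode used to encrypt the key under the key-encrypting key. With ECB each 8-byte part of a DES key is encrypted on its own, so a token leaks whether two of its key parts are equal (for example a triple-length key whose third part repeats the first); CBC chains the parts so the wrapped blocks reveal no such structure. The following Python code is an added illustration, not CCA or ICSF code: it uses a toy 64-bit Feistel block function built from SHA-256 as a stand-in for the KEK encryption (an assumption; it is not DES and not a real cipher) and constructed key values, and counts repeated ciphertext blocks in an ECB-wrapped versus a CBC-wrapped token.

```python
import hashlib

BLOCK = 8  # DES block size in bytes; each DES key part is one block


def block_encrypt(kek: bytes, block: bytes) -> bytes:
    """Toy 64-bit block function: an 8-round Feistel network with a SHA-256 round
    function.  It stands in for the DES/TDES encryption under the KEK and is NOT
    a real cipher; only the ECB-versus-CBC structure around it matters here."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for rnd in range(8):
        subkey = hashlib.sha256(kek + bytes([rnd])).digest()
        f = hashlib.sha256(subkey + right).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def wrap_ecb(kek: bytes, key: bytes) -> bytes:
    """ORIGINAL-style wrapping: every key part is encrypted independently (ECB),
    so equal parts produce equal wrapped blocks."""
    return b"".join(block_encrypt(kek, part) for part in _blocks(key))


def wrap_cbc(kek: bytes, key: bytes, iv: bytes = bytes(BLOCK)) -> bytes:
    """ENHANCED-style wrapping as far as the block mode goes: CBC chaining makes
    each wrapped block depend on all preceding parts.  The zero IV is a
    simplification of this illustration, not a statement about CCA."""
    out, prev = [], iv
    for part in _blocks(key):
        prev = block_encrypt(kek, bytes(a ^ b for a, b in zip(part, prev)))
        out.append(prev)
    return b"".join(out)


def repeated_blocks(wrapped: bytes) -> int:
    """Number of wrapped blocks that duplicate an earlier block in the same token."""
    blocks = _blocks(wrapped)
    return len(blocks) - len(set(blocks))


# Constructed sample values (not from any real system).
KEK = bytes.fromhex("00112233445566778899aabbccddeeff")
K1 = bytes.fromhex("0123456789abcdef")
K2 = bytes.fromhex("fedcba9876543210")
TWO_KEY_TDES = K1 + K2 + K1  # triple-length key whose third part repeats the first


def wrapping_report(kek: bytes = KEK, key: bytes = TWO_KEY_TDES) -> dict:
    """Compare how much key-part structure each wrapping method exposes."""
    return {"ecb_repeats": repeated_blocks(wrap_ecb(kek, key)),
            "cbc_repeats": repeated_blocks(wrap_cbc(kek, key))}


if __name__ == "__main__":
    print(wrapping_report())
```

For the sample key, the ECB-wrapped token contains one repeated block (parts 1 and 3 are identical and wrap identically), while the CBC-wrapped token contains none. Two caveats keep the toy honest: CBC with a fixed IV still exposes whether two different tokens begin with the same part, and CBC on its own gives no integrity protection; the enhanced method's remaining properties are outside what this example shows.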
WAITLIST(value)
Displays the current value of the WAITLIST option. If WAITLIST is coded, the value will be 'dataset' and a second line will contain the name of the specified Wait List data set. If WAITLIST is not coded, the value will be 'default'. If the data set specified by the WAITLIST option cannot be allocated or opened, the value will also be 'default'.
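The keywords listed above are what ICSF reads from the installation options data set at startup. The following Python script is an added illustration that is not part of this guide or of ICSF: it parses a constructed options data set written in the KEYWORD(value) form shown on the display panel, applies the defaults this topic documents for omitted keywords, and reports the settings this topic describes as lowering security, skipping checks, or tolerating failures (CHECKAUTH(NO), SSM(YES), KEYAUTH(NO), CKTAUTH(NO), COMPAT other than NO, SYSPLEXxKDS(YES,FAIL(NO)), an ORIGINAL DEFAULTWRAP method, FIPSMODE other than YES, and a TRACEENTRY value outside 100 through 10000). The /* ... */ comment syntax, one keyword per line, and the CKDSN, PKDSN and TKDSN keywords in the sample are assumptions; the System Programmer's Guide is authoritative for the data set's real syntax.

```python
import re

# Defaults this topic states for keywords that are omitted from the data set.
# FIPSMODE and DEFAULTWRAP have no default stated here, so they are only
# audited when present.
DEFAULTS = {
    "CHECKAUTH": "NO", "COMPAT": "NO", "KEYAUTH": "NO", "CKTAUTH": "NO",
    "SSM": "NO", "TRACEENTRY": "1000", "REASONCODES": "ICSF",
    "SYSPLEXCKDS": "NO,FAIL(NO)", "SYSPLEXPKDS": "NO,FAIL(NO)",
    "SYSPLEXTKDS": "NO,FAIL(NO)",
}

# Constructed sample data set (not from a real system).  The comment syntax and
# the CKDSN/PKDSN/TKDSN keywords are assumptions for this illustration.
SAMPLE_OPTIONS = """\
/* Constructed sample installation options data set */
CKDSN(CRYPTOR2.HCRICSF.CKDS)   /* assumed keyword naming the active CKDS */
PKDSN(CRYPTOR2.HCRICSF.PKDS)
TKDSN(CRYPTOR2.HCRICSF.TKDS)
COMPAT(NO)
DOMAIN(0)
SSM(YES)
KEYAUTH(YES)
TRACEENTRY(599)
SYSPLEXCKDS(YES,FAIL(NO))
FIPSMODE(YES,FAIL(YES))
DEFAULTWRAP(ENHANCED,ORIGINAL)
"""


def parse_options(text: str) -> dict:
    """Parse KEYWORD(value) lines into a dict.  Nested parentheses such as
    FAIL(YES) are kept inside the value; blanks are removed and values upper-cased."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # strip /* ... */ comments
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Z0-9]+)\((.*)\)", line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        opts[m.group(1)] = m.group(2).replace(" ", "").upper()
    return opts


def effective_options(opts: dict) -> dict:
    """Apply the documented defaults for omitted keywords."""
    return {**DEFAULTS, **opts}


def split_sysplex(value: str) -> tuple:
    """'YES,FAIL(NO)' -> ('YES', 'NO'); a bare YES/NO takes the FAIL(NO) default."""
    m = re.fullmatch(r"(YES|NO)(?:,FAIL\((YES|NO)\))?", value)
    if not m:
        raise ValueError(f"bad sysplex option value: {value}")
    return m.group(1), m.group(2) or "NO"


def audit(opts: dict) -> list:
    """Return (keyword, finding) pairs for settings this topic flags as weaker."""
    eff = effective_options(opts)
    findings = []
    if eff["CHECKAUTH"] == "NO":
        findings.append(("CHECKAUTH", "CSFSERV checks for supervisor-state and system-key callers are skipped and not logged to SMF"))
    if eff["SSM"] == "YES":
        findings.append(("SSM", "special secure mode can be enabled (clear keys via KGUP, clear PINs, Secure Key Import)"))
    if eff["KEYAUTH"] == "NO":
        findings.append(("KEYAUTH", "CKDS record MACs are not verified on retrieval from the in-storage CKDS"))
    if eff["CKTAUTH"] == "NO":
        findings.append(("CKTAUTH", "CKDS record MACs are not verified when records are read from DASD"))
    if eff["COMPAT"] != "NO":
        findings.append(("COMPAT", "PCF compatibility or coexistence mode; use NO unless migrating from PCF"))
    for kw in ("SYSPLEXCKDS", "SYSPLEXPKDS", "SYSPLEXTKDS"):
        enabled, fail = split_sysplex(eff[kw])
        if enabled == "YES" and fail == "NO":
            findings.append((kw, "ICSF starts even if joining the sysplex group fails, so KDS updates from other members are missed"))
    if "DEFAULTWRAP" in eff:
        internal, external = eff["DEFAULTWRAP"].split(",")
        for which, method in (("internal", internal), ("external", external)):
            if method == "ORIGINAL":
                findings.append(("DEFAULTWRAP", f"{which} tokens default to ORIGINAL (ECB) DES key wrapping"))
    if "FIPSMODE" in eff and not eff["FIPSMODE"].startswith("YES"):
        findings.append(("FIPSMODE", "PKCS #11 services are not restricted to FIPS 140-2 approved algorithms"))
    n = int(eff["TRACEENTRY"])
    if not 100 <= n <= 10000:
        findings.append(("TRACEENTRY", f"{n} is outside the valid range 100 through 10000"))
    return findings


if __name__ == "__main__":
    for keyword, finding in audit(parse_options(SAMPLE_OPTIONS)):
        print(f"{keyword:12} {finding}")
```

Run against the sample, the script reports CHECKAUTH (omitted, so defaulted to NO), SSM(YES), CKTAUTH (omitted, so NO), SYSPLEXCKDS(YES,FAIL(NO)) and the ORIGINAL external wrapping method. Comparing such a report with the Installation Option Display panel is a quick way to confirm that the data set named in the startup procedure is the one ICSF actually loaded.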

For more information about the ICSF startup procedure and installation options, see z/OS Cryptographic Services ICSF System Programmer’s Guide. At any time while you are running ICSF, you can check the current value of these installation options.

The installation exits and installation-defined callable services are also specified in the installation options data set, but they are not displayed on this panel. For a description of how to display the installation exit information, see Displaying installation exits. For a description of how to display installation-defined callable service information, see Displaying installation-defined callable services.





Copyright IBM Corporation 1990, 2014