When you invoke the CSFEUTIL program as a batch job, you receive
the return code in a message when the job completes. The meanings
of the return codes are:
- Return Code
- Meaning
- 0
- Process successful.
- 4
- Parameters are incorrect.
- 8
- RACF authorization check failed.
- 12
- Process unsuccessful.
- 68 or 72
- CKDS processing has failed. An error was detected in the new
KDS.
- 100 or 104
- CKDS processing has failed. An error was detected in the old
KDS.
- 101 or 105
- CKDS processing has failed. An error occurred while processing
a KDS record. For a 101 return code, consult the Return Code 8 reason
codes in the z/OS Cryptographic Services ICSF Application Programmer’s Guide. For a 105 return code, consult the Return Code 12
reason codes in the z/OS Cryptographic Services ICSF Application Programmer’s Guide.
When the program is invoked from another program, the invoking
program receives the reason code in General Register 0 along with
the return code in General Register 15. The following list describes
the meaning of the reason codes. If a particular reason code is not
listed, refer to the listing of ICSF and TSS return and reason codes
in the z/OS Cryptographic Services ICSF Application Programmer’s Guide.
Return code 0 has these reason codes:
- Reason
Code
- Meaning
- 36132
- CKDS reencipher/Change MK processed only tokens encrypted under
the DES master key.
- 36136
- CKDS reencipher/Change MK processed only tokens encrypted under
the AES master key.
- 36140
- CKDS reencipher/Change MK processed tokens encrypted under the
DES and AES master key.
Return code 8 has these reason codes:
- Reason
Code
- Meaning
- 3114
- Another refresh utility request is executing, and this utility
request will not be allowed to run.
- 16000
- Invoker has insufficient RACF access authority to perform function.
Return code 12 has these reason codes:
- Reason
Code
- Meaning
- 36000
- Unable to change master key. Check hardware status.
- 36008
- Crypto master key register(s) in improper state.
- 36020
- Input CKDS is empty or not initialized (authentication pattern
in the control record is invalid).
- 36036
- The new master key register for Coprocessor 1 (C1) is not full,
but C0 is ready and the current master key is valid.
- 36040
- The new master key register for C0 is not full, but C1 is ready
and the current master key is valid.
- 36044
- The master key authentication pattern for the CKDS does not
match the authentication pattern of the coprocessors, which are not
equal.
- 36048
- The master key authentication pattern for the CKDS does not
match the authentication pattern of either of the coprocessors, which
are not equal.
- 36052
- A valid new master key is present in C0, but its authentication
pattern does not match that of C1 or the CKDS, which are equal.
- 36056
- A valid new master key is present in C1, but its authentication
pattern does not match that of C0 or the CKDS, which are equal.
- 36060
- The new master key register(s) is/are not full.
- 36064
- Both new master key registers are full but not equal.
- 36068
- The input KDS is not enciphered under the current master key.
- 36076
- The new master key register for C0 is not full, but the CPUs
are online.
- 36080
- The new master key register for C1 is not full, but the CPUs
are online.
- 36084
- The master key register cannot be changed since ICSF is running
in compatibility mode.
- 36104
- Option not available. There were no Cryptographic Coprocessors
available to perform the service that was attempted.
- 36108
- PKA callable services are enabled, and the PKDS is the active
PKDS as specified in the options data set.
- 36120
- The CKDS is unusable. The CKDS does not support record level
authentication.
- 36124
- The CKDS is unusable. The CKDS only supports encrypted AES keys
and encrypted DES support is required.
- 36128
- The CKDS is unusable. The CKDS does not support encrypted DES
keys which is required.
- 36160
- The attempt to reencipher the CKDS failed because there is an
enhanced token in the CKDS.
- 36001
- A variable-length record format CKDS cannot be used on a system
with a Cryptographic Coprocessor Feature.
- 36168
- The LRECL attribute of the input CKDS doesn't match the
LRECL of the output CKDS.
Return code 72 or 104 has these reason
codes:
- Reason Code
- Meaning
- 6008
- A service routine has failed.
The service routines that may
be called are:
- CSFMGN
- MAC generation
- CSFMVR
- MAC verification
- CSFMKVR
- Master key verification
- 6012
- The single-record, read-write installation exit (CSFSRRW) returned a return code
greater than 4.
- 6016
- An I/O error occurred reading or writing the CKDS.
- 6020
- The CSFSRRW installation exit abended and the installation options
EXIT keyword specifies that the invoking service should end.
- 6024
- The CSFSRRW installation exit abended and the installation options
EXIT keyword specifies that ICSF should end.
- 6028
- The CKDS access routine could not establish the ESTAE environment.
- 6040
- The CSFSRRW installation exit could not be loaded and is required.
- 6044
- Information necessary to set up CSFSRRW installation exit processing
could not be obtained.
- 6048
- The system keys cannot be found while attempting to write a
complete CKDS data set.
- 6052
- For a write CKDS record request, the current master key verification
pattern (MKVP) does not match the CKDS header record MKVP.
- 6056
- The output CKDS is not empty.
- 36001
- A variable-length record format CKDS cannot be used on a system
with a Cryptographic Coprocessor Feature.
- 36168
- The LRECL attribute of the input CKDS doesn't match the
LRECL of the output CKDS.
|