When you invoke the CSFEUTIL program as a batch job, you receive the return code in a message when the job completes. The meanings of the return codes are:

Return Code

Meaning

0

Process successful.

4

Parameters are incorrect.

8

RACF authorization check failed.

12

Process unsuccessful.

68 or 72

CKDS processing has failed. An error was detected in the new KDS.

100 or 104

CKDS processing has failed. An error was detected in the old KDS.

101 or 105

CKDS processing has failed. An error occurred while processing a KDS record. For a 101 return code, consult the Return Code 8 reason codes in the z/OS Cryptographic Services ICSF Application Programmer’s Guide. For a 105 return code, consult the Return Code 12 reason codes in the z/OS Cryptographic Services ICSF Application Programmer’s Guide.

When the program is invoked from another program, the invoking program receives the reason code in General Register 0 along with the return code in General Register 15. The following list describes the meaning of the reason codes. If a particular reason code is not listed, refer to the listing of ICSF and TSS return and reason codes in the z/OS Cryptographic Services ICSF Application Programmer’s Guide.

Return code 0 has these reason codes:

Reason Code

Meaning

36132

CKDS reencipher/Change MK processed only tokens encrypted under the DES master key.

36136

CKDS reencipher/Change MK processed only tokens encrypted under the AES master key.

36140

CKDS reencipher/Change MK processed tokens encrypted under the DES and AES master key.

Return code 8 has these reason codes:

Reason Code

Meaning

3114

Another refresh utility request is executing, and this utility request will not be allowed to run.

16000

Invoker has insufficient RACF access authority to perform function.

Return code 12 has these reason codes:

Reason Code

Meaning

36000

Unable to change master key. Check hardware status.

36008

Crypto master key register(s) in improper state.

36020

Input CKDS is empty or not initialized (authentication pattern in the control record is invalid).

36036

The new master key register for Coprocessor 1 (C1) is not full, but C0 is ready and the current master key is valid.

36040

The new master key register for C0 is not full, but C1 is ready and the current master key is valid.

36044

The master key authentication pattern for the CKDS does not match the authentication pattern of the coprocessors, which are not equal.

36048

The master key authentication pattern for the CKDS does not match the authentication pattern of either of the coprocessors, which are not equal.

36052

A valid new master key is present in C0, but its authentication pattern does not match that of C1 or the CKDS, which are equal.

36056

A valid new master key is present in C1, but its authentication pattern does not match that of C0 or the CKDS, which are equal.

36060

The new master key register(s) is/are not full.

36064

Both new master key registers are full but not equal.

36068

The input KDS is not enciphered under the current master key.

36076

The new master key register for C0 is not full, but the CPUs are online.

36080

The new master key register for C1 is not full, but the CPUs are online.

36084

The master key register cannot be changed since ICSF is running in compatibility mode.

36104

Option not available. There were no Cryptographic Coprocessors available to perform the service that was attempted.

36108

PKA callable services are enabled, and the PKDS is the active PKDS as specified in the options data set.

36120

The CKDS is unusable. The CKDS does not support record level authentication.

36124

The CKDS is unusable. The CKDS only supports encrypted AES keys and encrypted DES support is required.

36128

The CKDS is unusable. The CKDS does not support encrypted DES keys which is required.

36160

The attempt to reencipher the CKDS failed because there is an enhanced token in the CKDS.

36001

A variable-length record format CKDS cannot be used on a system with a Cryptographic Coprocessor Feature.

36168

The LRECL attribute of the input CKDS doesn't match the LRECL of the output CKDS.

Return code 72 or 104 has these reason codes:

Reason Code

Meaning

6008

A service routine has failed.

The service routines that may be called are:

CSFMGN

MAC generation

CSFMVR

MAC verification

CSFMKVR

Master key verification

6012

The single-record, read-write installation exit (CSFSRRW) returned a return code greater than 4.

6016

An I/O error occurred reading or writing the CKDS.

6020

The CSFSRRW installation exit abended and the installation options EXIT keyword specifies that the invoking service should end.

6024

The CSFSRRW installation exit abended and the installation options EXIT keyword specifies that ICSF should end.

6028

The CKDS access routine could not establish the ESTAE environment.

6040

The CSFSRRW installation exit could not be loaded and is required.

6044

Information necessary to set up CSFSRRW installation exit processing could not be obtained.

6048

The system keys cannot be found while attempting to write a complete CKDS data set.

6052

For a write CKDS record request, the current master key verification pattern (MKVP) does not match the CKDS header record MKVP.

6056

The output CKDS is not empty.

36001

A variable-length record format CKDS cannot be used on a system with a Cryptographic Coprocessor Feature.

36168

The LRECL attribute of the input CKDS doesn't match the LRECL of the output CKDS.