|
- Description:
- Detects cryptographic coprocessors that will not become active
when starting HCR77A1. This checks compares the coprocessor master
keys against the CKDS and PKDS.
This check is inactive by default
– in order to use this check you must activate it. You should run
this check on your system before installing the HCR77A1 release of
ICSF.
- Reason for check:
- A coprocessor that has master keys that do not match the CKDS
and PKDS will not become active when ICSF FMID HCR77A1 is started.
This will affect the availability of coprocessors for cryptographic
work. The method to decide which coprocessors become active changed
for HCR77A1 and later.
- z/OS® releases the check
applies to:
- ICSF FMID HCR7770 or later running on z/OS V1R9, z/OS V1R10,
z/OS V1R11, z/OS V1R12, z/OS V1R13
or z/OS V2R1 with PTFs for
APAR OA42011 applied.
- Type of check (local or remote):
- Local
- User override of IBM® values:
- The following shows keywords you can use to override check values
on either a POLICY statement in the HZSPRMxx parmlib member or on
a MODIFY command. This statement may be copied and modified to override
the check defaults:
UPDATE
CHECK(IBMICSF,ICSFMIG77A1_COPROCESSOR_ACTIVE)
INACTIVE
SEVERITY(MEDIUM) INTERVAL(ONETIME) DATE('date_of_the_change')
REASON('Your reason for making the update.'))
- Parameters accepted:
- No.
- Verbose support:
- No
- Debug support:
- No
- Reference:
- For more information see z/OS Cryptographic Services ICSF Administrator's Guide.
- Messages:
- This check issues the following exception messages:
See in z/OS Cryptographic Services ICSF Messages.
- SECLABEL recommended for multilevel security users:
- SYSLOW - see z/OS Planning for Multilevel Security and the Common Criteria for
information on using SECLABELs.
|