ICSFMIG77A1_COPROCESSOR

Description:

Detects cryptographic coprocessors that will not become active when starting HCR77A1. This checks compares the coprocessor master keys against the CKDS and PKDS.

This check is inactive by default – in order to use this check you must activate it. You should run this check on your system before installing the HCR77A1 release of ICSF.

Reason for check:

A coprocessor that has master keys that do not match the CKDS and PKDS will not become active when ICSF FMID HCR77A1 is started. This will affect the availability of coprocessors for cryptographic work. The method to decide which coprocessors become active changed for HCR77A1 and later.

z/OS® releases the check applies to:

ICSF FMID HCR7770 or later running on z/OS V1R9, z/OS V1R10, z/OS V1R11, z/OS V1R12, z/OS V1R13 or z/OS V2R1 with PTFs for APAR OA42011 applied.

Type of check (local or remote):

Local

User override of IBM® values:

The following shows keywords you can use to override check values on either a POLICY statement in the HZSPRMxx parmlib member or on a MODIFY command. This statement may be copied and modified to override the check defaults:

UPDATE
CHECK(IBMICSF,ICSFMIG77A1_COPROCESSOR_ACTIVE)
INACTIVE
SEVERITY(MEDIUM) INTERVAL(ONETIME) DATE('date_of_the_change')
REASON('Your reason for making the update.'))

Parameters accepted:

No.

Verbose support:

Debug support:

Reference:

For more information see z/OS Cryptographic Services ICSF Administrator's Guide.

Messages:

This check issues the following exception messages:

CSFH0020E
CSFH0021E

See in z/OS Cryptographic Services ICSF Messages.

SECLABEL recommended for multilevel security users:

SYSLOW - see z/OS Planning for Multilevel Security and the Common Criteria for information on using SECLABELs.