ICSF: Detect any coprocessor that will not become active when HCR77A1 or later is started

Description

For ICSF FMIDs HCR7780, HCR7790, and HCR77A0, the activation procedure was designed to maximize the number of active coprocessors by selecting the set of master keys that are available on the majority of coprocessors. A DES master key is no longer required in order for a coprocessor to become active. Instead, any one of four master keys – the DES master key, the AES master key, the RSA master key (which in earlier releases was called the asymmetric master key), or the ECC master key – is enough for a coprocessor to become active. However, because the goal is to select the combination of master keys that maximizes the number of active coprocessors, support for a master key that is not set on all of those same coprocessors will not be available.

Starting with FMID HCR77A1, the activation procedure uses the master key verification patterns (MKVPs) in the header records of the CKDS and PKDS to determine which coprocessors become active. If the MKVP of a master key is in the CKDS or PKDS, that master key must be loaded and the verification pattern of the current master key register must match the MKVP in the CKDS or PKDS. If all of the MKVPs in the CKDS and PKDS match the current master key registers, the coprocessor will become active. Otherwise, the coprocessor status is "master keys incorrect". This applies to all master keys that the coprocessor supports. When there is an MKVP in the CKDS or PKDS and the coprocessor does not support that master key, the MKVP is ignored. When an MKVP is not in the CKDS or PKDS, that master key is ignored.

If there are no MKVPs in the CKDS and PKDS, the coprocessor will be active. If the CKDS is initialized without any MKVPs, the CKDS cannot be used on a system that has cryptographic features installed.
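The HCR77A1 activation rule described above, modeled as an added Python example; it is not IBM code and not the ICSFMIG77A1_COPROCESSOR_ACTIVE check itself. The coprocessor labels, the short strings standing in for verification patterns, and the function names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Coprocessor:
    name: str                 # constructed label, e.g. "C01"
    supported: frozenset      # master key types this coprocessor supports
    registers: dict = field(default_factory=dict)  # key type -> VP of current master key

def activation_status(ckds_mkvps, pkds_mkvps, cop):
    """Model of the HCR77A1 rule: return (status, reasons) for one coprocessor."""
    kds_mkvps = {**ckds_mkvps, **pkds_mkvps}   # every MKVP found in either header record
    reasons = []
    for key_type, mkvp in sorted(kds_mkvps.items()):
        if key_type not in cop.supported:
            continue                            # MKVP present, key type unsupported: ignored
        current = cop.registers.get(key_type)
        if current is None:
            reasons.append(f"{key_type} master key not loaded")
        elif current != mkvp:
            reasons.append(f"{key_type} verification pattern does not match")
    # Master keys with no MKVP in the CKDS/PKDS are never examined, so they are ignored.
    return ("active" if not reasons else "master keys incorrect", reasons)

def will_not_become_active(ckds_mkvps, pkds_mkvps, coprocessors):
    """Names and reasons for every coprocessor that would not become active."""
    report = {}
    for cop in coprocessors:
        status, reasons = activation_status(ckds_mkvps, pkds_mkvps, cop)
        if status != "active":
            report[cop.name] = reasons
    return report

# Constructed sample data: short strings stand in for real verification patterns.
ALL = frozenset({"DES", "AES", "RSA", "ECC"})
CKDS = {"DES": "d1", "AES": "a1"}
PKDS = {"RSA": "r1"}            # no ECC MKVP, so the ECC master key is ignored
COPROCESSORS = [
    Coprocessor("C00", ALL, {"DES": "d1", "AES": "a1", "RSA": "r1", "ECC": "e9"}),
    Coprocessor("C01", ALL, {"DES": "d1", "RSA": "r1"}),            # AES never loaded
    Coprocessor("C02", frozenset({"DES", "RSA"}), {"DES": "d1", "RSA": "r1"}),
    Coprocessor("C03", ALL, {"DES": "d1", "AES": "a2", "RSA": "r1"}),  # different AES key
]

if __name__ == "__main__":
    for name, reasons in will_not_become_active(CKDS, PKDS, COPROCESSORS).items():
        print(name, "-> master keys incorrect:", "; ".join(reasons))
```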

Table 1 provides more details about this migration action. Use this information to plan your changes to the system.

Table 1. Information about this migration action
Element or feature: Cryptographic Services
When change was introduced: Cryptographic Support for z/OS V1R13 - z/OS V2R1 web deliverable (FMID HCR77A1), which installs on z/OS V1R13 or z/OS V2R1.
Applies to migration from: z/OS V2R1 and z/OS V1R13, both without the Cryptographic Support for z/OS V1R13 - z/OS V2R1 web deliverable (FMID HCR77A1) or a later ICSF web deliverable installed.
Timing: Before installing z/OS V2R2.
Is the migration action required? Yes, if you are affected by the change in the way master keys are processed to determine which coprocessors become active.
Target system hardware requirements: None.
Target system software requirements: None.
Other system (coexistence or fallback) requirements: None.
Restrictions: None.
System impacts: None.
Related IBM Health Checker for z/OS check: Use check ICSFMIG77A1_COPROCESSOR_ACTIVE to determine which coprocessors will not become active when Cryptographic Support for z/OS V1R13 - z/OS V2R1 web deliverable (FMID HCR77A1) is started. This check is delivered in APAR OA42011, which is available for ICSF FMIDs HCR7770, HCR7780, HCR7790, and HCR77A0.

Steps to take

Run the migration check ICSFMIG77A1_COPROCESSOR_ACTIVE to find any coprocessors that will not become active when you start HCR77A1 or a later ICSF web deliverable.

Reference information

For more information, see the following references: