ICSF: Detect TKDS objects that are too large for the new record format in HCR77A1

Description

In ICSF FMID HCR77A1, ICSF is introducing a common key data set record format for CCA key tokens and PKCS #11 tokens and objects. This new record format adds new fields for key utilization and metadata. Because of the size of the new fields, some existing PKCS #11 objects in the TKDS might cause ICSF to fail. If you do not have a Token Data Set (TKDS) with PKCS #11 objects in it, there is no need to run this check.

The problem exists for TKDS object records with large objects. The User data field in the existing record will cause the TKDS not to be loaded if the object size is greater than 32,520 bytes. The TKDSREC_LEN field in the record has the size of the object. If the User data field is not empty and the size of the object is greater than 32,520 bytes, the TKDS cannot be loaded.

Note that ICSF does not provide any interface to modify the User data field in the TKDS object record. A flat file can be created using IDCAMS. Check the contents of the User data field and determine if the information in the field is valuable. If you want to preserve the data, consider how the information can be stored other than in the object record. The field can only be modified by editing the record. For information about the TKDS object record, see z/OS Cryptographic Services ICSF System Programmer's Guide.

The IBM Health Checker migration check, ICSFMIG77A1_TKDS_OBJECT, detects any TKDS object that is too large to allow the TKDS to be read into storage during ICSF initialization starting with ICSF FMID HCR77A1. This migration check is available for HCR7770, HCR7780, HCR7790, and HCR77A0 through APAR OA42011.

Table 1 provides more details about this migration action. Use this information to plan your changes to the system.

Table 1. Information about this migration action
Element or feature: Cryptographic Services
When change was introduced: Cryptographic Support for z/OS V1R13 – z/OS V2R1 web deliverable (FMID HCR77A1), which installs on z/OS V1R12, z/OS V1R13 or z/OS V2R1.
Applies to migration from: z/OS V2R1 and z/OS V1R13, both without the Cryptographic Support for z/OS V1R13 - z/OS V2R1 web deliverable (FMID HCR77A1) installed.
Timing: Before installing z/OS V2R2.
Is the migration action required? Yes, if you are affected by the record format changes.
Target system hardware requirements: None.
Target system software requirements: None.
Other system (coexistence or fallback) requirements: None.
Restrictions: None.
System impacts: None.
Related IBM Health Checker for z/OS check: Use the IBM Health Checker migration check ICSFMIG77A1_TKDS_OBJECT to detect any TKDS object with a value in the User data field that is too large to preserve in the User data field of the new format record. This migration check is available for HCR7770, HCR7780, HCR7790, and HCR77A0 through APAR OA42011.

Steps to take

Run the migration check ICSFMIG77A1_TKDS_OBJECT to detect if TKDS objects are too large for the new record format in HCR77A1.
Note: ICSF does not provide any interface to modify the User data field in the TKDS object record. A flat file can be created using IDCAMS. Check the contents of the User data field and determine if the information in the field is valuable. If you want to preserve the data, consider how the information can be stored other than in the object record. The field can only be modified by editing the record. For information about the TKDS object record, see z/OS Cryptographic Services ICSF System Programmer's Guide.

Reference information

For more information, see the following references: