Re: ICSF on z890?



On Mon, 26 Mar 2007 13:04:17 -0500, McKown, John
<John.Mckown@xxxxxxxxxxxxxxxxx> wrote:

-----Original Message-----
From: IBM Mainframe Discussion List
[mailto:IBM-MAIN@xxxxxxxxxxx] On Behalf Of Schramm, Rob
Sent: Monday, March 26, 2007 12:55 PM
To: IBM-MAIN@xxxxxxxxxxx
Subject: Re: ICSF on z890?


If you are just trying to get up and running for testing.. just use the
PassPhrase init. "6 PPINIT - Pass Phrase Master Key/CKDS
Initialization".. it is very easy. I don't think it is recommended to
stay in that mode for production.. but it is a sysprog dream when you
are just trying to get a handle on everything and get it up and running
the first time.

I did that for the tire-kicking and some initial testing before heading
down some of the more difficult issues.

I tried. I get 'OPTION NOT AVAILABLE'. Yes, I have the CSF started task
going.


(Sorry for the delayed response... just got back from a DR drill... surprised
R.S. hasn't jumped in as he knows this stuff well).

John,

You can't get there from here. You (and people trying to help you)
are trying to initialize hardware you don't have. No crypto hardware
means no master keys to load and no need for a PKDS/CKDS.
(BTW, the ICSF sysprog guide documents how to do this and there are
samples in SYS1.SAMPLIB). As you saw.. you have ICSF active and
you can still use some clear key functions.

I think something similar to this exec has been posted before. It will
test clear key. It performs the same function as the ENCODE option
of UTILITY in the ICSF ISPF dialogs:

/* REXX - PROGRAM REXXCSF */
/***************************************************************/
/* See if ICSF is active/online by doing a test CSNBECO call   */
/***************************************************************/

/* CSNBECO (Encode) parameters; the first three are 4-byte binary */
return_code      = '00000000'x
reason_code      = '00000000'x
exit_data_length = '00000000'x
exit_data        = ''
clear_key        = 'C1C2C3C4F1F2F3F4'x   /* 8-byte clear key        */
clear_text       = '4321000000001234'x   /* 8-byte plaintext block  */
cipher_text      = '0000000000000000'x   /* 8-byte output area      */

Address LINKPGM "CSNBECO return_code reason_code exit_data_length",
                "exit_data clear_key clear_text cipher_text"

/* rc comes from the LINKPGM host command; return_code is the   */
/* field ICSF fills in, so both must be zero for a good encode  */
If rc = 0 & return_code == '00000000'x then do
  Say 'ICSF is active and working!'
  Say ' '
  Say 'The data below should match the ICSF utility ENCODE panel:'
  Say ' '
  Say 'Clear Key ===> C1C2C3C4F1F2F3F4'
  Say 'Plaintext ===> 4321000000001234'
  Say 'Ciphertext :' C2x(cipher_text)
End
Else Say 'ICSF is kaput, RC=' rc 'ICSF return code=' C2x(return_code),
         'reason code=' C2x(reason_code)


I'm pretty sure I've posted this in the past, but if you want to understand
what hardware you have and what options there are, there are some good
white papers and Redbooks. Search the archives.

Here are some of the books / papers I have saved... which unfortunately
are old at this point but should be helpful (hopefully a search of IBM techdocs
and Redbooks will get you them if you want):

White Papers:

Secure Key or Clear Key:
Application Migration & Crypto Hardware on z990
or
The Basics of What You Need to Understand about
zSeries Crypto Hardware and Applications

zSeries z990 Hardware Cryptography Considerations

-----------------------------

Redbooks (oldest to newest):

zSeries Crypto Guide Update
IBM eserver zSeries 990 (z990) Cryptography Implementation
z9-109 Crypto and TKE V5 Update


HTH. If you want to contact me off list, feel free to do so.

Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group: G-ITO
mailto:mark.zelden@xxxxxxxxxxxx
z/OS and OS390 expert at http://searchDataCenter.com/ateExperts/
Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html
