Discussion:
ICSF Again
Add Reply
Steely.Mark
2017-05-10 16:49:58 UTC
Reply
Permalink
Raw Message
I was trying to rename a key in the CKDS. I was using PGM=CSFKGUP,PARM=('SSM').

I received this error:

The master key verification patterns in the CKDS do not match the
verification patterns of the active DES and AES master keys.

We do not have any crypto hardware and no coprocessor's defined.
We do not have an active TKDS. CSF has no error message and starts successfully.
This is not causing an operational issue - but from the error message something is not in sync.
Also I was able to perform this function on our sandbox system - so the JCL is correct.

This is the answer from IBM:

The following information should help to get you started. Your displays
show that you have no active cryptographic coprocessors. Unless your
target CKDS (specified by "CSFCKDS" value in your KGUP data definition
statement) is configured as a clear-key CKDS, you will need to load and
set the appropriate Master Keys (DES and/or AES) under which your CKDS
is encrypted to access and alter its contents. This requires the use of
cryptographic hardware. (Which we don't have)

This doesn't help me at all. I still don't have any idea's how to start. I am just a rookie with ICSF.
How do I display the master key verification patterns ?
Where is this ? specified by "CSFCKDS" value in your KGUP data definition statement

We are z/OS V2.2.

Any help would be appreciated.

Thanks






----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Dan Little
2017-05-10 22:15:32 UTC
Reply
Permalink
Raw Message
Can you show the job output?    And are you able to get into ICSF panels?

What are your installation options?

Dan


--------------------------------------------------
I was trying to rename a key in the CKDS. I was using PGM=CSFKGUP,PARM=('SSM').
The master key verification patterns in the CKDS do not match the
verification patterns of the active DES and AES master keys.
We do not have any crypto hardware and no coprocessor's defined.
We do not have an active TKDS. CSF has no error message and starts successfully.
This is not causing an operational issue - but from the error message something is not in sync.
Also I was able to perform this function on our sandbox system - so the JCL is correct.
The following information should help to get you started. Your displays
show that you have no active cryptographic coprocessors. Unless your
target CKDS (specified by "CSFCKDS" value in your KGUP data definition
statement) is configured as a clear-key CKDS, you will need to load and
set the appropriate Master Keys (DES and/or AES) under which your CKDS
is encrypted to access and alter its contents. This requires the use of
cryptographic hardware. (Which we don't have)
This doesn't help me at all. I still don't have any idea's how to start. I am just a rookie with ICSF.
How do I display the master key verification patterns ?
Where is this ? specified by "CSFCKDS" value in your KGUP data definition statement
We are z/OS V2.2.
Any help would be appreciated.
Thanks
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Steely.Mark
2017-05-10 22:29:49 UTC
Reply
Permalink
Raw Message
Dan - IBM sent my SR to their Q&A group. IBM is already had our options and wants dumps of the CKDS and the keys.
Hopefully they will have an answer for me.

Thanks

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On Behalf Of Dan Little
Sent: Wednesday, May 10, 2017 5:09 PM
To: IBM-***@LISTSERV.UA.EDU
Subject: Re: ICSF Again

Can you show the job output?    And are you able to get into ICSF panels?

What are your installation options?

Dan


--------------------------------------------------
I was trying to rename a key in the CKDS. I was using PGM=CSFKGUP,PARM=('SSM').
The master key verification patterns in the CKDS do not match the
verification patterns of the active DES and AES master keys.
We do not have any crypto hardware and no coprocessor's defined.
We do not have an active TKDS. CSF has no error message and starts successfully.
This is not causing an operational issue - but from the error message something is not in sync.
Also I was able to perform this function on our sandbox system - so the JCL is correct.
The following information should help to get you started. Your
displays show that you have no active cryptographic coprocessors.
Unless your target CKDS (specified by "CSFCKDS" value in your KGUP
data definition
statement) is configured as a clear-key CKDS, you will need to load
and set the appropriate Master Keys (DES and/or AES) under which your
CKDS is encrypted to access and alter its contents. This requires the
use of cryptographic hardware. (Which we don't have)
This doesn't help me at all. I still don't have any idea's how to start. I am just a rookie with ICSF.
How do I display the master key verification patterns ?
Where is this ? specified by "CSFCKDS" value in your KGUP data
definition statement
We are z/OS V2.2.
Any help would be appreciated.
Thanks
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Loading...