If you don't have a crypto coprocessor (CEX2 or PCIXCC) installed, then you won't have master keys and you can't store keys in the CKDS or PKDS. ICSF will still start, and a few APIs are available, but on the CPACF-based machines (z890/z990 and later) most of the APIs require the secure coprocessor. You must have a secure coprocessor to store symmetric keys in the CKDS and asymmetric (public/private) keys in the PKDS.

And ICSF does not 'switch' to software encryption if it can't find the hardware. The only encryption that ICSF will do in software is AES when running on a server that does not provide AES in hardware (AES-128 is supported on the CPACF in the z9, and AES-128, AES-192 and AES-256 in the CPACF on the z10).

You're probably thinking of System SSL, which does provide software routines to perform encryption if ICSF or the appropriate hardware is not available. For System SSL, PKA (public/private) keys are used to authenticate the parties, and those keys may come from the PKDS. After authentication, data is exchanged using a symmetric key established during the handshake, but those symmetric keys are not stored in the CKDS.

You might review some of the crypto-related documents on the IBM TechDocs website (www.ibm.com/support/techdocs and search on Crypto). Consider that a shameless plug, since I wrote some of those documents :-)

Greg Boyd
IBM WSC, System z Crypto

