John,

The steps to enable and verify are documented in:
http://www-03.ibm.com/systems/resources/fotza501.pdf
See: "Setting up OpenSSH to use ICSF ciphers and MAC algorithms"

So, at a high level, the steps are:

1) make sure ICSF is started

2) Update your ssh_config and sshd_config to prefer (or if you want, only allow) ciphers and MACs that are ICSF enabled (which varies based on the CPACF facilities in your machine).
(Note: there is also a user-specific version of the client config file: ~/.ssh/zos_user_ssh_config)
It's not clear in the IBM manual, but the ciphers and macs are negotiated between the SSH client and SSHD server based on the following rule: pick the first algorithm in the client's list that appears anywhere in the server's list.

3) update zos_ssh_config and zos_sshd_config to add:

CiphersSource any
MACsSource any

4) test/verify operation using the ssh client (with -vv option). Verifying sshd is a little trickier - you would have to start up a debug version I guess. But just watching the CPU during a large transfer is usually convincing ;-)

BTW: "ssh -vv" will also print out a table of your CPACF capabilities.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

PS> If you have a crypto coprocessor card, also see the User's Guide: "Using hardware support to generate random numbers". This avoids the crappy ssh-rand-helper and saves time and resources during connection startup.

On Tue, Jul 10, 2012 at 10:47 AM, Rob Schramm <[email protected]> wrote:

> Did you add the statements
>
> CiphersSource ICSF
> MACsSource ICSF
>
> in the /etc/ssh/zos_sshd_config
>
> Rob Schramm
> Senior Systems Consultant
> Imperium Group
>
>
>
> On Tue, Jul 10, 2012 at 11:18 AM, McKown, John <
> [email protected]> wrote:
>
> > I just installed PTF UA63842 on my sandbox system. I also got ICSF
> > running. The messages from the CSF started task are:
> >
> > CSFO0230 CKDSN(TSSTV.CSF.CKDS)
> > CSFO0230 PKDSN(TSSTV.CSF.PKDS)
> > CSFO0230 COMPAT(NO)
> > CSFO0230 SSM(YES)
> > CSFO0230 KEYAUTH(NO) /* WAS YES */
> > CSFO0230 CHECKAUTH(NO)
> > CSFO0230 TRACEENTRY(599)
> > CSFO0220 TRACEENTRY VALUE NOT IN RANGE.
> > CSFO0230 USERPARM(USERPARM)
> > CSFO0230 COMPENC(DES)
> > CSFO0212 COMPENC KEYWORD NO LONGER SUPPORTED.
> > CSFO0230 REASONCODES(ICSF)
> > CSFO0230 PKDSCACHE(64)
> > CSFO0212 PKDSCACHE KEYWORD NO LONGER SUPPORTED.
> > CSFO0166 DEFAULT CICS WAIT LIST WILL BE USED.
> > CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.
> > CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
> > CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
> > CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.
> > CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.
> > CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
> > CSFM101E PKA KEY DATA SET, TSSTV.CSF.PKDS IS NOT INITIALIZED.
> > CSFM100E CRYPTOGRAPHIC KEY DATA SET, TSSTV.CSF.CKDS IS NOT INITIALIZED.
> > CSFM507I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC COPROCESSORS ONLINE.
> > CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE.
> > *CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION.
> > CSFM001I ICSF INITIALIZATION COMPLETE
> > CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
> >
> > I think this last message means that ICSF is using the CPACF facilities on
> > the CPU. True?
> >
> > I then recycled the SSHD daemon. How do I know that SSHD is actually using
> > the CPACF instead of the older method for its encryption? Is there any
> > message anywhere that I could look at? I see some messages in
> > /var/log/auth, but nothing "in depth".
> >
> > --
> > John McKown
> > Systems Engineer IV
> > IT
> >
> > Administrative Services Group
> >
> > HealthMarkets(r)
> >
> > 9151 Boulevard 26 * N. Richland Hills * TX 76010
> > (817) 255-3225 phone *
> > [email protected] * www.HealthMarkets.com
> >
> > Confidentiality Notice: This e-mail message may contain confidential or
> > proprietary information. If you are not the intended recipient, please
> > contact the sender by reply e-mail and destroy all copies of the original
> > message.
> > HealthMarkets(r) is the brand name for products underwritten and
> > issued by the insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake
> > Life Insurance Company(r), Mid-West National Life Insurance Company of
> > TennesseeSM and The MEGA Life and Health Insurance Company.SM
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to [email protected] with the message: INFO IBM-MAIN
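
The negotiation rule from step 2 of the reply above (first algorithm in the client's list that appears anywhere in the server's list), as an added example that is not part of the original messages or of IBM's documentation. The two config texts, the `HW_BACKED` set and the function names are constructed for illustration; which algorithms are actually hardware-backed has to come from your own "ssh -vv" output.

```python
# Constructed sample configs; the algorithm lists are illustrative only.
CLIENT_CFG = """\
# ssh_config (constructed)
Ciphers aes128-cbc,aes256-cbc,3des-cbc,aes128-ctr
MACs hmac-sha1,hmac-md5
"""
SERVER_CFG = """\
# sshd_config (constructed)
Ciphers aes128-ctr,3des-cbc,aes256-cbc
MACs hmac-md5,hmac-sha1
"""
# Assumption: fill this from the capability table your own "ssh -vv" prints.
HW_BACKED = {"aes256-cbc", "3des-cbc", "hmac-sha1"}


def read_list(cfg_text, keyword):
    """Return the algorithm list for keyword; the first occurrence wins.
    Simplification: Host/Match blocks and built-in defaults are not modelled."""
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return [a.strip() for a in parts[1].split(",") if a.strip()]
    return []


def negotiate(client, server):
    """First algorithm in the client's list that appears anywhere in the server's."""
    offered = set(server)
    return next((alg for alg in client if alg in offered), None)


def check(client_cfg, server_cfg, hw_backed):
    report = {}
    for kw in ("Ciphers", "MACs"):
        client, server = read_list(client_cfg, kw), read_list(server_cfg, kw)
        chosen = negotiate(client, server)
        # Software-only algorithms both sides still accept: a client with a
        # different ordering could select these, whatever the server's order.
        sw = [a for a in client if a in server and a not in hw_backed]
        report[kw] = {"chosen": chosen, "hw": chosen in hw_backed, "sw_fallbacks": sw}
    return report


if __name__ == "__main__":
    for kw, result in check(CLIENT_CFG, SERVER_CFG, HW_BACKED).items():
        print(kw, result)
```

Because only the client's order decides among the common algorithms, reordering the server's list does not change the outcome; removing the software-only entries from it does.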
