I think you have the right idea. You want ICSF started as early as possible and ended as late as possible.
You likely want to use early ICSF which will run ICSF under the MASTER address space instead of JES (either via the ICSFPROC and ICSF system parameters [preferred] or via COMMNDxx using S CSF,SUB=MSTR) and configure ARM to restart ICSF. I don't recall the details but I believe that ARM will not work for system address spaces (like ICSF when started under MASTER) on older z/OS releases. I know for sure that it works for system address spaces on V2R5.

Ensure that the P CSF is done after all exploiters are stopped (definitely after Z EOD).

As for PAGENT, I'm not an expert (so someone can correct me if I misspeak). Anything that calls ICSF directly would fail, but if past the handshake stage, it's quite possible that the derived transport key would be able to be used in a software provider or via CPACF directly (I don't recall all the details, but I do know that System SSL can fall back if ICSF is not available).

One thing to note: you can bounce ICSF without failing requests by using the dynamic service functionality we introduced in HCR77D0 (SETICSF PAUSE). That will allow ICSF to finish requests in process, then suspend new callers. This is best paired with either ARM or some other automation to restart ICSF, at which point the suspended callers will be resumed and continue on processing.

Eric Rossman, CISSP®
ICSF Cryptographic Security Development
z/OS Enabling Technologies
[email protected]

"IBM Mainframe Discussion List" <[email protected]> wrote on 01/01/2022 06:25:31 PM:

> From: "Radoslaw Skorupka" <[email protected]>
> To: [email protected]
> Date: 01/01/2022 06:25 PM
> Subject: [EXTERNAL] ICSF and Z EOD (and Pervasive Encryption)
> Sent by: "IBM Mainframe Discussion List" <[email protected]>
>
> I have a question about recommended ICSF started task start and stop
> sequence.
>
> In the old days I started it just before the application and ended after
> the application was shut down.
> Nowadays we can have encrypted spool so ICSF should (must?) be started
> before JES2.
> And before access to encrypted datasets.
> However, as far as I know, also SMF records can be encrypted - so ICSF
> should be active as long as SMF recording is active. That would mean "P
> CSF" command should be issued after "Z EOD".
>
> Am I right with the above?
>
>
> Another question: what would happen with PAGENT when ICSF is
> accidentally closed? All terminal connectivity (TLS/SSL) would be lost?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
