Dave Jousma wrote on 01/03/2022 at 02:43 PM:
> On Sat, 1 Jan 2022 21:01:06 -0400, Eric D Rossman <edros...@us.ibm.com> wrote:
>
> >I think you have the right idea.
> >
> >You want ICSF started as early as possible and ended as late as possible.
> >
> >You likely want to use early ICSF which will run ICSF under the MASTER
> >address space instead of JES (either via the ICSFPROC and ICSF system
> >parameters [preferred] or via COMMNDxx using S CSF,SUB=MSTR) and configure
> >ARM to restart ICSF. I don't recall the details but I believe that ARM
> >will not work for system address spaces (like ICSF when started under
> >MASTER) on older z/OS releases. I know for sure that it works for system
> >address spaces on V2R5.
> >
> >Ensure that the P CSF is done after all exploiters are stopped (definitely
> >after Z EOD).
>
> Eric, thanks for responding from IBM. We run with early ICSF
> started under master from IEASYS00 settings. Is it even necessary
> to shutdown CSF on system shutdown? I ask because with so many
> things using encryption now, including CF structures, etc, there is
> likely a window for problems?
That's a really good question (and a complicated one). While the recommendation is to terminate ICSF to allow for a clean shutdown of tasks, I think a STOP ICSF can be (mostly) safely avoided.

There are a few asynchronous tasks that ICSF cleans up when it terminates. What comes to mind as being most relevant is data related to key usage/key lifecycle and reference dates. Instead of recording every piece as it happens, we queue it up and periodically record it, both to SMF records (usage/lifecycle) and in the CKDS/PKDS/TKDS records (reference dates, if using KDSR format).

If SMF is already stopped, ICSF SMF records related to key usage and key lifecycle won't get recorded, so perhaps the best option would be to use the operator commands to tell ICSF to stop recording both key usage/lifecycle and reference dates and flush everything it has cached for both categories. If you do that, both the SMF records and ICSF KDS updates will happen immediately. Then, you can safely issue the Z EOD to harden the SMF records.

I cannot say that it's perfect (obviously, none of the activity after the operator commands will get recorded), but at that point, you have already terminated just about everything anyway, so you are unlikely to miss much.

Eric Rossman, CISSP®
ICSF Cryptographic Security Development
z/OS Enabling Technologies
edros...@us.ibm.com

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN