On Mon, 3 Jan 2022 16:10:48 -0400, Eric D Rossman <edros...@us.ibm.com> wrote:
> >That's a really good question (and a complicated one). While the >recommendation is to terminate ICSF to allow for a clean shutdown of >tasks, I think a STOP ICSF can be (mostly) safely avoided. > >There are a few asynchronous tasks that ICSF cleans up when it terminates. >What comes to mind as being most relevant is data related to key usage/key >lifecycle and reference dates. Instead of recording every piece as it >happens, we queue up and periodically record it, both to SMF records >(usage/lifecycle) and in the CKDS/PKDS/TKDS records (reference dates, if >using KDSR format). > >If SMF is already stopped, ICSF SMF records related to key usage and key >lifecycle won't get recorded, so perhaps the best option would be to use >the operator commands to tell ICSF to stop recording both key >usage/lifecycle and reference dates and flush everything it has cached for >both categories. If you do that, both the SMF records and ICSF KDS updates >will happen immediately. Then, you can safely issue the Z EOD to harden >the SMF records. > >I cannot say that it's perfect (obviously, none of the actively after the >operator commands will get recorded), but at that point, you have already >terminated just about everything anyway, so you are unlikely to miss much. > Thanks again Eric. I'd like to see IBM "clean up" that last little bit of housekeeping and really make ICSF task a "hands off" task with regards to starting/stopping. Its going to get more difficult to run without anyway. For me, losing those last few SMF records or last used updates on key records is less of an issue than not being able to serve the encrypt/decrypt request at all. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
