"Never!" (says the ICSF Architect). In all seriousness, those messages look good. David, were those the "good" case or the "bad"?
If the bad, was ICSF up yet?

Eric Rossman
---------------------------------
ICSF Security Architect
z/OS Security
---------------------------------

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of ITschak Mugzach
Sent: Monday, April 14, 2025 2:54 PM
To: [email protected]
Subject: [EXTERNAL] Re: GSK question

looks like an ICSF (CSF) issue.

ITschak Mugzach
IronSphere Platform | Information Security Continuous Monitoring for z/OS, x/Linux & IBM I | z/VM coming soon

On Mon, Apr 14, 2025 at 9:24 PM Jousma, David <[email protected]> wrote:

> Look at the pre-IPL TCPIP STC output, and compare to current.
>
> It was the messages in and around here that were bad
>
> System SSL: SHA-1 crypto assist is available
> System SSL: SHA-224 crypto assist is available
> System SSL: SHA-256 crypto assist is available
> System SSL: SHA-384 crypto assist is available
> System SSL: SHA-512 crypto assist is available
> System SSL: DES crypto assist is available
> System SSL: DES3 crypto assist is available
> System SSL: AES 128-bit crypto assist is available
> System SSL: AES 256-bit crypto assist is available
> System SSL: AES-GCM crypto assist is available
> System SSL: Cryptographic accelerator is not available
> System SSL: Cryptographic coprocessor is available
> System SSL: Public key hardware support is available
> System SSL: Max RSA key sizes in hardware - signature 4096, encryption 4096, verification 4096
> System SSL: ECC secure key support is available. Maximum key size 521
> System SSL: ICSF Secure key PKCS11 support is not available
> System SSL: ICSF FMID is HCR77E0
> EZZ0162I HOST NAME FOR TCPIP IS hmsystk2
>
> Dave Jousma
> Vice President | Director, Technology Engineering
>
> From: IBM Mainframe Discussion List <[email protected]> on behalf of Phil Smith III <[email protected]>
> Date: Monday, April 14, 2025 at 2:17 PM
> To: [email protected] <[email protected]>
> Subject: Re: GSK question
>
> Thanks. This might be the answer, though I may not be able to tell.
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Jousma, David
> Sent: Monday, April 14, 2025 2:11 PM
> To: [email protected]
> Subject: Re: GSK question
>
> AFAIK, there is no shutting off SYSTEM SSL.
>
> Years ago, and a few generations of Crypto adapters ago, we IPL’d before Crypto adapters were fully initialized (there is a time factor when installing MCL’s), and System SSL was “broken” from a TCPIP perspective. The fix was to recycle TCPIP, we elected to IPL, because the cycle of TCPIP was just about as invasive. This caused us all kinds of problems and it took a bit to track down that TCPIP came up before crypto was available.
>
> I have no idea if this exposure still exists, but to this day, we still wait for crypto adapters to be fully initialized before we IPL anything.
>
> Dave Jousma
> Vice President | Director, Technology Engineering
>
> From: IBM Mainframe Discussion List <[email protected]> on behalf of Phil Smith III <[email protected]>
> Date: Monday, April 14, 2025 at 1:55 PM
> To: [email protected] <[email protected]>
> Subject: GSK question
>
> Is there a way to turn off GSK (System SSL)? We have a customer who had a problem where our STC suddenly wouldn't start: it would try to connect (to a server off z/OS) and that would fail. Connectivity SEEMED ok otherwise, and of course "nothing has changed". A gsktrace produced nothing. After some back-and-forth, they reIPLed and now it's fine. (Which I 50% wish they hadn't done, so we could get more info; and am 50% glad they did, of course, since it fixed the problem!)
>
> All I can think is that GSK was broken somehow. If there was a GSKsomething STC I'd kill that and try, see if I got the same symptoms, but there isn't. Is it just baked into TCP/IP? Any other ideas about something I can kill that would break GSK? I can do anything I want on our system and then reIPL if needed.
>
> Thanks for any ideas.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
>
> This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated.
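
The comparison suggested in the thread (pre-IPL TCPIP STC output against current), as an added example that is not part of the thread or of any IBM tooling: a Python script that parses the `System SSL:` lines in the format quoted above and reports every capability whose state differs between two captures. The function names are hypothetical, `CURRENT` is a subset of the lines quoted in the thread, and `EARLIER` is constructed for illustration and does not reproduce anyone's actual failing output.

```python
import re

# "System SSL: <name> is [not] available[...]" lines, format as quoted in the thread.
CAP_RE = re.compile(r"^System SSL: (?P<name>.+?) is (?P<neg>not )?available\b(?P<rest>.*)$")
# Informational lines that carry a value instead of an availability state.
INFO_RE = re.compile(r"^System SSL: (?P<name>ICSF FMID|Max RSA key sizes in hardware)"
                     r"\s*(?:is|-)\s*(?P<value>.+)$")

def parse_capabilities(joblog):
    """Map each System SSL capability name to its reported state or value."""
    caps = {}
    for raw in joblog.splitlines():
        line = raw.strip()
        m = CAP_RE.match(line)
        if m:
            state = "not available" if m["neg"] else "available"
            caps[m["name"]] = state + m["rest"].rstrip()
        else:
            m = INFO_RE.match(line)
            if m:
                caps[m["name"]] = m["value"].strip()
    return caps

def diff_capabilities(earlier, current):
    """Return (name, earlier_state, current_state) for every line that differs."""
    a, b = parse_capabilities(earlier), parse_capabilities(current)
    return [(n, a.get(n, "<no line>"), b.get(n, "<no line>"))
            for n in sorted(set(a) | set(b)) if a.get(n) != b.get(n)]

# Lines copied from the output quoted in the thread (subset).
CURRENT = """\
System SSL: AES-GCM crypto assist is available
System SSL: Cryptographic accelerator is not available
System SSL: Cryptographic coprocessor is available
System SSL: Public key hardware support is available
System SSL: ECC secure key support is available. Maximum key size 521
System SSL: ICSF FMID is HCR77E0
EZZ0162I HOST NAME FOR TCPIP IS hmsystk2
"""
# Constructed for illustration only; NOT taken from the thread.
EARLIER = """\
System SSL: AES-GCM crypto assist is available
System SSL: Cryptographic accelerator is not available
System SSL: Cryptographic coprocessor is not available
System SSL: Public key hardware support is not available
EZZ0162I HOST NAME FOR TCPIP IS hmsystk2
"""

if __name__ == "__main__":
    for name, old, new in diff_capabilities(EARLIER, CURRENT):
        print(f"{name}: {old!r} -> {new!r}")
```

A capability line that is present in one capture and absent from the other is reported as `<no line>`, which separates "reported not available" from "never reported at all".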
