For a long time, you would have been well advised to start ICSF with CPACF in order to get a working /dev/random device on z/OS. Many years ago you had to have a card to get /dev/random, but thankfully this was fixed and z/OS has a great secure random number facility (if you start ICSF with CPACF).
If you don't do this, OpenSSH through release 1.2 would still work, but it wastes lots of time and CPU during startup of each connection, and you get a crappy random number to boot. Starting with Ported Tools OpenSSH 1.3, you MUST have /dev/random working in order to use the product. Kirk Wolf Dovetailed Technologies http://dovetail.com On Wed, Oct 19, 2016 at 10:38 AM, Tom Brennan <[email protected]> wrote: > Thanks - I think I need to read that! One client I work with has CPACF > installed with no crypto cards, but no ICSF running. They run SSH uploads > hundreds or maybe thousands of times per day, and every day there are a few > timeout failures (on their pretty slow z114) while initializing the SSH > connection. > > My theory is this is because crypto work is all being done in software, > and maybe some work could be offloaded to CPACF if I can figure out how to > get ICSF running to use it. > > Kirk Wolf wrote: > >> Have you looked at our Quick Start guide for installing and tuning z/OS >> 2.2 >> OpenSSH? >> https://dovetail.com/docs/pt-quick-inst/index.html >> >> your question I believe is covered in section "1.6 Using ICSF and >> /dev/random" >> > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
