This was announced by IBM last August.

“With the PTFs for APAR OA55437, customers on z/OS V2.2 and V2.3 can now 
generate true random numbers via /dev/random when running on the IBM z14™ 
family of servers, without needing to set up the Integrated Cryptographic 
Service Facility (ICSF). This new support is significant for users of OpenSSH, 
who may now use functions such as sftp and ssh without needing to set up ICSF, 
especially when using the new function introduced last year in APAR OA54299 
(also for z/OS V2.2 and V2.3) allowing OpenSSH to use the CPACF instructions, 
when present, directly for certain ciphers and MACs.”

Regards, Gary



From: Kirk Wolf
Sent: Saturday, 19 January 2019 10:30 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ICSF and z/OS 2.3

ICSF is currently required if you want to use the Unix /dev/random and
/dev/urandom devices.
These might be required by Unix apps (or jobs/stcs that use z/OS Unix
System services).

For example:  IBM OpenSSH server will not work without ICSF and /dev/random
available.

On Fri, Jan 18, 2019 at 5:24 PM Greg Boyd <gregb...@mainframecrypto.com>
wrote:

> ICSF is only required if you want to use the ICSF APIs, so it depends on
> what, if anything in your shop might be using the APIs.  System SSL (TLS)
> will certainly leverage the APIs if you have Crypto Express cards available
> and that might provide some CPU relief.  The Guardium Database Encryption
> Tool requires it if you want to encrypt IMS segments or DB2 tables at the
> row level.
>
> Pervasive is getting a lot of attention and if you're going that route, I
> would highly recommend that ICSF be active everywhere.  You don't want one
> system writing ciphertext to a file and another system thinking that the
> file is cleartext.  IBM is also recommending that ICSF be 'always up'.
> They have made a number of changes to the component so that it will come up
> earlier in the IPL and it should be one of the last tasks running.
>
> Given the growth in crypto workload, I take 'always up' to also mean
> 'running everywhere'.  There are simply more things that can leverage ICSF,
> some optionally and some require it.
>
> I'm not sure why DFSMShsm would need ICSF active, unless they were using
> the Encryption Facility for z/OS with the DFSMSdss feature.
>
> Greg Boyd
> Mainframe Crypto
> www.mainframecrypto.com
>
>
>
> On Fri, 18 Jan 2019 18:16:37 +0000, Mary Kay Tubello <mtube...@humana.com>
> wrote:
>
> >Hello all,
> >
> >Does anyone know if z/OS 2.3 requires ICSF to be installed on each LPAR?
> >
> >Thanks,
> >Mary Kay
> >
> >Large Systems Engineering
> >IT Infrastructure
> >Humana
> >123 E. Main St. 40202  (CT6)
> >502-476-2772
> >mtube...@humana.com
> >
> >
> >
> >
> >----------------------------------------------------------------------
> >For IBM-MAIN subscribe / signoff / archive access instructions,
> >send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>