System SSL (aka TLS) will work without ICSF being active and without CEX cards being available. You may not like the performance and some functions (i.e. specifically ECC) may not work. Elliptic Curve (ECC) requires that CEX cards are available and ICSF is active, to drive those operations to the card.

Keep in mind that TLS (and System SSL) have two phases:

The handshake phase performs authentication and requires public/private keys, which rely on either CEX cards or software routines. A low number of handshakes per second can be handled in software, but if you have any volume, having the cards can provide a significant savings in MIPS as well as helping performance. Handshakes also do some hashing, which is done on the CPACF (ICSF is not required on the latest versions of z/OS).

The record phase uses symmetric encryption to protect the data and hashing for integrity. The symmetric encryption is done on the CPACF, if you are using DES/TDES or AES (if that is what is negotiated). Long ago, ICSF had to be active to do AES, if you were running on a machine that didn't support AES on the CPACF hardware ... circa z890 and z990. But ICSF is not required on the latest versions of z/OS; System SSL uses the native crypto instructions on the CPACF. Hashing for the record phase is also done on the CPACF (no ICSF required, on current versions of z/OS) if you are using SHA-1 or SHA-2.

Greg Boyd
Mainframe Crypto
www.mainframecrypto.com

On Fri, 8 Nov 2019 01:05:42 -0600, Barbara Nitz <[email protected]> wrote:

>> Do we need ICSF to be running while implementing ATTLS ?
>I ran AT-TLS on a 2.1 RDT system *without* ICSF without a problem. And it was
>for more than just TN3270 traffic at TLS 1.2. I haven't tried at a higher z/OS
>level, but I don't think you need ICSF.
>
>Regards, Barbara
>
>----------------------------------------------------------------------
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to [email protected] with the message: INFO IBM-MAIN
