Re: Implementing ICSF - FOTS1949 PRNG is not seeded
Gil, ssh-rand-helper is no longer supported as of P.T. OpenSSH 1.3, or z/OS OpenSSH 2.2.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Wed, Oct 19, 2016 at 11:10 AM, Paul Gilmartin wrote:
> On Wed, 19 Oct 2016 10:20:16 -0500, Kirk Wolf wrote:
>
> > Right. I've never seen this particular error caused by a missing CPACF feature.
> > More likely either ICSF is not started or the correct userids do not have access to the necessary ICSF features via SAF/RACF.
>
> Ouch! But there's a widespread belief that availability of encryption is a security threat.
>
> I used to read that France much restricted use of encryption. Nowadays that would seem to prohibit iPhones and much limit E-commerce.
>
> Is ssh-rand-helper now thoroughly deprecated? I used to wonder about its message to the effect that sufficient entropy was unavailable. That would seem to be an undecidable proposition.
>
> > On Wed, Oct 19, 2016 at 10:13 AM, R.S. wrote:
> >
> > > > Isn't it enabled by default for all customers except North Korea ? ;-)
> > >
> Others? I used to understand that ITAR excused only USA and Canada.
>
> -- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
For a long time, you would have been well advised to start ICSF with CPACF in order to get a working /dev/random device on z/OS. Many years ago you had to have a card to get /dev/random, but thankfully this was fixed and z/OS has a great secure random number facility (if you start ICSF with CPACF). If you don't do this, OpenSSH through release 1.2 would still work, but it wastes lots of time and CPU during startup of each connection, and you get a crappy random number to boot.

Starting with Ported Tools OpenSSH 1.3, you MUST have /dev/random working in order to use the product.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Wed, Oct 19, 2016 at 10:38 AM, Tom Brennan wrote:
> Thanks - I think I need to read that! One client I work with has CPACF installed with no crypto cards, but no ICSF running. They run SSH uploads hundreds or maybe thousands of times per day, and every day there are a few timeout failures (on their pretty slow z114) while initializing the SSH connection.
>
> My theory is this is because crypto work is all being done in software, and maybe some work could be offloaded to CPACF if I can figure out how to get ICSF running to use it.
>
> Kirk Wolf wrote:
> > > Have you looked at our Quick Start guide for installing and tuning z/OS 2.2 OpenSSH?
> > > https://dovetail.com/docs/pt-quick-inst/index.html
> > >
> > > your question I believe is covered in section "1.6 Using ICSF and /dev/random"
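The check a practitioner would run before touching ICSF or RACF, as an added example that is not part of Kirk Wolf's message or of Dovetailed's Quick Start guide: read a fixed number of bytes from /dev/random under a timeout, and sanity-check what comes back. Per the message above, /dev/random on z/OS is served by ICSF, so a read that blocks or fails is exactly the condition under which Ported Tools OpenSSH 1.3 and later cannot bring up a connection. The function name `check_random_source`, the scratch-file names and the `RNDCHK_LIBRARY` variable are this example's own; it assumes only POSIX sh with dd, od, sort, tr, wc and kill, which z/OS UNIX System Services and Linux both provide, and uses no z/OS-specific command.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovetailed Technologies:
# probe a random device the way a startup-time consumer such as sshd sees it.
# On z/OS, /dev/random is served by ICSF (per the thread); if ICSF is not
# started or the caller lacks SAF access to the ICSF service, the read blocks
# or fails, and OpenSSH reports that the PRNG is not seeded.
# Assumes POSIX sh plus dd, od, sort, tr, wc and kill. Names below are this
# example's own, not an IBM or Dovetailed interface.

# check_random_source DEVICE [NBYTES] [TIMEOUT_SECONDS]
# Exit status: 0 = NBYTES delivered within the timeout and not degenerate
#              1 = blocked past the timeout, short read, or constant output
#              2 = DEVICE is not a character device / no scratch file
check_random_source() {
    dev=$1
    nbytes=${2:-32}
    tmo=${3:-5}
    [ -c "$dev" ] || { echo "$dev: not a character device" >&2; return 2; }

    base="${TMPDIR:-/tmp}/rndchk.$$"
    : > "$base.out" || return 2

    # Run dd in a subshell that records dd's pid and drops a marker file when
    # it finishes, so a blocking device can be detected and the reader killed.
    (
        dd if="$dev" of="$base.out" bs=1 count="$nbytes" 2>/dev/null &
        echo $! > "$base.pid"
        wait
        : > "$base.done"
    ) &
    sub=$!

    waited=0
    while [ ! -f "$base.done" ]; do
        if [ "$waited" -ge "$tmo" ]; then
            kill "$(cat "$base.pid" 2>/dev/null)" 2>/dev/null || :
            wait "$sub" 2>/dev/null || :
            rm -f "$base.out" "$base.pid" "$base.done"
            echo "$dev: read of $nbytes bytes blocked for ${tmo}s; entropy source is not serving" >&2
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    wait "$sub" 2>/dev/null || :

    got=$(wc -c < "$base.out" | tr -d ' ')
    # Distinct byte values seen; a stuck or zeroed source (e.g. /dev/zero) gives 1.
    distinct=$(od -An -v -tx1 "$base.out" | tr -s ' ' '\n' | grep . | sort -u | wc -l | tr -d ' ')
    rm -f "$base.out" "$base.pid" "$base.done"

    if [ "$got" -ne "$nbytes" ]; then
        echo "$dev: short read ($got of $nbytes bytes)" >&2
        return 1
    fi
    if [ "$distinct" -lt 2 ]; then
        echo "$dev: $nbytes bytes read but only $distinct distinct value(s); output is degenerate" >&2
        return 1
    fi
    echo "$dev: OK ($got bytes, $distinct distinct byte values)"
    return 0
}

# When run as a script, probe /dev/random (the device OpenSSH depends on);
# set RNDCHK_LIBRARY to source the function without running the probe.
[ -n "$RNDCHK_LIBRARY" ] || check_random_source "${1:-/dev/random}" 32 5
```

Run it on the failing host twice: once under a sysprog's userid and once under the userid the SSH daemon runs with, since ICSF services are protected per userid through SAF (CSFSERV class). A pass for the first and a timeout for the second points at the SAF permissions Kirk mentions rather than at ICSF itself; a timeout for both means ICSF is not serving /dev/random at all. The /dev/zero case in the function's degenerate-output branch is there to show that "bytes came back" is not the same as "random bytes came back".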
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
On 21 October 2016 at 08:11, R.S. wrote:
> 1. Chinese algorithm
> Is it some new algorithm or just a device with a backdoor for the Chinese Three Letter Agency?
> What's so REGIONAL in the algorithm or crypto device? Why are there no REGIONAL disks, CPUs, RAM DIMMs, etc? :-)))

I take your point, of course. But there *were* other regional devices back in the Bad Old Days. Each country had its own (usually monopoly) telecom carrier(s), and very many of those had non-standard (or rather, local standard) interfaces of their own invention. So in the 1960s-70s there were endless regional feature codes for the 37x5 comms controllers to connect to these different lines.

Even somewhat more recently, North America used the "T1" interface, at 1.544 Mb/s, which can carry 24 voice calls at 64 kb/s, while Europe and most of the Rest Of World (ROW) used "E1" at 2.048 Mb/s to carry usually 30 phone channels. T1 and E1 also have different and incompatible protocols at several levels, so there was no question of just plugging in like an Ethernet cable, where each end negotiates the best connection.

Very amusing to see an IBM box with a connector labelled "customer equipment" plugged into a Telco box connector also labelled "customer equipment". All in one's point of view.

I digress, but it's Friday.

Tony H.
Re: +Embargoed countries and cryptography was Re: Implementing ICSF - FOTS1949 PRNG is not seeded
On 2016-10-23 at 03:01, Clark Morris wrote:
> I would assume that if the country is embargoed, there is no legal way to get a z series. If the country can get a z series, I suspect that it can steal the microcode.

That's why before 1989 we were buying second-hand machines. :-)
Our comrades in Moscow even had source code for OCO things. Trade of the hardware was managed by gentlemen from a Three Letter Agency. A lot of strange stories...

--
Radoslaw Skorupka
Lodz, Poland

---
This e-mail may contain legally privileged information of the Bank and is intended solely for business use of the addressee. This e-mail may only be received by the addressee and may not be disclosed to any third parties. If you are not the intended addressee of this e-mail or the employee authorized to forward it to the addressee, be advised that any dissemination, copying, distribution or any other similar activity is legally prohibited and may be punishable. If you received this e-mail by mistake please advise the sender immediately by using the reply facility in your e-mail software and delete permanently this e-mail including any copies of it either printed or saved to hard drive.
mBank S.A., registered office in Warsaw, ul. Senatorska 18, 00-950 Warszawa, www.mBank.pl, e-mail: kont...@mbank.pl. District Court for the Capital City of Warsaw, XII Commercial Division of the National Court Register, KRS 025237, NIP: 526-021-50-88. As of 01.01.2016 the share capital of mBank S.A. (fully paid up) is PLN 168,955,696.
+Embargoed countries and cryptography was Re: Implementing ICSF - FOTS1949 PRNG is not seeded
On 21 Oct 2016 04:46:57 -0700, in bit.listserv.ibm-main Greg Boyd wrote:
> Lots of good discussion! Pulling some of it together:
>
> IBM CPACF hardware is not a feature, it comes standard with your z hardware. That is, if you order a 6-way z13, each of those 6 CPs has a CPACF. However, because of export restrictions, that device is not enabled until you order and install the necessary microcode, FC #3863. If your address is North Korea, don't bother trying to order this FC. IBM can't ship it to you because of export restrictions.

I would assume that if the country is embargoed, there is no legal way to get a z series. If the country can get a z series, I suspect that it can steal the microcode.

Clark Morris

> > much snipped
>
> Greg Boyd
> Mainframe Crypto
> www.mainframecrypto.com
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
My interpretation was based on the ICSF doc. The ICSF SPG (SC14-7507-04) says on p. 113:

  Open cryptographic servers are separate, standalone devices that perform geography-specific cryptography. They are marketed and serviced by third party vendors. Currently, the only geography-specific cryptography supported by these devices is the Chinese SMx family of algorithms. The devices are secure key hardware security modules (HSMs) that operate similar to IBM's PKCS #11 secure coprocessors (CEXnP). Secure keys are stored in the TKDS and are protected by the open cryptography server master key (OCS-MK).

and on p. 49 you define these devices to ICSF in the Options dataset via the REMOTEDEVICE statement:

  REMOTEDEVICE(index-number, ip-addr-or-hostname, port-number, number-sockets)

The fact that this is referenced by an ip-addr-or-hostname made me think that it was an IP connected device. Other vendors provide devices that can be IP connected to System z and I thought IBM might be embracing a similar technique to support this family of algorithms. But you may be right, IBM might be expanding what can be installed in the I/O cage using PCIe.

Greg Boyd
Mainframe Crypto
www.mainframecrypto.com

P.S. It's been awhile since I posted and now 'Quote Original Message' is adding hex instead of the actual text. It looks like I've got another 'todo' today, to figure out what's going on with that.
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
BTW: FC #3863 is 'no charge'.
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
On 2016-10-21 at 13:24, Greg Boyd wrote:
> Radoslaw,
>
> The RCE support is currently only for Chinese algorithms. As I wrote in my April newsletter:
>
> "Another potentially significant capability is the new Remote Device support. There is a new ICSF Option, REMOTEDEVICE, which allows you to define 'standalone devices that perform geography-specific cryptography'. You can define up to 16 of these remote devices, via IP address and port number. Basically this allows you to route work, from ICSF, to a specialized device delivering a unique algorithm. Currently the support is only for devices that provide the 'Chinese SMx family of algorithms'. I suspect that this is not a new direction for IBM, allowing ICSF to route work to distributed devices, but more an acknowledgement of the realities of supporting crypto in China."

1. Chinese algorithm
Is it some new algorithm or just a device with a backdoor for the Chinese Three Letter Agency?
What's so REGIONAL in the algorithm or crypto device? Why are there no REGIONAL disks, CPUs, RAM DIMMs, etc? :-)))

2. Connection
Greg, you write about an IP connection, but RCE is defined in HCD as a PCIe FUNCTION, occupying a slot in the I/O cage (PCHID, etc.). I can imagine an external box connected via IP, but this picture does not fit the HCD definitions. Maybe it is a card in the I/O cage with a cable to an external box.

Regards
--
Radoslaw Skorupka
Lodz, Poland
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
Lots of good discussion! Pulling some of it together:

IBM CPACF hardware is not a feature, it comes standard with your z hardware. That is, if you order a 6-way z13, each of those 6 CPs has a CPACF. However, because of export restrictions, that device is not enabled until you order and install the necessary microcode, FC #3863. If your address is North Korea, don't bother trying to order this FC. IBM can't ship it to you because of export restrictions.

The 'D M=CPU' shows the CPs, it just doesn't mention the CPACF. Think of the CPACF as just some additional real estate on the general purpose engines ... it simply provides additional instructions (see Message Security Assist in the POPs manual), but you can't use those instructions without the microcode feature. Ten years ago, it was not uncommon that customers did not install that microcode. Today, with all the focus on crypto, most customers have it installed ... unless they are in one of the embargoed countries. To check, look at the System Details from the SE and in the lower right corner, look for 'CP Assist for Crypto functions: Installed'. If it says 'Not Installed', call IBM to order the feature code.

You don't have to have ICSF active to use the CPACF hardware. You can write assembler code that uses these MSA instructions. However, if ICSF is active, then it provides APIs that will in turn invoke those same instructions. It becomes a question of how the product implements crypto. If it uses assembler code and the MSA instructions, then ICSF does not need to be active. If it invokes the ICSF APIs, then ICSF must be active. System SSL has code that will query the environment and branch to routines that use the native instructions, or the APIs or its own software to perform the needed function.

The CPACF device is separate and distinct from the Crypto Express cards, however FC #3863 is a pre-req for the Crypto Express. (Same logic, you can't use encryption technology if you're in an embargoed country.)

Note that the CEX cards provide a hardware random number generator (RNG). The CPACF provides a Pseudo Random Number Generator (PRNG). I suspect that the OpenSSH product will use whichever is available, maybe Kirk can confirm? The later versions of ICSF provide some RNG enhancements, specifically a cache of random numbers, instead of making a call to the card every time a random number is needed. And the z13 implements RNGs that conform to the latest NIST standards.

As Radoslaw mentioned you can dynamically configure the LPARs to assign Crypto Express cards. (There is no config work to assign the CPACF to the LPAR, if the microcode is installed and the CP is assigned, then the CPACF is available to the LPAR.) In the LPAR Activation Profile, you must assign the CEX cards in the online list and candidate list and assign the Usage Domain (where the LPAR looks for a master key when it needs one). The Control Domain is associated with the use of a TKE. And starting with the z10s this configuration could be done dynamically. (This dynamic configuration support isn't just for crypto, but applies to other hardware resources as well. Starting with the z10 you could update the LPAR Activation profile, or temporarily add it to the currently active LPAR, or both. See the PR/SM Planning Guide for your machine.)

Loading the master keys only applies if you have CEX cards installed, and as has been pointed out, can be done from the ICSF panels or from the TKE. I don't recommend using Passphrase Initialization for your production environment. That's a great way to get up and running, but not secure enough for a production environment.

If you have master keys installed in your production environment, then those same production master keys will need to be available on the DR machine. Whatever method you used in production, you'll have to use the same method on the DR machine. However, it also depends on the DR environment (cold site, warm site, hot site). As David Jousma pointed out, you can use a TKE to load master keys in advance, but if it's a push-pull you can't load master keys until the CEX hardware is available, and you'll need at least one z/OS LPAR to connect to the TKE. The other alternative is to use a driver z/OS system and stop and restart ICSF, pointing to each domain, to load the appropriate master keys into each Usage Domain on the DR hardware. Cumbersome, but doable.

Greg Boyd
Mainframe Crypto
www.mainframecrypto.com
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
Radoslaw,

The RCE support is currently only for Chinese algorithms. As I wrote in my April newsletter:

"Another potentially significant capability is the new Remote Device support. There is a new ICSF Option, REMOTEDEVICE, which allows you to define 'standalone devices that perform geography-specific cryptography'. You can define up to 16 of these remote devices, via IP address and port number. Basically this allows you to route work, from ICSF, to a specialized device delivering a unique algorithm. Currently the support is only for devices that provide the 'Chinese SMx family of algorithms'. I suspect that this is not a new direction for IBM, allowing ICSF to route work to distributed devices, but more an acknowledgement of the realities of supporting crypto in China."

Greg Boyd
Mainframe Crypto
www.mainframecrypto.com
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
Yes, no articles in Polish. A tendency for those who have no actual exposure to English to pronounce every letter in every word. And the entirely obtuse proposition of pronouncing all the letter "r"s in English words.

And you think that's an "L" in Radoslav's name? In the town he works in? In the name of the currency? I first came across the Zloty (last currency in our alphabetic table) in 1986, used it a lot in testing. Discovered only recently that I've spent 30 years pronouncing it authoritatively, but incorrectly.

And cases? You want to confuse English speakers? Get them to learn a language with cases. English don't got no cases. Actually, search-engining supports something from the back of my mind, but that is really, really, minor, and doesn't really count. Although, now, all of a sudden, I understand Polish cases a bit better :-)
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
David,
Now it's clear for me. It's a matter of language - in Polish there is no such gizmo as an article (a, an, the).

Yes, you are right, *assuming proper setting* it is possible to control other domains from a TKE. AFAIK, it's not possible to do it from z/OS. However there's a trick: changing the usage domain (or just having an LPAR with several domains) and restarting ICSF with another domain ID.

On the other hand, it's IMHO better to explain something to someone than to show that things are more complex. Some simplifications are sometimes justified ;-)

BTW: Has anybody heard about RCE? Regional Crypto Enablement. A card, defined in HCD as a function. Available in z13 GA2.

Regards
--
Radoslaw Skorupka
Lodz, Poland

On 2016-10-20 at 20:06, Jousma, David wrote:
> RS, I should have elaborated more. You need *a* system up and running on the box, but not *the* system. For example we use TKE, and connect to a TECH system on the box that is running. That tech system IMAGE profile is setup to be able to administer all crypto domains. So when we bring in a new box, we ipl a tech system onto it, and then we can reload MK's for all domains, including systems that are not yet operational. If there is a new MK waiting to load in the crypto card register, ICSF will load that MK automatically upon initialization. I don't believe that there is a way to load MK's for other domains via the ISPF panels, but I could be wrong.
>
> Dave Jousma
> Manager Mainframe Engineering, Assistant Vice President
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
RS, I should have elaborated more. You need *a* system up and running on the box, but not *the* system. For example we use TKE, and connect to a TECH system on the box that is running. That tech system IMAGE profile is setup to be able to administer all crypto domains. So when we bring in a new box, we ipl a tech system onto it, and then we can reload MK's for all domains, including systems that are not yet operational. If there is a new MK waiting to load in the crypto card register, ICSF will load that MK automatically upon initialization. I don't believe that there is a way to load MK's for other domains via the ISPF panels, but I could be wrong.

Dave Jousma
Manager Mainframe Engineering, Assistant Vice President
david.jou...@53.com
1830 East Paris, Grand Rapids, MI 49546 MD RSCB2H
p 616.653.8429
f 616.653.2717

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of R.S.
Sent: Thursday, October 20, 2016 12:34 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Implementing ICSF - FOTS1949 PRNG is not seeded

> Well, again, this is a straightforward approach: you have your own (or dedicated) DR machine. You prepare your system for DR, part of preparation can be MK entry. That means *some* z/OS system IPL-ed, preferably a copy of your prod system.
> @David, AFAIK even with a TKE station you have to IPL the z/OS...
> Of course, if the machine is to be reused by another company, then leaving the MK is not the best idea.
>
> --
> Radoslaw Skorupka
> Lodz, Poland
>
> On 2016-10-20 at 17:18, Jousma, David wrote:
> > If you have a TKE, then you can load it in advance. If not then your only option is to use the ISPF based ICSF panels.

This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited.
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
Well, again, this is a straightforward approach: you have your own (or dedicated) DR machine. You prepare your system for DR, part of preparation can be MK entry. That means *some* z/OS system IPL-ed, preferably a copy of your prod system.
@David, AFAIK even with a TKE station you have to IPL the z/OS...
Of course, if the machine is to be reused by another company, then leaving the MK is not the best idea.

--
Radoslaw Skorupka
Lodz, Poland

On 2016-10-20 at 17:18, Jousma, David wrote:
> If you have a TKE, then you can load it in advance. If not then your only option is to use the ISPF based ICSF panels.
>
> Dave Jousma
> Manager Mainframe Engineering, Assistant Vice President
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
If you have a TKE, then you can load it in advance. If not then your only option is to use the ISPF based ICSF panels.

Dave Jousma
Manager Mainframe Engineering, Assistant Vice President
david.jou...@53.com
1830 East Paris, Grand Rapids, MI 49546 MD RSCB2H
p 616.653.8429 f 616.653.2717

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Jesse 1 Robinson
Sent: Thursday, October 20, 2016 11:06 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Implementing ICSF - FOTS1949 PRNG is not seeded

Thanks. I'm on board except for this statement. "You can do [the Master Key] in advance or during DR IPL." What is "in advance"? These systems are IPLed only in DR (test) mode. Is there any alternative to actual IPL?

J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of R.S.
Sent: Thursday, October 20, 2016 1:33 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Implementing ICSF - FOTS1949 PRNG is not seeded

On 2016-10-19 at 23:22, Jesse 1 Robinson wrote:
> Thanks to Stuart for pointing me to his doc. ;-)
>
> Radoslaw, you said in one post that the whole thing can be done ahead of time, but your latest post mentions only LPAR Image profile setup on HMC. Mike Ward (and Stuart's doc) refer to ICSF, which requires an OS, that is, IPL. Ours is a push-pull installation. New box cannot even be cabled up until the old one is brought down. It should not take long to run ICSF on each LPAR, but I'd prefer to take care of it in advance if possible. Otherwise it will just have to be part of the install.

To clarify, the typical scenario is the following:
CPACF is enabled by IBM.
Sysprog decides in what mode the crypto cards should work. There are 3 modes: Accelerator, CCA coprocessor and EP11 coprocessor.
Sysprog creates Image (LPAR) profiles on HMC, with unique domains.
That's all from the H/W point of view.
Now you can IPL the system, and all remaining activity to customize ICSF does not require IPL.
Things may be more complex if you didn't do the H/W preparation and have running systems.

> One extra complication. This is our DR machine. There are a few LPARs that run all the time, but most come up only during DR testing. I take it we need to bring up DR systems for ICSF master key...

For the DR system the simplest approach is to enter the same Master Key. You can do it in advance or during DR IPL.

HTH

--
Radoslaw Skorupka
Lodz, Poland
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
Thanks. I'm on board except for this statement. "You can do [the Master Key] in advance or during DR IPL." What is "in advance"? These systems are IPLed only in DR (test) mode. Is there any alternative to actual IPL?

J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of R.S.
Sent: Thursday, October 20, 2016 1:33 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Implementing ICSF - FOTS1949 PRNG is not seeded

On 2016-10-19 at 23:22, Jesse 1 Robinson wrote:
> Thanks to Stuart for pointing me to his doc. ;-)
>
> Radoslaw, you said in one post that the whole thing can be done ahead of time, but your latest post mentions only LPAR Image profile setup on HMC. Mike Ward (and Stuart's doc) refer to ICSF, which requires an OS, that is, IPL. Ours is a push-pull installation. New box cannot even be cabled up until the old one is brought down. It should not take long to run ICSF on each LPAR, but I'd prefer to take care of it in advance if possible. Otherwise it will just have to be part of the install.

To clarify, the typical scenario is the following:
CPACF is enabled by IBM.
Sysprog decides in what mode the crypto cards should work. There are 3 modes: Accelerator, CCA coprocessor and EP11 coprocessor.
Sysprog creates Image (LPAR) profiles on HMC, with unique domains.
That's all from the H/W point of view.
Now you can IPL the system, and all remaining activity to customize ICSF does not require IPL.
Things may be more complex if you didn't do the H/W preparation and have running systems.

> One extra complication. This is our DR machine. There are a few LPARs that run all the time, but most come up only during DR testing. I take it we need to bring up DR systems for ICSF master key...

For the DR system the simplest approach is to enter the same Master Key. You can do it in advance or during DR IPL.

HTH

--
Radoslaw Skorupka
Lodz, Poland
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
On 2016-10-19 at 23:22, Jesse 1 Robinson wrote:
> Thanks to Stuart for pointing me to his doc. ;-)
>
> Radoslaw, you said in one post that the whole thing can be done ahead of time, but your latest post mentions only LPAR Image profile setup on HMC. Mike Ward (and Stuart's doc) refer to ICSF, which requires an OS, that is, IPL. Ours is a push-pull installation. New box cannot even be cabled up until the old one is brought down. It should not take long to run ICSF on each LPAR, but I'd prefer to take care of it in advance if possible. Otherwise it will just have to be part of the install.

To clarify, the typical scenario is the following:
CPACF is enabled by IBM.
Sysprog decides in what mode the crypto cards should work. There are 3 modes: Accelerator, CCA coprocessor and EP11 coprocessor.
Sysprog creates Image (LPAR) profiles on HMC, with unique domains.
That's all from the H/W point of view.
Now you can IPL the system, and all remaining activity to customize ICSF does not require IPL.
Things may be more complex if you didn't do the H/W preparation and have running systems.

> One extra complication. This is our DR machine. There are a few LPARs that run all the time, but most come up only during DR testing. I take it we need to bring up DR systems for ICSF master key...

For the DR system the simplest approach is to enter the same Master Key. You can do it in advance or during DR IPL.

HTH

--
Radoslaw Skorupka
Lodz, Poland
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
On Wed, 19 Oct 2016 18:28:23 -0400, Tony Harminc wrote:
>
> OT, but the "You are now in France" attack, followed by the "You are
> still in France" attack, was a hot topic in 1998-1999.
>
Thanks for the interesting OT info, until now new to me.

> http://catless.ncl.ac.uk/Risks/19/74#subj8 You are now in France
> http://catless.ncl.ac.uk/Risks/20/17#subj1 France allows strong crypto

    - To supplement the current legal framework by the introduction of obligations, together with penal sanctions, concerning the handing-over to the legal authorities, when they require it, of the cleartext version of encrypted documents. ...

Yeah, right. How did that work in San Bernardino?

    ... At the same time, the technical skills of the public authorities will be significantly improved.

The skill of breaking strong encryption would be highly marketable, even to the point of being an incentive to defect.

> http://catless.ncl.ac.uk/Risks/20/20#subj8 You are still in France

-- gil
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
On 19 October 2016 at 12:10, Paul Gilmartin <000433f07816-dmarc-requ...@listserv.ua.edu> wrote:
> Ouch! But there's a widespread belief that availability of encryption is a
> security threat.
>
> I used to read that France much restricted use of encryption. Nowadays
> that would seem to prohibit iPhones and much limit E-commerce.

OT, but the "You are now in France" attack, followed by the "You are still in France" attack, was a hot topic in 1998-1999.

http://catless.ncl.ac.uk/Risks/19/74#subj8 You are now in France
http://catless.ncl.ac.uk/Risks/20/17#subj1 France allows strong crypto
http://catless.ncl.ac.uk/Risks/20/20#subj8 You are still in France

Tony H.
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
Once the ICSF Master Keys are entered into the crypto domain after the first IPL of each system, they'll be there and ready when you IPL your DR system in the future. If you've changed the keys on the production side, you have to keep them in sync with the DR box too.

Mark Jacobs

> Jesse 1 Robinson <mailto:jesse1.robin...@sce.com>
> October 19, 2016 at 5:22 PM
> Thanks to Stuart for pointing me to his doc. ;-)
>
> Radoslaw, you said in one post that the whole thing can be done ahead of time, but your latest post mentions only LPAR Image profile setup on HMC. Mike Ward (and Stuart's doc) refer to ICSF, which requires an OS, that is, IPL. Ours is a push-pull installation. New box cannot even be cabled up until the old one is brought down. It should not take long to run ICSF on each LPAR, but I'd prefer to take care of it in advance if possible. Otherwise it will just have to be part of the install.
>
> One extra complication. This is our DR machine. There are a few LPARs that run all the time, but most come up only during DR testing. I take it we need to bring up DR systems for ICSF master key...
>
> J.O.Skip Robinson
> Southern California Edison Company
> Electric Dragon Team Paddler
> SHARE MVS Program Co-Manager
> 323-715-0595 Mobile
> 626-302-7535 Office
> robin...@sce.com
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of R.S.
> Sent: Wednesday, October 19, 2016 1:12 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: (External):Re: Implementing ICSF - FOTS1949 PRNG is not seeded
>
> Well, Customize Activation Profiles, LPAR profile, Crypto tab.
> You have to set up some values for two things:
> Crypto Domain. Assign one "Control and Usage domain". Unique one. Use the same domain in CSFPRMxx (or just leave it default).
> Assigned Cryptos. Assign all existing CryptoExpress cards as Candidate and Online.
>
> Note: this is a simple configuration, one of many possible. Details are more complex and depend on many factors. When teaching this I spent a few hours on that. :-)
>
> --
> Radoslaw Skorupka
> Lodz, Poland

--
Mark Jacobs
Time Customer Service
Global Technology Services

The standard you walk past is the standard you accept.
Lt. Gen. David Morrison
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
Thanks to Stuart for pointing me to his doc. ;-)

Radoslaw, you said in one post that the whole thing can be done ahead of time, but your latest post mentions only LPAR Image profile setup on HMC. Mike Ward (and Stuart's doc) refer to ICSF, which requires an OS, that is, IPL. Ours is a push-pull installation. New box cannot even be cabled up until the old one is brought down. It should not take long to run ICSF on each LPAR, but I'd prefer to take care of it in advance if possible. Otherwise it will just have to be part of the install.

One extra complication. This is our DR machine. There are a few LPARs that run all the time, but most come up only during DR testing. I take it we need to bring up DR systems for ICSF master key...

J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of R.S.
Sent: Wednesday, October 19, 2016 1:12 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Implementing ICSF - FOTS1949 PRNG is not seeded

On 2016-10-19 at 20:36, Dazzo, Matt wrote:
> RS, what do you mean by 'setup lpar in advance?' We will be doing a scheduled
> IPL this weekend so I have an opportunity should I need to make a config
> change.
>
Well, Customize Activation Profiles, LPAR profile, Crypto tab.
You have to set up some values for two things:
Crypto Domain. Assign one "Control and Usage domain". Unique one. Use the same domain in CSFPRMxx (or just leave it default).
Assigned Cryptos. Assign all existing CryptoExpress cards as Candidate and Online.

Note: this is a simple configuration, one of many possible. Details are more complex and depend on many factors. When teaching this I spent a few hours on that. :-)

--
Radoslaw Skorupka
Lodz, Poland
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
On 2016-10-19 at 20:36, Dazzo, Matt wrote:
> RS, what do you mean by 'setup lpar in advance?' We will be doing a scheduled IPL this weekend so I have an opportunity should I need to make a config change.

Well, Customize Activation Profiles, LPAR profile, Crypto tab.
You have to set up some values for two things:
Crypto Domain. Assign one "Control and Usage domain". Unique one. Use the same domain in CSFPRMxx (or just leave it default).
Assigned Cryptos. Assign all existing CryptoExpress cards as Candidate and Online.

Note: this is a simple configuration, one of many possible. Details are more complex and depend on many factors. When teaching this I spent a few hours on that. :-)

--
Radoslaw Skorupka
Lodz, Poland
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
Master Key set is done through ICSF.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Jesse 1 Robinson
Sent: Wednesday, October 19, 2016 10:42 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Implementing ICSF - FOTS1949 PRNG is not seeded

We are installing a z13s and going through preliminary setup. When selecting the Crypto tab in an Image profile, I was a bit alarmed by this message:

Attention: You must install the 'IBM CP Assist for Cryptographic Functions' (CPACF) feature if a cryptographic candidate is selected from the list box. Otherwise, some functions of Integrated Cryptographic Service Facility (ICSF) may fail.

I spoke to the person who created and placed the order. He assured me that CPACF had been ordered and that no one he talked to believed that it requires explicit 'activation'. So I went to a z12 that has been in service for years. I see the same warning message on the Crypto tab. So it appears to be standard boilerplate that does not reflect the status of CPACF.

We're still exploring how to set the Master Key. We had thought that it was an HCM task, but now we're led to believe that it's done through ICSF. Which means that we have to IPL (each?) LPAR in order to set it. The guy who did this for years is gone.

J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Kirk Wolf
Sent: Wednesday, October 19, 2016 8:20 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Implementing ICSF - FOTS1949 PRNG is not seeded

Right. I've never seen this particular error caused by a missing CPACF feature.
More likely either ICSF is not started or the correct userids do not have access to the necessary ICSF features via SAF/RACF.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Wed, Oct 19, 2016 at 10:13 AM, R.S. wrote:
> On 2016-10-19 at 17:05, John Eells wrote:
>
>> R.S. wrote:
>>
>>> Double click on CPC icon. Instance Information tab, bottom right
>>> corner "CP Assist for Crypto functions: Installed".
>>
>> Note also that CPACF is a feature, so if it's not installed
>> (enabled), you need to order the feature to get it installed.
>> (Whether its enablement or lack thereof matters in this context, I
>> have no clue.)
>
> Isn't it enabled by default for all customers except North Korea ? ;-)
>
> --
> Radoslaw Skorupka
> Lodz, Poland
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
RS, what do you mean by 'setup lpar in advance?' We will be doing a scheduled IPL this weekend so I have an opportunity should I need to make a config change.

Thanks
Matt

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of R.S.
Sent: Wednesday, October 19, 2016 12:18 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Implementing ICSF - FOTS1949 PRNG is not seeded

Whole ICSF setup, including Master Key introduction, can be done without IPL. However, you have to set up the LPAR in advance. Those changes can be done dynamically or ...Activate will be required. In the last case IPL is a result.

--
Radoslaw Skorupka
Lodz, Poland

On 2016-10-19 at 17:46, Mark Jacobs - Listserv wrote:
> Unless you have a TKE, you will have to use the ICSF panels to enter
> the master keys. So yes, you'll need to IPL each image to do so. Just
> a heads up that if you perform ICSF Master Key changes (recommended),
> you might have to first enter the previous set of keys, then the
> current set. I can elaborate on why if you'd like.
>
> Mark Jacobs
>
>> Jesse 1 Robinson <mailto:jesse1.robin...@sce.com>
>> October 19, 2016 at 11:41 AM
>> We are installing a z13s and going through preliminary setup. When
>> selecting the Crypto tab in an Image profile, I was a bit alarmed by
>> this message:
>>
>> Attention: You must install the 'IBM CP Assist for Cryptographic Functions'
>> (CPACF) feature if a cryptographic candidate is selected from the list box.
>> Otherwise, some functions of Integrated Cryptographic Service Facility (ICSF) may fail.
>>
>> I spoke to the person who created and placed the order. He assured me
>> that CPACF had been ordered and that no one he talked to believed
>> that it requires explicit 'activation'. So I went to a z12 that has
>> been in service for years. I see the same warning message on the
>> Crypto tab. So it appears to be standard boilerplate that does not
>> reflect the status of CPACF.
>>
>> We're still exploring how to set the Master Key. We had thought that
>> it was an HCM task, but now we're led to believe that it's done
>> through ICSF. Which means that we have to IPL (each?) LPAR in order
>> to set it. The guy who did this for years is gone.
>>
>> J.O.Skip Robinson
>> Southern California Edison Company
>> Electric Dragon Team Paddler
>> SHARE MVS Program Co-Manager
>> 323-715-0595 Mobile
>> 626-302-7535 Office
>> robin...@sce.com
>>
>> -----Original Message-----
>> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
>> On Behalf Of Kirk Wolf
>> Sent: Wednesday, October 19, 2016 8:20 AM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: (External):Re: Implementing ICSF - FOTS1949 PRNG is not seeded
>>
>> Right. I've never seen this particular error caused by a missing
>> CPACF feature.
>> More likely either ICSF is not started or the correct userids do not
>> have access to the necessary ICSF features via SAF/RACF.
>>
>> Kirk Wolf
>> Dovetailed Technologies
>> http://dovetail.com
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
Skip - Check the web pages I left behind. Instructions for setting the keys through the ICSF panels are in there.

On 10/19/2016 08:41 AM, Jesse 1 Robinson wrote:
> We are installing a z13s and going through preliminary setup. When selecting
> the Crypto tab in an Image profile, I was a bit alarmed by this message:
>
> Attention: You must install the 'IBM CP Assist for Cryptographic Functions'
> (CPACF) feature if a cryptographic candidate is selected from the list box.
> Otherwise, some functions of Integrated Cryptographic Service Facility (ICSF)
> may fail.
>
> I spoke to the person who created and placed the order. He assured me that
> CPACF had been ordered and that no one he talked to believed that it requires
> explicit 'activation'. So I went to a z12 that has been in service for years.
> I see the same warning message on the Crypto tab. So it appears to be
> standard boilerplate that does not reflect the status of CPACF.
>
> We're still exploring how to set the Master Key. We had thought that it was
> an HCM task, but now we're led to believe that it's done through ICSF. Which
> means that we have to IPL (each?) LPAR in order to set it. The guy who did
> this for years is gone.
>
> J.O.Skip Robinson
> Southern California Edison Company
> Electric Dragon Team Paddler
> SHARE MVS Program Co-Manager
> 323-715-0595 Mobile
> 626-302-7535 Office
> robin...@sce.com
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Kirk Wolf
> Sent: Wednesday, October 19, 2016 8:20 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: (External):Re: Implementing ICSF - FOTS1949 PRNG is not seeded
>
> Right. I've never seen this particular error caused by a missing CPACF
> feature.
> More likely either ICSF is not started or the correct userids do not have
> access to the necessary ICSF features via SAF/RACF.
>
> Kirk Wolf
> Dovetailed Technologies
> http://dovetail.com
>
> On Wed, Oct 19, 2016 at 10:13 AM, R.S. wrote:
>
>> On 2016-10-19 at 17:05, John Eells wrote:
>>
>>> R.S. wrote:
>>>
>>>> Double click on CPC icon. Instance Information tab, bottom right
>>>> corner "CP Assist for Crypto functions: Installed".
>>>
>>> Note also that CPACF is a feature, so if it's not installed
>>> (enabled), you need to order the feature to get it installed.
>>> (Whether its enablement or lack thereof matters in this context, I
>>> have no clue.)
>>
>> Isn't it enabled by default for all customers except North Korea ? ;-)
>>
>> --
>> Radoslaw Skorupka
>> Lodz, Poland
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
Whole ICSF setup, including Master Key introduction, can be done without IPL. However, you have to set up the LPAR in advance. Those changes can be done dynamically or ...Activate will be required. In the last case IPL is a result.

--
Radoslaw Skorupka
Lodz, Poland

On 2016-10-19 at 17:46, Mark Jacobs - Listserv wrote:
> Unless you have a TKE, you will have to use the ICSF panels to enter the master keys. So yes, you'll need to IPL each image to do so. Just a heads up that if you perform ICSF Master Key changes (recommended), you might have to first enter the previous set of keys, then the current set. I can elaborate on why if you'd like.
>
> Mark Jacobs
>
>> Jesse 1 Robinson <mailto:jesse1.robin...@sce.com>
>> October 19, 2016 at 11:41 AM
>> We are installing a z13s and going through preliminary setup. When selecting the Crypto tab in an Image profile, I was a bit alarmed by this message:
>>
>> Attention: You must install the 'IBM CP Assist for Cryptographic Functions' (CPACF) feature if a cryptographic candidate is selected from the list box. Otherwise, some functions of Integrated Cryptographic Service Facility (ICSF) may fail.
>>
>> I spoke to the person who created and placed the order. He assured me that CPACF had been ordered and that no one he talked to believed that it requires explicit 'activation'. So I went to a z12 that has been in service for years. I see the same warning message on the Crypto tab. So it appears to be standard boilerplate that does not reflect the status of CPACF.
>>
>> We're still exploring how to set the Master Key. We had thought that it was an HCM task, but now we're led to believe that it's done through ICSF. Which means that we have to IPL (each?) LPAR in order to set it. The guy who did this for years is gone.
>>
>> J.O.Skip Robinson
>> Southern California Edison Company
>> Electric Dragon Team Paddler
>> SHARE MVS Program Co-Manager
>> 323-715-0595 Mobile
>> 626-302-7535 Office
>> robin...@sce.com
>>
>> -----Original Message-----
>> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Kirk Wolf
>> Sent: Wednesday, October 19, 2016 8:20 AM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: (External):Re: Implementing ICSF - FOTS1949 PRNG is not seeded
>>
>> Right. I've never seen this particular error caused by a missing CPACF feature.
>> More likely either ICSF is not started or the correct userids do not have access to the necessary ICSF features via SAF/RACF.
>>
>> Kirk Wolf
>> Dovetailed Technologies
>> http://dovetail.com
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
On Wed, 19 Oct 2016 10:20:16 -0500, Kirk Wolf wrote:
> Right. I've never seen this particular error caused by a missing CPACF feature.
> More likely either ICSF is not started or the correct userids do not have access to the necessary ICSF features via SAF/RACF.

Ouch! But there's a widespread belief that availability of encryption is a security threat.

I used to read that France much restricted use of encryption. Nowadays that would seem to prohibit iPhones and much limit E-commerce.

Is ssh-rand-helper now thoroughly deprecated? I used to wonder about its message to the effect that sufficient entropy was unavailable. That would seem to be an undecidable proposition.

> On Wed, Oct 19, 2016 at 10:13 AM, R.S. wrote:
>>> Isn't it enabled by default for all customers except North Korea ? ;-)

Others? I used to understand that ITAR excused only USA and Canada.

-- gil
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
The message you saw:

    Attention: You must install the 'IBM CP Assist for Cryptographic Functions' (CPACF) feature if a cryptographic candidate is selected from the list box. Otherwise, some functions of Integrated Cryptographic Service Facility (ICSF) may fail.

is really a hint or reminder rather than an error message. It is just reminding you that you may have additional setup to do before you can really use ICSF.

Tom Mathias
SE/HMC Development Team
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
If you're not creating any data encryption keys in the CKDS, then a one cylinder database is plenty of space.

Mark Jacobs

Dazzo, Matt <mailto:00a854d4f854-dmarc-requ...@listserv.ua.edu> wrote on October 19, 2016 at 11:46 AM:
> RS, Kirk thanks. I was able to confirm from the SE that CPACF is enabled.
>
> I have started configuring ICSF and am trying to determine the size of the CKDS. For now ICSF will be used for SSH-ftp; I am not sure if a lot of keys are dynamically created, or is just the master key going to be in there? From reading the ICSF programmer's guide I take it that what ICSF will be used for will determine if a lot of keys are created. I'd rather not create a CKDS too large if I don't have to. Any comments would be helpful.
>
> Thanks Matt

Please be alert for any emails that may ask you for login information or direct you to login via a link. If you believe this message is a phish or aren't sure whether this message is trustworthy, please send the original message as an attachment to 'phish...@timeinc.com'.
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
Unless you have a TKE, you will have to use the ICSF panels to enter the master keys. So yes, you'll need to IPL each image to do so.

Just a heads up that if you perform ICSF Master Key changes (recommended), you might have to first enter the previous set of keys, then the current set. I can elaborate on why if you'd like.

Mark Jacobs

Jesse 1 Robinson <mailto:jesse1.robin...@sce.com> wrote on October 19, 2016 at 11:41 AM:
> We are installing a z13s and going through preliminary setup. When selecting the Crypto tab in an Image profile, I was a bit alarmed by this message:
>
>     Attention: You must install the 'IBM CP Assist for Cryptographic Functions' (CPACF) feature if a cryptographic candidate is selected from the list box. Otherwise, some functions of Integrated Cryptographic Service Facility (ICSF) may fail.
>
> I spoke to the person who created and placed the order. He assured me that CPACF had been ordered and that no one he talked to believed that it requires explicit 'activation'. So I went to a z12 that has been in service for years. I see the same warning message on the Crypto tab. So it appears to be standard boilerplate that does not reflect the status of CPACF.
>
> We're still exploring how to set the Master Key. We had thought that it was an HCM task, but now we're led to believe that it's done through ICSF. Which means that we have to IPL (each?) LPAR in order to set it. The guy who did this for years is gone. . .
>
> J.O.Skip Robinson
> Southern California Edison Company
> Electric Dragon Team Paddler
> SHARE MVS Program Co-Manager
> 323-715-0595 Mobile
> 626-302-7535 Office
> robin...@sce.com

--
Mark Jacobs
Time Customer Service
Global Technology Services

The standard you walk past is the standard you accept.
Lt. Gen. David Morrison
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
RS, Kirk thanks. I was able to confirm from the SE that CPACF is enabled.

I have started configuring ICSF and am trying to determine the size of the CKDS. For now ICSF will be used for SSH-ftp; I am not sure if a lot of keys are dynamically created, or is just the master key going to be in there? From reading the ICSF programmer's guide I take it that what ICSF will be used for will determine if a lot of keys are created. I'd rather not create a CKDS too large if I don't have to. Any comments would be helpful.

Thanks Matt

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Kirk Wolf
Sent: Wednesday, October 19, 2016 11:20 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Implementing ICSF - FOTS1949 PRNG is not seeded

Right. I've never seen this particular error caused by a missing CPACF feature.
More likely either ICSF is not started or the correct userids do not have access to the necessary ICSF features via SAF/RACF.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Wed, Oct 19, 2016 at 10:13 AM, R.S. wrote:
> On 2016-10-19 at 17:05, John Eells wrote:
>> R.S. wrote:
>>> Double click on CPC icon. Instance Information tab, bottom right corner "CP Assist for Crypto functions: Installed".
>>
>> Note also that CPACF is a feature, so if it's not installed (enabled), you need to order the feature to get it installed. (Whether its enablement or lack thereof matters in this context, I have no clue.)
>
> Isn't it enabled by default for all customers except North Korea ? ;-)
>
> --
> Radoslaw Skorupka
> Lodz, Poland
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
We are installing a z13s and going through preliminary setup. When selecting the Crypto tab in an Image profile, I was a bit alarmed by this message:

    Attention: You must install the 'IBM CP Assist for Cryptographic Functions' (CPACF) feature if a cryptographic candidate is selected from the list box. Otherwise, some functions of Integrated Cryptographic Service Facility (ICSF) may fail.

I spoke to the person who created and placed the order. He assured me that CPACF had been ordered and that no one he talked to believed that it requires explicit 'activation'. So I went to a z12 that has been in service for years. I see the same warning message on the Crypto tab. So it appears to be standard boilerplate that does not reflect the status of CPACF.

We're still exploring how to set the Master Key. We had thought that it was an HCM task, but now we're led to believe that it's done through ICSF. Which means that we have to IPL (each?) LPAR in order to set it. The guy who did this for years is gone. . .

J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Kirk Wolf
Sent: Wednesday, October 19, 2016 8:20 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Implementing ICSF - FOTS1949 PRNG is not seeded

Right. I've never seen this particular error caused by a missing CPACF feature.
More likely either ICSF is not started or the correct userids do not have access to the necessary ICSF features via SAF/RACF.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Wed, Oct 19, 2016 at 10:13 AM, R.S. wrote:
> On 2016-10-19 at 17:05, John Eells wrote:
>> R.S. wrote:
>>> Double click on CPC icon. Instance Information tab, bottom right corner "CP Assist for Crypto functions: Installed".
>>
>> Note also that CPACF is a feature, so if it's not installed (enabled), you need to order the feature to get it installed. (Whether its enablement or lack thereof matters in this context, I have no clue.)
>
> Isn't it enabled by default for all customers except North Korea ? ;-)
>
> --
> Radoslaw Skorupka
> Lodz, Poland
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
Thanks - I think I need to read that! One client I work with has CPACF installed with no crypto cards, but no ICSF running. They run SSH uploads hundreds or maybe thousands of times per day, and every day there are a few timeout failures (on their pretty slow z114) while initializing the SSH connection.

My theory is this is because crypto work is all being done in software, and maybe some work could be offloaded to CPACF if I can figure out how to get ICSF running to use it.

Kirk Wolf wrote:
> Have you looked at our Quick Start guide for installing and tuning z/OS 2.2 OpenSSH?
> https://dovetail.com/docs/pt-quick-inst/index.html
>
> Your question, I believe, is covered in section "1.6 Using ICSF and /dev/random".
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
When IBM or a business partner orders a new mainframe, CPACF is enabled by default only if the machine has Crypto cards. Otherwise, it's a no-charge feature code, so it would make sense to be sure the person ordering the mainframe knows to enable it, even if you don't need it right away.

R.S. wrote:
> Isn't it enabled by default for all customers except North Korea ? ;-)
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
Right. I've never seen this particular error caused by a missing CPACF feature.
More likely either ICSF is not started or the correct userids do not have access to the necessary ICSF features via SAF/RACF.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Wed, Oct 19, 2016 at 10:13 AM, R.S. wrote:
> On 2016-10-19 at 17:05, John Eells wrote:
>> R.S. wrote:
>>> Double click on CPC icon. Instance Information tab, bottom right corner "CP Assist for Crypto functions: Installed".
>>
>> Note also that CPACF is a feature, so if it's not installed (enabled), you need to order the feature to get it installed. (Whether its enablement or lack thereof matters in this context, I have no clue.)
>
> Isn't it enabled by default for all customers except North Korea ? ;-)
>
> --
> Radoslaw Skorupka
> Lodz, Poland
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
On 2016-10-19 at 17:05, John Eells wrote:
> R.S. wrote:
>> Double click on CPC icon. Instance Information tab, bottom right corner "CP Assist for Crypto functions: Installed".
>
> Note also that CPACF is a feature, so if it's not installed (enabled), you need to order the feature to get it installed. (Whether its enablement or lack thereof matters in this context, I have no clue.)

Isn't it enabled by default for all customers except North Korea ? ;-)

--
Radoslaw Skorupka
Lodz, Poland
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
R.S. wrote:
> Double click on CPC icon. Instance Information tab, bottom right corner "CP Assist for Crypto functions: Installed".

Note also that CPACF is a feature, so if it's not installed (enabled), you need to order the feature to get it installed. (Whether its enablement or lack thereof matters in this context, I have no clue.)

--
John Eells
IBM Poughkeepsie
ee...@us.ibm.com
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
On 2016-10-19 at 16:19, Dazzo, Matt wrote:
> This is a totally new world for me so bear with me. I've been reading for several hours trying to determine what I need to satisfy the requirement 'OpenSSH requires that a working /dev/random device' as I got the error 'FOTS1949 PRNG is not seeded' when testing SSH-FTP on my newly installed z/OS 2.2 system.
>
> I determined that ICSF has to be implemented (started), but does CPACF have to be enabled? From reading the archives I found in a thread that displaying the CPU would show if the CPACF is enabled?
>
> Below is a display of our CPU; it appears the CPACF is not enabled? Does this require an IPL?
>
>     D M=CPU
>     IEE174I 09.46.57  DISPLAY M 216
>     PROCESSOR STATUS
>     ID  CPU              SERIAL
>     00  +                024E7E2828
>     01  +                024E7E2828
>     02  +I               024E7E2828
>     03  NI
>     04  NI
>     05  NI
>
> Thanks Matt

In order to start ICSF (some simplification here) you have to have CPACF enabled.

How to check it? Log on to the Support Element. Not to be confused with the HMC; the same action on the HMC will NOT give you the answer. Double click on the CPC icon. Instance Information tab, bottom right corner: "CP Assist for Crypto functions: Installed".

HTH

--
Radoslaw Skorupka
Lodz, Poland
Re: Implementing ICSF - FOTS1949 PRNG is not seeded
Have you looked at our Quick Start guide for installing and tuning z/OS 2.2 OpenSSH?
https://dovetail.com/docs/pt-quick-inst/index.html

Your question, I believe, is covered in section "1.6 Using ICSF and /dev/random".

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Wed, Oct 19, 2016 at 9:19 AM, Dazzo, Matt <00a854d4f854-dmarc-requ...@listserv.ua.edu> wrote:
> This is a totally new world for me so bear with me. I've been reading for several hours trying to determine what I need to satisfy the requirement 'OpenSSH requires that a working /dev/random device' as I got the error 'FOTS1949 PRNG is not seeded' when testing SSH-FTP on my newly installed z/OS 2.2 system.
>
> I determined that ICSF has to be implemented (started), but does CPACF have to be enabled? From reading the archives I found in a thread that displaying the CPU would show if the CPACF is enabled?
>
> Below is a display of our CPU; it appears the CPACF is not enabled? Does this require an IPL?
>
>     D M=CPU
>     IEE174I 09.46.57  DISPLAY M 216
>     PROCESSOR STATUS
>     ID  CPU              SERIAL
>     00  +                024E7E2828
>     01  +                024E7E2828
>     02  +I               024E7E2828
>     03  NI
>     04  NI
>     05  NI
>
> Thanks Matt
Implementing ICSF - FOTS1949 PRNG is not seeded
This is a totally new world for me so bear with me. I've been reading for several hours trying to determine what I need to satisfy the requirement 'OpenSSH requires that a working /dev/random device' as I got the error 'FOTS1949 PRNG is not seeded' when testing SSH-FTP on my newly installed z/OS 2.2 system.

I determined that ICSF has to be implemented (started), but does CPACF have to be enabled? From reading the archives I found in a thread that displaying the CPU would show if the CPACF is enabled?

Below is a display of our CPU; it appears the CPACF is not enabled? Does this require an IPL?

    D M=CPU
    IEE174I 09.46.57  DISPLAY M 216
    PROCESSOR STATUS
    ID  CPU              SERIAL
    00  +                024E7E2828
    01  +                024E7E2828
    02  +I               024E7E2828
    03  NI
    04  NI
    05  NI

Thanks Matt
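The prerequisite the whole thread turns on is that OpenSSH on z/OS can actually read bytes from /dev/random, which is what FOTS1949 "PRNG is not seeded" reports when it cannot. The script below is an added example, not something posted in the thread, that performs that check from a z/OS UNIX shell before ssh is ever run and, on failure, names the two causes Kirk points at (ICSF not started, missing SAF/RACF access). It assumes only a POSIX sh with dd and od (both present in z/OS UNIX System Services); the device path is a parameter so the same check can be pointed at another path for testing.

```sh
#!/bin/sh
# Added example (not from the thread): verify the /dev/random prerequisite
# that z/OS OpenSSH needs; FOTS1949 "PRNG is not seeded" means this failed.
# Assumes a POSIX sh with dd and od, both present in z/OS UNIX System Services.

# check_random_device DEVICE NBYTES
# Returns 0 if exactly NBYTES bytes can be read from DEVICE, 1 otherwise.
# A device node that exists but has no started ICSF behind it hands back
# nothing, which is the failure this thread is chasing.
check_random_device() {
    dev=$1
    want=$2
    if [ ! -r "$dev" ]; then
        echo "NOTOK: $dev does not exist or is not readable by this userid" >&2
        return 1
    fi
    # Read the bytes and count them through a hex dump (two hex digits per byte).
    hex=$(dd if="$dev" bs=1 count="$want" 2>/dev/null | od -An -tx1 | tr -d ' \n\t')
    if [ "${#hex}" -eq $((want * 2)) ]; then
        return 0
    fi
    echo "NOTOK: read $(( ${#hex} / 2 )) of $want bytes from $dev" >&2
    return 1
}

# random_bytes_hex DEVICE NBYTES
# Prints the bytes read as a hex string. Two calls must differ: a cheap
# sanity check that the device is not returning a constant.
random_bytes_hex() {
    dd if="$1" bs=1 count="$2" 2>/dev/null | od -An -tx1 | tr -d ' \n\t'
}

# report DEVICE
# Runs both checks; exit status 0 means the OpenSSH prerequisite is met.
# On failure it prints the two causes named in the thread as the next things
# to look at (ICSF not started, SAF/RACF access to ICSF services missing).
report() {
    dev=${1:-/dev/random}
    if ! check_random_device "$dev" 16; then
        echo "$dev is not usable; z/OS OpenSSH will fail with FOTS1949."
        echo "  - Is ICSF started in this LPAR (and CPACF installed on the CPC)?"
        echo "  - Does this userid have SAF/RACF access to the ICSF services it needs?"
        return 1
    fi
    a=$(random_bytes_hex "$dev" 16)
    b=$(random_bytes_hex "$dev" 16)
    if [ "$a" = "$b" ]; then
        echo "WARN: two 16-byte reads from $dev were identical ($a)"
        return 1
    fi
    echo "OK: $dev returned 16 bytes twice with different values; prerequisite met."
    return 0
}

# Runs only when a device path is given, e.g.:  sh check_random.sh /dev/random
if [ -n "${1:-}" ]; then
    report "$1"
fi
```

Run it under the same userid that will run ssh or sftp, since Kirk's second cause (SAF/RACF access to the ICSF services) is per userid and a check run as a different user proves nothing about that one.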