Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-28 Thread Kirk Wolf
Gil,

ssh-rand-helper is no longer supported as of P.T. OpenSSH 1.3, or z/OS
OpenSSH 2.2.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Wed, Oct 19, 2016 at 11:10 AM, Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Wed, 19 Oct 2016 10:20:16 -0500, Kirk Wolf wrote:
>
> >Right.  I've never seen this particular error caused by a missing CPACF
> >feature.
> >More likely either ICSF is not started or the correct userids do not have
> >access to the necessary ICSF features via SAF/RACF.
> >
> Ouch!  But there's a widespread belief that availability of encryption is a
> security threat.
>
> I used to read that France much restricted use of encryption.  Nowadays
> that would seem to prohibit iPhones and much limit E-commerce.
>
> Is ssh-rand-helper now thoroughly deprecated?  I used to wonder about
> its message to the effect that sufficient entropy was unavailable.  That
> would seem to be an undecidable proposition.
>
> >On Wed, Oct 19, 2016 at 10:13 AM, R.S. wrote:
> >
> >>> Isn't it enabled by default for all customers except North Korea ? ;-)
> >>
> Others?  I used to understand that ITAR excused only USA and Canada.
>
> -- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-28 Thread Kirk Wolf
For a long time, you would have been well advised to start ICSF with CPACF
in order to get a working /dev/random device on z/OS.   Many years ago you
had to have a card to get /dev/random, but thankfully this was fixed and
z/OS has a great secure random number facility (if you start ICSF with
CPACF).

If you don't do this, OpenSSH through release 1.2 would still work, but it
wastes lots of time and CPU during startup of each connection, and you get
a crappy random number to boot.

Starting with Ported Tools OpenSSH 1.3, you MUST have /dev/random working
in order to use the product.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Wed, Oct 19, 2016 at 10:38 AM, Tom Brennan 
wrote:

> Thanks - I think I need to read that!  One client I work with has CPACF
> installed with no crypto cards, but no ICSF running.  They run SSH uploads
> hundreds or maybe thousands of times per day, and every day there are a few
> timeout failures (on their pretty slow z114) while initializing the SSH
> connection.
>
> My theory is this is because crypto work is all being done in software,
> and maybe some work could be offloaded to CPACF if I can figure out how to
> get ICSF running to use it.
>
> Kirk Wolf wrote:
>
>> Have you looked at our Quick Start guide for installing and tuning z/OS
>> 2.2
>> OpenSSH?
>> https://dovetail.com/docs/pt-quick-inst/index.html
>>
>> your question I believe is covered in section "1.6 Using ICSF and
>> /dev/random"
>>
>
>
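
A pre-flight check for the requirement stated above, that /dev/random must be working before OpenSSH is started. This is an added example, not part of the original post and not code from any product named in this thread. The function names, the return codes and the two-read comparison are assumptions; it assumes a POSIX shell with dd, od and tr, and it shows only that the device returns varying bytes, not that they are of good quality.

```shell
#!/bin/sh
# Added example: probe a random device before relying on it.
# read_hex and check_random_device are hypothetical helper names.

# Read $2 bytes from device $1 in a single read and print them as one
# hex string. -v stops od from collapsing repeated lines into "*".
read_hex() {
    dd if="$1" bs="$2" count=1 2>/dev/null | od -An -v -tx1 | tr -d ' \t\n'
}

# check_random_device DEV [NBYTES]
# Return codes (assumed convention for this example):
#   0  device exists and two reads returned NBYTES each, with different data
#   1  DEV is missing, is not a character device, or is not readable
#   2  short or empty read (the device gave fewer bytes than requested)
#   3  both reads returned identical data (constant output)
check_random_device() {
    dev=$1
    n=${2:-16}

    [ -c "$dev" ] && [ -r "$dev" ] || return 1

    a=$(read_hex "$dev" "$n")
    b=$(read_hex "$dev" "$n")

    # Two hex digits per byte are expected from each read.
    [ "${#a}" -eq $((n * 2)) ] && [ "${#b}" -eq $((n * 2)) ] || return 2

    # Two 16-byte reads from a working generator should never match.
    [ "$a" != "$b" ] || return 3

    return 0
}

# Usage (not run here):
#   check_random_device /dev/random; echo "rc=$?"
```
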



Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-28 Thread Tony Harminc
On 21 October 2016 at 08:11, R.S.  wrote:
> 1. Chinese algorithm
> Is it some new algorithm or just device with backdoor for Chinese Three
> Letter Agency?
> What's so REGIONAL in the algorithm or crypto device? Why there are no
> REGIONAL disks, CPUs, RAM DIMMs, etc?  :-)))

I take your point, of course. But there *were* other regional devices
back in the Bad Old Days. Each country had its own (usually monopoly)
telecom carrier(s), and very many of those had non-standard (or
rather, local standard) interfaces of their own invention. So in the
1960s-70s there were endless regional feature codes for the 37x5 comms
controllers to connect to these different lines. Even somewhat more
recently, North America used the "T1" interface, at 1.544 Mb/s which
can carry 24 voice calls at 64 kb/s, while Europe and most of the Rest
Of World (ROW) used "E1" at 2.048 Mb/s to carry usually 30 phone
channels. T1 and E1 also have different and incompatible protocols at
several levels, so there was no question of just plugging in like an
Ethernet cable, and each end negotiates the best connection.

Very amusing to see an IBM box with a connector labelled "customer
equipment" plugged into a Telco box connector also labelled "customer
equipment". All in one's point of view. I digress, but it's Friday.

Tony H.



Re: +Embargoed countries and cryptography was Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-23 Thread R.S.

On 2016-10-23 at 03:01, Clark Morris wrote:

> I would assume that if the country is embargoed, there is no legal way
> to get a z series.  If the country can get a z series, I suspect that
> it can steal the microcode.


That's why before 1989 we were buying second hand machines. :-)

Our comrades in Moscow even had source code for OCO things.
Trade of the hardware was managed by gentlemen from Three Letter Agency.
A lot of strange stories...

--
Radoslaw Skorupka
Lodz, Poland








+Embargoed countries and cryptography was Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-22 Thread Clark Morris
[Default] On 21 Oct 2016 04:46:57 -0700, in bit.listserv.ibm-main
gregb...@mainframecrypto.com (Greg Boyd) wrote:

>Lots of good discussion!  Pulling some of it together:
>
>IBM CPACF hardware is not a feature, it comes standard with your z hardware.  
>That is, if you order a 6-way z13, each of those 6 CPs has a CPACF.  However, 
>because of export restrictions, that device is not enabled until you order and 
>install the necessary microcode, FC #3863.  If your address is North Korea, 
>don't bother trying to order this FC.  IBM can't ship it to you because of 
>export restrictions.

I would assume that if the country is embargoed, there is no legal way
to get a z series.  If the country can get a z series, I suspect that
it can steal the microcode.

Clark Morris
>
>> much snipped
>
>Greg Boyd
>Mainframe Crypto
>www.mainframecrypto.com
>


Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-21 Thread Greg Boyd
My interpretation was based on the ICSF doc.  The ICSF SPG (SC14-7507-04) says 
on p. 113:

Open cryptographic servers are separate, standalone devices that perform 
geography-specific cryptography. They are marketed and serviced by third party 
vendors. Currently, the only geography-specific cryptography supported by these 
devices is the Chinese SMx family of algorithms. The devices are secure key 
hardware security modules (HSMs) that operate similar to IBM's PKCS #11 secure 
coprocessors (CEXnP). Secure keys are stored in the TKDS and are protected by 
the open cryptography server master key (OCS-MK).

and on p. 49 you define these devices to ICSF in the Options dataset via the 
REMOTEDEVICE statement:

REMOTEDEVICE(index-number, ip-addr-or-hostname, port-number,
number-sockets)

The fact that this is referenced by an ip-addr-or-hostname made me think that 
it was an IP connected device.

Other vendors provide devices that can be IP connected to System z and I 
thought IBM might be embracing a similar technique to support this family of 
algorithms.  But you may be right, IBM might be expanding what can be installed 
in the I/O cage using PCIe.

Greg Boyd
Mainframe Crypto
www.mainframecrypto.com

P.S.  It's been a while since I posted and now 'Quote Original Message' is 
adding hex instead of the actual text.  It looks like I've got another 'todo' 
today, to figure out what's going on with that.



Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-21 Thread Parwez Hamid
BTW: FC #3863 is 'no charge'.



Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-21 Thread R.S.

On 2016-10-21 at 13:24, Greg Boyd wrote:

> Radoslaw,
> The RCE support is currently only for Chinese algorithms.  As I wrote in my
> April newsletter:
>
> "Another potentially significant capability is the new Remote Device support.
> There is a new ICSF Option, REMOTEDEVICE, which allows you to define
> ‘standalone devices that perform geography-specific cryptography’.
> You can define up to 16 of these remote devices, via IP address and port
> number.  Basically this allows you to route work, from ICSF, to a
> specialized device delivering a unique algorithm.
>
> Currently the support is only for devices that provide the ‘Chinese SMx
> family of algorithms’.  I suspect that this is not a new direction for IBM,
> allowing ICSF to route work to distributed devices, but more an
> acknowledgement of the realities of supporting crypto in China."


1. Chinese algorithm
Is it some new algorithm or just device with backdoor for Chinese 
Three Letter Agency?
What's so REGIONAL in the algorithm or crypto device? Why there are no 
REGIONAL disks, CPUs, RAM DIMMs, etc?

:-)))

2. Connection
Greg, you write about IP connection, but RCE is defined in HCD as a 
PCIe FUNCTION, occupying a slot in I/O cage (PCHID, etc.)
I can imagine external box connected via IP, but this picture does not 
fit to HCD definitions. Maybe it is a card in I/O cage with cable to 
external box



Regards
--
Radoslaw Skorupka
Lodz, Poland








Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-21 Thread Greg Boyd
Lots of good discussion!  Pulling some of it together:

IBM CPACF hardware is not a feature, it comes standard with your z hardware.  
That is, if you order a 6-way z13, each of those 6 CPs has a CPACF.  However, 
because of export restrictions, that device is not enabled until you order and 
install the necessary microcode, FC #3863.  If your address is North Korea, 
don't bother trying to order this FC.  IBM can't ship it to you because of 
export restrictions.

The 'D M=CPU' shows the CPs, it just doesn't mention the CPACF.  Think of the 
CPACF as just some additional real estate on the general purpose engines ... it 
simply provides additional instructions (see Message Security Assist in the 
POPs manual), but you can't use those instructions without the microcode 
feature.

Ten years ago, it was not uncommon that customers did not install that 
microcode.  Today, with all the focus on crypto, most customers have it 
installed ... unless they are in one of the embargoed countries.  To check, 
look at the System Details from the SE and in the lower right corner, look for 
'CP Assist for Crypto functions:  Installed'. If it says 'Not Installed' call 
IBM to order the feature code.

You don't have to have ICSF active to use the CPACF hardware.  You can write 
assembler code that uses these MSA instructions.  However, if ICSF is active, 
then it provides APIs that will in turn invoke those same instructions.  It 
becomes a question of how the product implements crypto.  If it uses assembler 
code and the MSA instructions, then ICSF does not need to be active.  If it 
invokes the ICSF APIs, then ICSF must be active.  System SSL has code that will 
query the environment and branch to routines that use the native instructions, 
or the APIs or its own software to perform the needed function.

The CPACF device is separate and distinct from the Crypto Express cards, 
however FC #3863 is a pre-req for the Crypto Express.  (Same logic, you can't 
use encryption technology if you're in an embargoed country.)

Note that the CEX cards provide a hardware random number generator (RNG).  The 
CPACF provides a Pseudo Random Number Generator (PRNG).  I suspect that the 
OpenSSH product will use whichever is available, maybe Kirk can confirm?  The 
later versions of ICSF provide some RNG enhancements, specifically a cache of 
random numbers, instead of making a call to the card every time a random number 
is needed.  And the z13 implements RNGs that conform to the latest NIST 
standards.

As Radoslaw mentioned you can dynamically configure the LPARs to assign Crypto 
Express cards.  (There is no config work to assign the CPACF to the LPAR, if 
the microcode is installed and the CP is assigned, then the CPACF is available 
to the LPAR.) In the LPAR Activation Profile, you must assign the CEX cards in 
the online list and candidate list and assign the Usage Domain (where the LPAR 
looks for a master key when it needs one).  The Control Domain is 
associated with the use of a TKE.  And starting with the z10s this 
configuration could be done dynamically.  (This dynamic configuration support 
isn't just for crypto, but applies to other hardware resources as well.)  
Starting with the z10 you could update the LPAR Activation profile, or 
temporarily add it to the currently active LPAR or both.  See the PR/SM 
Planning Guide for your machine.

Loading the master keys only applies if you have CEX cards installed, and as 
has been pointed out, can be done from the ICSF panels or from the TKE.  I 
don't recommend using Passphrase Initialization for your production 
environment.  That's a great way to get up and running, but not secure enough 
for a production environment.

If you have master keys installed in your production environment, then those 
same production master keys will need to be available on the DR machine.  
Whatever method you used in production, you'll have to use the same method on 
the DR machine.  However, it also depends on the DR environment (cold site, 
warm site, hot site).  As David Jousma pointed out, you can use a TKE to load 
master keys in advance, but if it's a push-pull you can't load master keys 
until the CEX hardware is available, and you'll need at least one z/OS LPAR to 
connect to the TKE.  The other alternative is to use a driver z/OS system and 
stop and restart ICSF, pointing to each domain, to load the appropriate master 
keys into each Usage Domain on the DR hardware.  Cumbersome, but doable.

Greg Boyd
Mainframe Crypto
www.mainframecrypto.com



Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-21 Thread Greg Boyd
Radoslaw,
The RCE support is currently only for Chinese algorithms.  As I wrote in my 
April newsletter:

"Another potentially significant capability is the new Remote Device support.  
There is a new ICSF Option, 
REMOTEDEVICE, which allows you to define ‘standalone devices that perform 
geography-specific cryptography’.  
You can define up to 16 of these remote devices, via IP address and port 
number.  Basically this allows you to 
route work, from ICSF, to a specialized device delivering a unique algorithm.

Currently the support is only for devices that provide the ‘Chinese SMx family 
of algorithms’.  I suspect that 
this is not a new direction for IBM, allowing ICSF to route work to distributed 
devices, but more an 
acknowledgement of the realities of supporting crypto in China."

Greg Boyd
Mainframe Crypto
www.mainframecrypto.com



Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-21 Thread Bill Woodger
Yes, no articles in Polish. A tendency for those who have no actual exposure to 
English to pronounce every letter in every word. And the entirely obtuse 
proposition of pronouncing all the letter "r"s in English words.

And you think that's an "L" in Radoslav's name? In the town he works in? In the 
name of the currency? I first came across the Zloty (last currency in our 
alphabetic table) in 1986, used it a lot in testing. Discovered only recently 
that I've spent 30 years pronouncing it authoritatively, but incorrectly.

And cases? You want to confuse English speakers? Get them to learn a language 
with cases. English don't got no cases. Actually, search-engineing supports 
something from the back of my mind, but that is really, really, minor, and 
doesn't really count. Although, now, all of a sudden, I understand Polish 
cases a bit better :-)



Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-20 Thread R.S.

David,
Now it's clear for me.
It's matter of language - in Polish there is no such gismo like article 
(a, an, the).
Yes, you are right, *assuming proper setting* it is possible to control 
other domains from a TKE.
AFAIK, it's not possible to do it from z/OS. However there's a trick: 
changing usage domain (or just have an LPAR with several domains) and 
restart ICSF with another domain ID.


From the other hand it's IMHO better to explain something to someone, 
than show the things are more complex. Some simplifications are sometimes 
justified ;-)



BTW: Has anybody heard about RCE? Regional Crypto Enablement. A card, 
defined in HCD as a function. Available in z13 GA2.


Regards
--
Radoslaw Skorupka
Lodz, Poland








On 2016-10-20 at 20:06, Jousma, David wrote:

> RS,
>
> I should have elaborated more.  You need *a* system up and running on the box,
> but not *the* system.   For example we use TKE, and connect to a TECH system on
> the box that is running.   That tech system IMAGE profile is set up to be able
> to administer all crypto domains.   So when we bring in a new box, we ipl a
> tech system onto it, and then we can reload MK's for all domains, including
> systems that are not yet operational.  If there is a new MK waiting to load in
> the crypto card register, ICSF will load that MK automatically upon
> initialization.
>
> I don't believe that there is a way to load MK's for other domains via the ISPF
> panels, but I could be wrong.


Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-20 Thread Jousma, David
RS,

I should have elaborated more.  You need *a* system up and running on the box, 
but not *the* system.   For example we use TKE, and connect to a TECH system on 
the box that is running.   That tech system IMAGE profile is set up to be able 
to administer all crypto domains.   So when we bring in a new box, we ipl a 
tech system onto it, and then we can reload MK's for all domains, including 
systems that are not yet operational.  If there is a new MK waiting to load in 
the crypto card register, ICSF will load that MK automatically upon 
initialization.

I don't believe that there is a way to load MK's for other domains via the ISPF 
panels, but I could be wrong. 

_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President
david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H
p 616.653.8429
f 616.653.2717


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of R.S.
Sent: Thursday, October 20, 2016 12:34 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Implementing ICSF - FOTS1949 PRNG is not seeded

Well, again, this is straightforward approach: you have your own (or
dedicated) DR machine. You prepare your system for DR, part of preparation can 
be MK entry. That means *some* z/OS system IPL-ed, preferably a copy of your 
prod system.
@David, AFAIK even with TKE station you have to IPL the z/OS...

Of course, if the machine is to be reused by other company, then leaving MK is 
not the best idea.

--
Radoslaw Skorupka
Lodz, Poland








Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-20 Thread R.S.
Well, again, this is straightforward approach: you have your own (or 
dedicated) DR machine. You prepare your system for DR, part of 
preparation can be MK entry. That means *some* z/OS system IPL-ed, 
preferably a copy of your prod system.

@David, AFAIK even with TKE station you have to IPL the z/OS...

Of course, if the machine is to be reused by other company, then leaving 
MK is not the best idea.


--
Radoslaw Skorupka
Lodz, Poland







On 2016-10-20 at 17:18, Jousma, David wrote:

> If you have a TKE, then you can load it in advance.  If not then your only
> option is to use the ISPF based ICSF panels.

_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President
david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H
p 616.653.8429
f 616.653.2717


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jesse 1 Robinson
Sent: Thursday, October 20, 2016 11:06 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Implementing ICSF - FOTS1949 PRNG is not seeded

Thanks. I'm on board except for this statement. "You can do [the Master Key] in advance or 
during DR IPL." What is "in advance"? These systems are IPLed only in DR (test) 
mode. Is there any alternative to actual IPL?






Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-20 Thread Jousma, David
If you have a TKE, then you can load it in advance.  If not then your only 
option is to use the ISPF based ICSF panels.  

_
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President
david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H
p 616.653.8429
f 616.653.2717


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jesse 1 Robinson
Sent: Thursday, October 20, 2016 11:06 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Implementing ICSF - FOTS1949 PRNG is not seeded

Thanks. I'm on board except for this statement. "You can do [the Master Key] in 
advance or during DR IPL." What is "in advance"? These systems are IPLed only 
in DR (test) mode. Is there any alternative to actual IPL?

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of R.S.
Sent: Thursday, October 20, 2016 1:33 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Implementing ICSF - FOTS1949 PRNG is not seeded

On 2016-10-19 at 23:22, Jesse 1 Robinson wrote:
> Thanks to Stuart for pointing me to his doc. ;-)
>
> Radoslaw, you said in one post that the whole thing can be done ahead of 
> time, but your latest post mentions only LPAR Image profile setup on HMC. 
> Mike Ward (and Stuart's doc) refer to ICSF, which requires an OS, that is, 
> IPL. Ours is a push-pull installation. New box cannot even be cabled up until 
> the old one is brought down. It should not take long to run ICSF on each 
> LPAR, but I'd prefer to take care of it in advance if possible. Otherwise it 
> will just have to be part of the install.
To clarify:
Typical scenario is the following:
CPACF is enabled by IBM
Sysprog decides in what mode the crypto cards should work. There are 3 modes: 
Accelerator, CCA coprocessor and EP11 coprocessor.
Sysprog creates Image (LPAR) profiles on HMC, with unique domains.
That's all from H/W point of view.
Now you can IPL the system and all remaining activity to customize ICSF does not 
require IPL.

Things may be more complex if you didn't do the H/W preparation and have 
running systems.

> One extra complication. This is our DR machine. There are a few LPARs that 
> run all the time, but most come up only during DR testing. I take it we need 
> to bring up DR systems for ICSF master key...

For the DR system the simplest approach is to enter the same Master Key. 
You can do it in advance or during DR IPL.


HTH

--
Radoslaw Skorupka
Lodz, Poland



Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-20 Thread Jesse 1 Robinson
Thanks. I'm on board except for this statement. "You can do [the Master Key] in 
advance or during DR IPL." What is "in advance"? These systems are IPLed only 
in DR (test) mode. Is there any alternative to actual IPL?

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of R.S.
Sent: Thursday, October 20, 2016 1:33 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Implementing ICSF - FOTS1949 PRNG is not seeded

On 2016-10-19 at 23:22, Jesse 1 Robinson wrote:
> Thanks to Stuart for pointing me to his doc. ;-)
>
> Radoslaw, you said in one post that the whole thing can be done ahead of 
> time, but your latest post mentions only LPAR Image profile setup on HMC. 
> Mike Ward (and Stuart's doc) refer to ICSF, which requires an OS, that is, 
> IPL. Ours is a push-pull installation. New box cannot even be cabled up until 
> the old one is brought down. It should not take long to run ICSF on each 
> LPAR, but I'd prefer to take care of it in advance if possible. Otherwise it 
> will just have to be part of the install.
To clarify:
Typical scenario is the following:
CPACF is enabled by IBM
Sysprog decides in what mode the crypto cards should work. There are 3 modes: 
Accelerator, CCA coprocessor and EP11 coprocessor.
Sysprog creates Image (LPAR) profiles on HMC, with unique domains.
That's all from H/W point of view.
Now you can IPL the system and all remaining activity to customize ICSF does not 
require IPL.

Things may be more complex if you didn't do the H/W preparation and have 
running systems.

> One extra complication. This is our DR machine. There are a few LPARs that 
> run all the time, but most come up only during DR testing. I take it we need 
> to bring up DR systems for ICSF master key...

For the DR system the simplest approach is to enter the same Master Key. 
You can do it in advance or during DR IPL.


HTH

--
Radoslaw Skorupka
Lodz, Poland



Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-20 Thread R.S.

On 2016-10-19 at 23:22, Jesse 1 Robinson wrote:

> Thanks to Stuart for pointing me to his doc. ;-)
>
> Radoslaw, you said in one post that the whole thing can be done ahead of time, 
> but your latest post mentions only LPAR Image profile setup on HMC. Mike Ward 
> (and Stuart's doc) refer to ICSF, which requires an OS, that is, IPL. Ours is a 
> push-pull installation. New box cannot even be cabled up until the old one is 
> brought down. It should not take long to run ICSF on each LPAR, but I'd prefer 
> to take care of it in advance if possible. Otherwise it will just have to be 
> part of the install.

To clarify:
Typical scenario is the following:
CPACF is enabled by IBM
Sysprog decides in what mode the crypto cards should work. There are 3 modes: 
Accelerator, CCA coprocessor and EP11 coprocessor.
Sysprog creates Image (LPAR) profiles on HMC, with unique domains.
That's all from H/W point of view.
Now you can IPL the system and all remaining activity to customize ICSF 
does not require IPL.

Things may be more complex if you didn't do the H/W preparation and have 
running systems.

> One extra complication. This is our DR machine. There are a few LPARs that run 
> all the time, but most come up only during DR testing. I take it we need to 
> bring up DR systems for ICSF master key...

For the DR system the simplest approach is to enter the same Master Key. 
You can do it in advance or during DR IPL.



HTH

--
Radoslaw Skorupka
Lodz, Poland








Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-19 Thread Paul Gilmartin
On Wed, 19 Oct 2016 18:28:23 -0400, Tony Harminc wrote:
>
>OT, but the "You are now in France" attack, followed by the "You are
>still in France" attack, was a hot topic in 1998-1999.
> 
Thanks for the interesting OT info, until now new to me.

>http://catless.ncl.ac.uk/Risks/19/74#subj8  You are now in France
>http://catless.ncl.ac.uk/Risks/20/17#subj1  France allows strong crypto

- - To supplement the current legal framework by the introduction of
obligations, together with penal sanctions, concerning the handing-over
to the legal authorities, when they require it, of the cleartext
version of encrypted documents. ...

Yeah, right.  How did that work in San Bernardino?

... At the same time, the technical
skills of the public authorities will be significantly improved.

The skill of breaking strong encryption would be highly marketable,
even to the point of being an incentive to defect.

>http://catless.ncl.ac.uk/Risks/20/20#subj8  You are still in France

-- gil



Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-19 Thread Tony Harminc
On 19 October 2016 at 12:10, Paul Gilmartin
<000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> Ouch!  But there's a widespread belief that availability of encryption is a 
> security threat.
>
> I used to read that France much restricted use of encryption.  Nowadays
> that would seem to prohibit iPhones and much limit E-commerce.

OT, but the "You are now in France" attack, followed by the "You are
still in France" attack, was a hot topic in 1998-1999.

http://catless.ncl.ac.uk/Risks/19/74#subj8  You are now in France
http://catless.ncl.ac.uk/Risks/20/17#subj1  France allows strong crypto
http://catless.ncl.ac.uk/Risks/20/20#subj8  You are still in France

Tony H.



Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-19 Thread Mark Jacobs - Listserv
Once the ICSF Master Keys are entered into the crypto domain after the 
first IPL of each system, they'll be there and ready when you IPL your 
DR system in the future. If you've changed the keys on the production 
side, you have to keep them in sync with the DR box too.


Mark Jacobs

Jesse 1 Robinson <mailto:jesse1.robin...@sce.com>
October 19, 2016 at 5:22 PM
Thanks to Stuart for pointing me to his doc. ;-)

Radoslaw, you said in one post that the whole thing can be done ahead 
of time, but your latest post mentions only LPAR Image profile setup 
on HMC. Mike Ward (and Stuart's doc) refer to ICSF, which requires an 
OS, that is, IPL. Ours is a push-pull installation. New box cannot 
even be cabled up until the old one is brought down. It should not 
take long to run ICSF on each LPAR, but I'd prefer to take care of it 
in advance if possible. Otherwise it will just have to be part of the 
install.


One extra complication. This is our DR machine. There are a few LPARs 
that run all the time, but most come up only during DR testing. I take 
it we need to bring up DR systems for ICSF master key...


.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] 
On Behalf Of R.S.

Sent: Wednesday, October 19, 2016 1:12 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Implementing ICSF - FOTS1949 PRNG is not seeded

Well,
Customize Activation Profiles, LPAR profile, Crypto tab.
You have to set up some values for two things:
Crypto Domain. Assign one "Control and Usage domain". Unique one.
Use the same domain in CSFPRMxx (or just leave it default).

Assigned Cryptos
Assign all existing CryptoExpress cards as Candidate and Online.

Note: this is simple configuration, one of many possible. Details are 
more complex and depend on many factors.

When teaching this I spent a few hours on that. :-)

--
Radoslaw Skorupka
Lodz, Poland





--

Mark Jacobs
Time Customer Service
Global Technology Services

The standard you walk past is the standard you accept.
Lt. Gen. David Morrison




Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-19 Thread Jesse 1 Robinson
Thanks to Stuart for pointing me to his doc. ;-)

Radoslaw, you said in one post that the whole thing can be done ahead of time, 
but your latest post mentions only LPAR Image profile setup on HMC. Mike Ward 
(and Stuart's doc) refer to ICSF, which requires an OS, that is, IPL. Ours is a 
push-pull installation. New box cannot even be cabled up until the old one is 
brought down. It should not take long to run ICSF on each LPAR, but I'd prefer 
to take care of it in advance if possible. Otherwise it will just have to be 
part of the install. 

One extra complication. This is our DR machine. There are a few LPARs that run 
all the time, but most come up only during DR testing. I take it we need to 
bring up DR systems for ICSF master key...

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of R.S.
Sent: Wednesday, October 19, 2016 1:12 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Implementing ICSF - FOTS1949 PRNG is not seeded

On 2016-10-19 at 20:36, Dazzo, Matt wrote:
> RS, what do you mean by 'setup lpar in advance?' We will be doing a scheduled 
> IPL this weekend so I have an opportunity should I need to make a config 
> change.
>

Well,
Customize Activation Profiles, LPAR profile, Crypto tab.
You have to set up some values for two things:
Crypto Domain. Assign one "Control and Usage domain". Unique one.
Use the same domain in CSFPRMxx (or just leave it default).

Assigned Cryptos
Assign all existing CryptoExpress cards as Candidate and Online.

Note: this is simple configuration, one of many possible. Details are more 
complex and depend on many factors.
When teaching this I spent a few hours on that. :-)

--
Radoslaw Skorupka
Lodz, Poland



Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-19 Thread R.S.

On 2016-10-19 at 20:36, Dazzo, Matt wrote:

> RS, what do you mean by 'setup lpar in advance?' We will be doing a scheduled 
> IPL this weekend so I have an opportunity should I need to make a config change.

Well,
Customize Activation Profiles, LPAR profile, Crypto tab.
You have to set up some values for two things:
Crypto Domain. Assign one "Control and Usage domain". Unique one.
Use the same domain in CSFPRMxx (or just leave it default).

Assigned Cryptos
Assign all existing CryptoExpress cards as Candidate and Online.

Note: this is simple configuration, one of many possible. Details are 
more complex and depend on many factors.

When teaching this I spent a few hours on that. :-)

--
Radoslaw Skorupka
Lodz, Poland








Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-19 Thread Ward, Mike S
Master Key set is done through ICSF.

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jesse 1 Robinson
Sent: Wednesday, October 19, 2016 10:42 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Implementing ICSF - FOTS1949 PRNG is not seeded

We are installing a z13s and going through preliminary setup. When selecting 
the Crypto tab in an Image profile, I was a bit alarmed by this message:

Attention: You must install the 'IBM CP Assist for Cryptographic Functions' 
(CPACF) feature if a cryptographic candidate is selected from the list box. 
Otherwise, some functions of Integrated Cryptographic Service Facility (ICSF) 
may fail.

I spoke to the person who created and placed the order. He assured me that 
CPACF had been ordered and that no one he talked to believed that it requires 
explicit 'activation'. So I went to a z12 that has been in service for years. I 
see the same warning message on the Crypto tab. So it appears to be standard 
boilerplate that does not reflect the status of CPACF.

We’re still exploring how to set the Master Key. We had thought that it was an 
HCM task, but now we're led to believe that it's done through ICSF. Which means 
that we have to IPL (each?) LPAR in order to set it. The guy who did this for 
years is gone.   

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Kirk Wolf
Sent: Wednesday, October 19, 2016 8:20 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Implementing ICSF - FOTS1949 PRNG is not seeded

Right.  I've never seen this particular error caused by a missing CPACF feature.
More likely either ICSF is not started or the correct userids do not have 
access to the necessary ICSF features via SAF/RACF.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Wed, Oct 19, 2016 at 10:13 AM, R.S. 
wrote:

> On 2016-10-19 at 17:05, John Eells wrote:
>
>> R.S. wrote:
>> 
>>
>>> Double click on CPC icon. Instance Information tab, bottom right 
>>> corner "CP Assist for Crypto functions:
>>> Installed".
>>>
>>
>> Note also that CPACF is a feature, so if it's not installed 
>> (enabled), you need to order the feature to get it installed. 
>> (Whether its enablement or lack thereof matters in this context, I 
>> have no clue.)
>>
>> Isn't it enabled by default for all customers except North Korea ? 
>> ;-)
>
> --
> Radoslaw Skorupka
> Lodz, Poland




Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-19 Thread Dazzo, Matt
RS, what do you mean by 'setup lpar in advance?' We will be doing a scheduled 
IPL this weekend so I have an opportunity should I need to make a config 
change. 

Thanks Matt

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of R.S.
Sent: Wednesday, October 19, 2016 12:18 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Implementing ICSF - FOTS1949 PRNG is not seeded


Whole ICSF setup, including Master Key introduction can be done without IPL.

However you have to set up the LPAR in advance. Those changes can be done 
dynamically or ...Activate will be required. In the last case IPL is a result.

--
Radoslaw Skorupka
Lodz, Poland








On 2016-10-19 at 17:46, Mark Jacobs - Listserv wrote:
> Unless you have a TKE, you will have to use the ICSF panels to enter 
> the master keys. So yes, you'll need to IPL each image to do so. Just 
> a heads up that if you perform ICSF Master Key changes (recommended), 
> you might have to first enter the previous set of keys, then the 
> current set. I can elaborate on why if you'd like.
>
> Mark Jacobs
>
>> Jesse 1 Robinson <mailto:jesse1.robin...@sce.com>
>> October 19, 2016 at 11:41 AM
>> We are installing a z13s and going through preliminary setup. When 
>> selecting the Crypto tab in an Image profile, I was a bit alarmed by 
>> this message:
>>
>> Attention: You must install the 'IBM CP Assist for Cryptographic 
>> Functions'
>> (CPACF) feature if a cryptographic candidate is selected from the 
>> list box.
>> Otherwise, some functions of Integrated Cryptographic Service 
>> Facility (ICSF) may fail.
>>
>> I spoke to the person who created and placed the order. He assured me 
>> that CPACF had been ordered and that no one he talked to believed 
>> that it requires explicit 'activation'. So I went to a z12 that has 
>> been in service for years. I see the same warning message on the 
>> Crypto tab. So it appears to be standard boilerplate that does not 
>> reflect the status of CPACF.
>>
>> We're still exploring how to set the Master Key. We had thought that 
>> it was an HCM task, but now we're led to believe that it's done 
>> through ICSF. Which means that we have to IPL (each?) LPAR in order 
>> to set it. The guy who did this for years is gone.
>>
>> .
>> .
>> J.O.Skip Robinson
>> Southern California Edison Company
>> Electric Dragon Team Paddler
>> SHARE MVS Program Co-Manager
>> 323-715-0595 Mobile
>> 626-302-7535 Office
>> robin...@sce.com
>>
>>
>> -Original Message-
>> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] 
>> On Behalf Of Kirk Wolf
>> Sent: Wednesday, October 19, 2016 8:20 AM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: (External):Re: Implementing ICSF - FOTS1949 PRNG is not seeded
>>
>> Right. I've never seen this particular error caused by a missing 
>> CPACF feature.
>> More likely either ICSF is not started or the correct userids do not 
>> have access to the necessary ICSF features via SAF/RACF.
>>
>> Kirk Wolf
>> Dovetailed Technologies
>> http://dovetail.com
>>




Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-19 Thread Stuart zseries
Skip - Check the web pages I left behind. Instructions for setting the 
keys through the ICSF panels are in there.


On 10/19/2016 08:41 AM, Jesse 1 Robinson wrote:
> We are installing a z13s and going through preliminary setup. When selecting 
> the Crypto tab in an Image profile, I was a bit alarmed by this message:
>
> Attention: You must install the 'IBM CP Assist for Cryptographic Functions'
> (CPACF) feature if a cryptographic candidate is selected from the list box.
> Otherwise, some functions of Integrated Cryptographic Service Facility (ICSF) 
> may fail.
>
> I spoke to the person who created and placed the order. He assured me that 
> CPACF had been ordered and that no one he talked to believed that it requires 
> explicit 'activation'. So I went to a z12 that has been in service for years. 
> I see the same warning message on the Crypto tab. So it appears to be 
> standard boilerplate that does not reflect the status of CPACF.
>
> We’re still exploring how to set the Master Key. We had thought that it was 
> an HCM task, but now we're led to believe that it's done through ICSF. Which 
> means that we have to IPL (each?) LPAR in order to set it. The guy who did 
> this for years is gone.
>
> .
> .
> J.O.Skip Robinson
> Southern California Edison Company
> Electric Dragon Team Paddler
> SHARE MVS Program Co-Manager
> 323-715-0595 Mobile
> 626-302-7535 Office
> robin...@sce.com
>
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Kirk Wolf
> Sent: Wednesday, October 19, 2016 8:20 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: (External):Re: Implementing ICSF - FOTS1949 PRNG is not seeded
>
> Right.  I've never seen this particular error caused by a missing CPACF 
> feature.
> More likely either ICSF is not started or the correct userids do not have 
> access to the necessary ICSF features via SAF/RACF.
>
> Kirk Wolf
> Dovetailed Technologies
> http://dovetail.com
>
> On Wed, Oct 19, 2016 at 10:13 AM, R.S. 
> wrote:
>
>> On 2016-10-19 at 17:05, John Eells wrote:
>>
>>> R.S. wrote:
>>> 
>>>
>>>> Double click on CPC icon. Instance Information tab, bottom right
>>>> corner "CP Assist for Crypto functions:
>>>> Installed".
>>>>
>>> Note also that CPACF is a feature, so if it's not installed
>>> (enabled), you need to order the feature to get it installed.
>>> (Whether its enablement or lack thereof matters in this context, I
>>> have no clue.)
>>>
>>> Isn't it enabled by default for all customers except North Korea ?
>>> ;-)
>> --
>> Radoslaw Skorupka
>> Lodz, Poland
>


Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-19 Thread R.S.


Whole ICSF setup, including Master Key introduction can be done without IPL.

However you have to set up the LPAR in advance. Those changes can be 
done dynamically or ...Activate will be required. In the last case IPL 
is a result.


--
Radoslaw Skorupka
Lodz, Poland








On 2016-10-19 at 17:46, Mark Jacobs - Listserv wrote:
Unless you have a TKE, you will have to use the ICSF panels to enter 
the master keys. So yes, you'll need to IPL each image to do so. Just 
a heads up that if you perform ICSF Master Key changes (recommended), 
you might have to first enter the previous set of keys, then the 
current set. I can elaborate on why if you'd like.


Mark Jacobs


Jesse 1 Robinson <mailto:jesse1.robin...@sce.com>
October 19, 2016 at 11:41 AM
We are installing a z13s and going through preliminary setup. When 
selecting the Crypto tab in an Image profile, I was a bit alarmed by 
this message:


Attention: You must install the 'IBM CP Assist for Cryptographic 
Functions'
(CPACF) feature if a cryptographic candidate is selected from the 
list box.
Otherwise, some functions of Integrated Cryptographic Service 
Facility (ICSF) may fail.


I spoke to the person who created and placed the order. He assured me 
that CPACF had been ordered and that no one he talked to believed 
that it requires explicit 'activation'. So I went to a z12 that has 
been in service for years. I see the same warning message on the 
Crypto tab. So it appears to be standard boilerplate that does not 
reflect the status of CPACF.


We’re still exploring how to set the Master Key. We had thought that 
it was an HCM task, but now we're led to believe that it's done 
through ICSF. Which means that we have to IPL (each?) LPAR in order 
to set it. The guy who did this for years is gone.


.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] 
On Behalf Of Kirk Wolf

Sent: Wednesday, October 19, 2016 8:20 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Implementing ICSF - FOTS1949 PRNG is not seeded

Right. I've never seen this particular error caused by a missing 
CPACF feature.
More likely either ICSF is not started or the correct userids do not 
have access to the necessary ICSF features via SAF/RACF.


Kirk Wolf
Dovetailed Technologies
http://dovetail.com







Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-19 Thread Paul Gilmartin
On Wed, 19 Oct 2016 10:20:16 -0500, Kirk Wolf wrote:

>Right.  I've never seen this particular error caused by a missing CPACF
>feature.
>More likely either ICSF is not started or the correct userids do not have
>access to the necessary ICSF features via SAF/RACF.
> 
Ouch!  But there's a widespread belief that availability of encryption is a
security threat.

I used to read that France much restricted use of encryption.  Nowadays
that would seem to prohibit iPhones and much limit E-commerce.

Is ssh-rand-helper now thoroughly deprecated?  I used to wonder about
its message to the effect that sufficient entropy was unavailable.  That
would seem to be an undecidable proposition.

>On Wed, Oct 19, 2016 at 10:13 AM, R.S. wrote:
>
>>> Isn't it enabled by default for all customers except North Korea ? ;-)
>> 
Others?  I used to understand that ITAR excused only USA and Canada.

-- gil



Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-19 Thread Tom Mathias
The message you saw:

Attention: You must install the 'IBM CP Assist for Cryptographic Functions'  
(CPACF) feature if a cryptographic candidate is selected from the list box.  
Otherwise, some functions of Integrated Cryptographic Service Facility (ICSF) 
may fail. 

Is really a hint or reminder rather than an error message.  It is just 
reminding you that you may have additional setup to do before you can really 
use ICSF. 

Tom Mathias
SE/HMC Development Team



Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-19 Thread Mark Jacobs - Listserv
If you're not creating any data encryption keys in the CKDS, then a one 
cylinder database is plenty of space.


Mark Jacobs


Dazzo, Matt <mailto:00a854d4f854-dmarc-requ...@listserv.ua.edu>
October 19, 2016 at 11:46 AM
RS, Kirk thanks.

I was able to confirm from the SE that CPACF is enabled.

I have started configuring ICSF and trying to determine the size of 
the CKDS. For now ICSF will be used for SSH-ftp, I am not sure if a 
lot of keys are dynamically created or is just the master key going to 
be in there? From reading ICSF programmers guide I take it that it 
depends on what ICSF will be used for will determine if a lot of keys 
are created. I rather not create a CKDS too large if I don't have to. 
Any comments would be helpful.


Thanks Matt





-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] 
On Behalf Of Kirk Wolf

Sent: Wednesday, October 19, 2016 11:20 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Implementing ICSF - FOTS1949 PRNG is not seeded

Right. I've never seen this particular error caused by a missing CPACF 
feature.
More likely either ICSF is not started or the correct userids do not 
have access to the necessary ICSF features via SAF/RACF.


Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Wed, Oct 19, 2016 at 10:13 AM, R.S. 



Kirk Wolf <mailto:k...@dovetail.com>
October 19, 2016 at 11:20 AM
Right. I've never seen this particular error caused by a missing CPACF
feature.
More likely either ICSF is not started or the correct userids do not have
access to the necessary ICSF features via SAF/RACF.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Wed, Oct 19, 2016 at 10:13 AM, R.S. 



R.S. <mailto:r.skoru...@bremultibank.com.pl>
October 19, 2016 at 11:13 AM

Isn't it enabled by default for all customers except North Korea ? ;-)

--
Radoslaw Skorupka
Lodz, Poland







Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-19 Thread Mark Jacobs - Listserv
Unless you have a TKE, you will have to use the ICSF panels to enter the 
master keys. So yes, you'll need to IPL each image to do so. Just a 
heads up that if you perform ICSF Master Key changes (recommended), you 
might have to first enter the previous set of keys, then the current 
set. I can elaborate on why if you'd like.


Mark Jacobs


Jesse 1 Robinson <mailto:jesse1.robin...@sce.com>
October 19, 2016 at 11:41 AM
We are installing a z13s and going through preliminary setup. When 
selecting the Crypto tab in an Image profile, I was a bit alarmed by 
this message:


Attention: You must install the 'IBM CP Assist for Cryptographic 
Functions'
(CPACF) feature if a cryptographic candidate is selected from the list 
box.
Otherwise, some functions of Integrated Cryptographic Service Facility 
(ICSF) may fail.


I spoke to the person who created and placed the order. He assured me 
that CPACF had been ordered and that no one he talked to believed that 
it requires explicit 'activation'. So I went to a z12 that has been in 
service for years. I see the same warning message on the Crypto tab. 
So it appears to be standard boilerplate that does not reflect the 
status of CPACF.


We’re still exploring how to set the Master Key. We had thought that 
it was an HCM task, but now we're led to believe that it's done 
through ICSF. Which means that we have to IPL (each?) LPAR in order to 
set it. The guy who did this for years is gone.


.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] 
On Behalf Of Kirk Wolf

Sent: Wednesday, October 19, 2016 8:20 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Implementing ICSF - FOTS1949 PRNG is not seeded

Right. I've never seen this particular error caused by a missing CPACF 
feature.
More likely either ICSF is not started or the correct userids do not 
have access to the necessary ICSF features via SAF/RACF.


Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Wed, Oct 19, 2016 at 10:13 AM, R.S. 






--

Mark Jacobs
Time Customer Service
Global Technology Services

The standard you walk past is the standard you accept.
Lt. Gen. David Morrison




Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-19 Thread Dazzo, Matt
RS, Kirk thanks. 

I was able to confirm from the SE that CPACF is enabled.

 I have started configuring ICSF and trying to determine the size of the CKDS. 
For now ICSF will be used for SSH-ftp,  I am not sure if a lot of keys are 
dynamically created or is just the master key going to be in there? From 
reading ICSF programmers guide I take it that it depends on what ICSF will be 
used for will determine if a lot of keys are created. I rather not create a 
CKDS too large if I don't have to. Any comments would be helpful. 

Thanks Matt





-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Kirk Wolf
Sent: Wednesday, October 19, 2016 11:20 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Implementing ICSF - FOTS1949 PRNG is not seeded

Right.  I've never seen this particular error caused by a missing CPACF feature.
More likely either ICSF is not started or the correct userids do not have 
access to the necessary ICSF features via SAF/RACF.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Wed, Oct 19, 2016 at 10:13 AM, R.S. 
wrote:

> On 2016-10-19 at 17:05, John Eells wrote:
>
>> R.S. wrote:
>> 
>>
>>> Double click on CPC icon. Instance Information tab, bottom right 
>>> corner "CP Assist for Crypto functions:
>>> Installed".
>>>
>>
>> Note also that CPACF is a feature, so if it's not installed 
>> (enabled), you need to order the feature to get it installed. 
>> (Whether its enablement or lack thereof matters in this context, I 
>> have no clue.)
>>
>> Isn't it enabled by default for all customers except North Korea ? 
>> ;-)
>
> --
> Radoslaw Skorupka
> Lodz, Poland


Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-19 Thread Jesse 1 Robinson
We are installing a z13s and going through preliminary setup. When selecting 
the Crypto tab in an Image profile, I was a bit alarmed by this message:

Attention: You must install the 'IBM CP Assist for Cryptographic Functions' 
(CPACF) feature if a cryptographic candidate is selected from the list box. 
Otherwise, some functions of Integrated Cryptographic Service Facility (ICSF) 
may fail.

I spoke to the person who created and placed the order. He assured me that 
CPACF had been ordered and that no one he talked to believed that it requires 
explicit 'activation'. So I went to a z12 that has been in service for years. I 
see the same warning message on the Crypto tab. So it appears to be standard 
boilerplate that does not reflect the status of CPACF.

We’re still exploring how to set the Master Key. We had thought that it was an 
HCM task, but now we're led to believe that it's done through ICSF. Which means 
that we have to IPL (each?) LPAR in order to set it. The guy who did this for 
years is gone.   

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Kirk Wolf
Sent: Wednesday, October 19, 2016 8:20 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Implementing ICSF - FOTS1949 PRNG is not seeded

Right.  I've never seen this particular error caused by a missing CPACF feature.
More likely either ICSF is not started or the correct userids do not have 
access to the necessary ICSF features via SAF/RACF.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Wed, Oct 19, 2016 at 10:13 AM, R.S. 
wrote:

> On 2016-10-19 at 17:05, John Eells wrote:
>
>> R.S. wrote:
>> 
>>
>>> Double click on CPC icon. Instance Information tab, bottom right 
>>> corner "CP Assist for Crypto functions:
>>> Installed".
>>>
>>
>> Note also that CPACF is a feature, so if it's not installed 
>> (enabled), you need to order the feature to get it installed. 
>> (Whether its enablement or lack thereof matters in this context, I 
>> have no clue.)
>>
>> Isn't it enabled by default for all customers except North Korea ? 
>> ;-)
>
> --
> Radoslaw Skorupka
> Lodz, Poland




Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-19 Thread Tom Brennan
Thanks - I think I need to read that!  One client I work with has CPACF 
installed with no crypto cards, but no ICSF running.  They run SSH 
uploads hundreds or maybe thousands of times per day, and every day 
there are a few timeout failures (on their pretty slow z114) while 
initializing the SSH connection.


My theory is this is because crypto work is all being done in software, 
and maybe some work could be offloaded to CPACF if I can figure out how 
to get ICSF running to use it.


Kirk Wolf wrote:

Have you looked at our Quick Start guide for installing and tuning z/OS 2.2
OpenSSH?
https://dovetail.com/docs/pt-quick-inst/index.html

your question I believe is covered in section "1.6 Using ICSF and
/dev/random"




Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-19 Thread Tom Brennan
When IBM or a business partner orders a new mainframe, CPACF is enabled 
by default only if the machine has Crypto cards.  Otherwise, it's a 
no-charge feature code so it would make sense to be sure the person 
ordering the mainframe knows to enable it, even if you don't need it 
right away.


R.S. wrote:

Isn't it enabled by default for all customers except North Korea ? ;-)





Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-19 Thread Kirk Wolf
Right.  I've never seen this particular error caused by a missing CPACF
feature.
More likely either ICSF is not started or the correct userids do not have
access to the necessary ICSF features via SAF/RACF.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Wed, Oct 19, 2016 at 10:13 AM, R.S. 
wrote:

> On 2016-10-19 at 17:05, John Eells wrote:
>
>> R.S. wrote:
>> 
>>
>>> Double click on CPC icon. Instance Information tab, bottom right corner
>>> "CP Assist for Crypto functions:
>>> Installed".
>>>
>>
>> Note also that CPACF is a feature, so if it's not installed (enabled),
>> you need to order the feature to get it installed. (Whether its enablement
>> or lack thereof matters in this context, I have no clue.)
>>
>> Isn't it enabled by default for all customers except North Korea ? ;-)
>
> --
> Radoslaw Skorupka
> Lodz, Poland

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
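
The two causes named in the reply above (ICSF not started, or the user ID lacking access via SAF/RACF) both leave a /dev/random that exists but cannot deliver bytes. The probe below is an added example, not part of the thread or of any product; the names probe_random and hint_for and their result strings are hypothetical, and treating a failed read as the ICSF case is an assumption drawn from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify why a random device
# cannot seed a PRNG, which is what "PRNG is not seeded" complains about.

# probe_random [DEVICE] [NBYTES]
# Prints one result word and returns 0 only when NBYTES could be read.
probe_random() {
    dev=${1:-/dev/random}
    want=${2:-16}

    # The node must exist and be a character special file.
    [ -e "$dev" ] || { echo "missing"; return 1; }
    [ -c "$dev" ] || { echo "not-a-device"; return 2; }

    # File permission bits are checked before the read is attempted.
    [ -r "$dev" ] || { echo "no-read-permission"; return 3; }

    # Read the requested number of bytes and count what actually arrived.
    # An open or read error and an early end-of-file both show up as a
    # short count, so dd's own exit status is not needed.
    got=$(dd if="$dev" bs=1 count="$want" 2>/dev/null | wc -c | tr -d '[:space:]')
    [ "$got" -eq "$want" ] || { echo "short-read:$got"; return 4; }

    echo "ok"
}

# hint_for RESULT
# Maps a probe result to the next thing to check. The short-read hint
# repeats the diagnosis given in the thread; it is an assumption that a
# failed read on z/OS points there.
hint_for() {
    case $1 in
        ok)
            echo "device delivers random bytes; the problem is elsewhere" ;;
        missing|not-a-device)
            echo "device node is absent or of the wrong type" ;;
        no-read-permission)
            echo "file permissions block this user ID" ;;
        short-read:*)
            echo "read failed: check that ICSF is started and that this user ID has access to the ICSF services via SAF/RACF" ;;
        *)
            echo "unknown result" ;;
    esac
}

# Typical use, run under the user ID that sshd or the ssh client runs as:
#   result=$(probe_random /dev/random 16); hint_for "$result"
```

Run it under the same user ID that gets the FOTS1949 message, since a probe run from a privileged ID can succeed where the failing ID does not.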


Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-19 Thread R.S.

On 2016-10-19 at 17:05, John Eells wrote:

R.S. wrote:


Double click on CPC icon. Instance Information tab, bottom right corner
"CP Assist for Crypto functions:
Installed".


Note also that CPACF is a feature, so if it's not installed (enabled), 
you need to order the feature to get it installed. (Whether its 
enablement or lack thereof matters in this context, I have no clue.)



Isn't it enabled by default for all customers except North Korea ? ;-)

--
Radoslaw Skorupka
Lodz, Poland








Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-19 Thread John Eells

R.S. wrote:


Double click on CPC icon. Instance Information tab, bottom right corner
"CP Assist for Crypto functions:
Installed".


Note also that CPACF is a feature, so if it's not installed (enabled), 
you need to order the feature to get it installed.  (Whether its 
enablement or lack thereof matters in this context, I have no clue.)


--
John Eells
IBM Poughkeepsie
ee...@us.ibm.com



Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-19 Thread R.S.

On 2016-10-19 at 16:19, Dazzo, Matt wrote:

This is totally new world for me so bear with me.  Been reading for several 
hours on trying to determine what I need to satisfy the support of 'OpenSSH 
requires that a working /dev/random device' as I got the error  'FOTS1949 PRNG 
is not seeded' when testing SSH-FTP on my newly installed zos2.2 system.

I determined that  ICSF has to be implemented (started) but does CPACF have to 
be  enabled ? From reading the archives I found in a thread that displaying the 
CPU would show if the CPACF is enabled?

Below is a display of our CPU, appears the CPACF is not enabled? Does this 
require an IPL?

D M=CPU
IEE174I 09.46.57 DISPLAY M 216
PROCESSOR STATUS
ID  CPU  SERIAL
00  + 024E7E2828
01  + 024E7E2828
02  +I024E7E2828
03  NI
04  NI
05  NI


Thanks Matt





In order to start ICSF (some simplification here) you have to have CPACF 
enabled.

How to check it?

Logon on Support Element. Not to be confused with HMC. The same action 
on HMC will NOT give you the answer.


Double click on CPC icon. Instance Information tab, bottom right corner 
"CP Assist for Crypto functions:

Installed".

HTH

--
Radoslaw Skorupka
Lodz, Poland








Re: Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-19 Thread Kirk Wolf
Have you looked at our Quick Start guide for installing and tuning z/OS 2.2
OpenSSH?
https://dovetail.com/docs/pt-quick-inst/index.html

your question I believe is covered in section "1.6 Using ICSF and
/dev/random"



Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Wed, Oct 19, 2016 at 9:19 AM, Dazzo, Matt <
00a854d4f854-dmarc-requ...@listserv.ua.edu> wrote:

> This is totally new world for me so bear with me.  Been reading for
> several hours on trying to determine what I need to satisfy the support of
> 'OpenSSH requires that a working /dev/random device' as I got the error
> 'FOTS1949 PRNG is not seeded' when testing SSH-FTP on my newly installed
> zos2.2 system.
>
> I determined that  ICSF has to be implemented (started) but does CPACF
> have to be  enabled ? From reading the archives I found in a thread that
> displaying the CPU would show if the CPACF is enabled?
>
> Below is a display of our CPU, appears the CPACF is not enabled? Does this
> require an IPL?
>
> D M=CPU
> IEE174I 09.46.57 DISPLAY M 216
> PROCESSOR STATUS
> ID  CPU  SERIAL
> 00  + 024E7E2828
> 01  + 024E7E2828
> 02  +I024E7E2828
> 03  NI
> 04  NI
> 05  NI
>
>
> Thanks Matt
>


Implementing ICSF - FOTS1949 PRNG is not seeded

2016-10-19 Thread Dazzo, Matt
This is totally new world for me so bear with me.  Been reading for several 
hours on trying to determine what I need to satisfy the support of 'OpenSSH 
requires that a working /dev/random device' as I got the error  'FOTS1949 PRNG 
is not seeded' when testing SSH-FTP on my newly installed zos2.2 system.

I determined that  ICSF has to be implemented (started) but does CPACF have to 
be  enabled ? From reading the archives I found in a thread that displaying the 
CPU would show if the CPACF is enabled?

Below is a display of our CPU, appears the CPACF is not enabled? Does this 
require an IPL?

D M=CPU
IEE174I 09.46.57 DISPLAY M 216
PROCESSOR STATUS
ID  CPU  SERIAL
00  + 024E7E2828
01  + 024E7E2828
02  +I024E7E2828
03  NI
04  NI
05  NI


Thanks Matt
