In <4914821700290639.wa.walt.farrellgmail@bama.ua.edu>, on
04/24/2012
at 11:33 AM, Walt Farrell said:
>As often happens when people include links in sentences, his
>sentence-ending punctuation ("." ) was taken as part of the link.
Which is why enclusing a URL in <> is best practice.
--
W dniu 2012-04-24 20:24, Ward, Mike S pisze:
Hello all is it possible to simultaneously have a DES master and an
AES master key at the same time or are they mutually exclusive?
What does it mean "to have keys" ?
In ICSF you can set master key for DES and AES algorithms indepen
On Tue, 24 Apr 2012 12:05:28 -0500, Paul Gilmartin wrote:
>Hmmm. This could be the basis for the APAR IO11698 fiasco
>two years ago in which IBM manfestly allowed an integrity
>exposure to remain unrepaired but provided a means of limiting
>access to the dangerous tool.
No, it's not related t
Hello all is it possible to simultaneously have a DES master and an AES master
key at the same time or are they mutually exclusive?
==
This email, and any files transmitted with it, is confidential and intended
solely for the use of the individual or entity to which it is
On Tue, 24 Apr 2012 11:33:08 -0500, Walt Farrell wrote:
>
>>>Starting with ICSF HCR7750 and the z9, ICSF relies on the CPACF hardware on
>>>the host for the full SHA support (SHA-1 as well as SHA-2). The CP Assist
>>>(CP Assist for Cryptographic Function) is run
On Tue, 24 Apr 2012 12:23:39 -0400, Rob Schramm wrote:
>Worked for me.
>
>>>Starting with ICSF HCR7750 and the z9, ICSF relies on the CPACF hardware on
>>>the host for the full SHA support (SHA-1 as well as SHA-2). The CP Assist
>>>(CP Assist for Cryptograph
On Tue, 24 Apr 2012 11:15:37 -0500, Paul Gilmartin wrote:
>On Tue, 24 Apr 2012 10:00:46 -0500, Greg Boyd wrote:
>
>>Starting with ICSF HCR7750 and the z9, ICSF relies on the CPACF hardware on
>>the host for the full SHA support (SHA-1 as well as SHA-2). The CP Assist
Worked for me.
Rob Schramm
Senior Systems Consultant
Imperium Group
On Tue, Apr 24, 2012 at 12:15 PM, Paul Gilmartin wrote:
> On Tue, 24 Apr 2012 10:00:46 -0500, Greg Boyd wrote:
>
>>Starting with ICSF HCR7750 and the z9, ICSF relies on the CPACF hardware on
>>the hos
On Tue, 24 Apr 2012 10:00:46 -0500, Greg Boyd wrote:
>Starting with ICSF HCR7750 and the z9, ICSF relies on the CPACF hardware on
>the host for the full SHA support (SHA-1 as well as SHA-2). The CP Assist (CP
>Assist for Cryptographic Function) is running compliant implementations of
Starting with ICSF HCR7750 and the z9, ICSF relies on the CPACF hardware on the
host for the full SHA support (SHA-1 as well as SHA-2). The CP Assist (CP
Assist for Cryptographic Function) is running compliant implementations of the
SHA algorithms. For the z196, see Cert #1497 at
http
Hi Greg,
Thanks for the pointing out that there are no SAF profiles associated with
CSNBSYD/CSNBSYE, and the explanation.
The ICSF Application Programmer's Guide manual states that there are no saf
checks made for these clear key API's.
I verified this by running some tests and you
On Wed, 31 Aug 2011 (last year) 20:07:42 -0500, Paul Gilmartin (I) wrote:
>
>If you have ICSF, there's CSNBOWH. See Rexx samples in SYS1.SAMPLIB(CSF*).
>There's a manual somewhere.
>
A few days ago, I received an off-list communication from a colleague
who tried this, then
There are no SAF proiles associated with CSNBSYD/CSNBSYE, the clear key APIs,
so you will not see any messages. These APIs invoke the clear key instructions
on the CPACF. You could write an assembler routine to invoke those
instructions and there are no SAF checks at the instruction level, so
It is important to note that CSFSERV calls for authorization differs
based upon the ICSF option CHECKAUTH at startup. If you run
CHECKAUTH(NO) you will NOT see all users of ICSF services. There is a
small performance implication for running CHECKAUTH(YES)... but you
have to weight it against
W dniu 2012-04-03 08:54, Francis van Zutphen pisze:
You can easily control which services are used and which are not.
ICSF calls RACF, see CSF* classes.
BTW: Why do you afraid? What's the risk you want to avoid? Just
curious.
-- Hello Radoslaw,
I had already set on the RACF audit bit fo
You can easily control which services are used and which are not. ICSF
calls RACF, see CSF* classes.
BTW: Why do you afraid? What's the risk you want to avoid?
Just curious.
--
Hello Radoslaw,
I had already set on the RACF audit bit for the CSF* classes and have
successfully execute some
You can easily control which services are used and which are not. ICSF
calls RACF, see CSF* classes.
BTW: Why do you afraid? What's the risk you want to avoid?
Just curious.
--
Radoslaw Skorupka
Lodz, Poland
W dniu 2012-03-30 18:04, Francis van Zutphen pisze:
Hi Mark, On second tho
Hi Mark, On second thoughts, I will leace ICSF running, other wise the API's
to CPACF will not work..I know that we use hashing...
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to
W dniu 2012-03-30 16:17, Mark Jacobs pisze:
Yes, If you stop ICSF you won't be able to execute the ICSF API's that
interface with the cryptographic cards.
To complement: ICSF is the only *supported* way to access Crypto cards
*from z/OS*.
Remarks:
- you can access Crypto cards fro
Yes, If you stop ICSF you won't be able to execute the ICSF API's that
interface with the cryptographic cards.
Mark Jacobs
On 03/30/12 09:48, Francis van Zutphen wrote:
Mark, Rob and Radoslaw,
Thanks for your feedback.
OK, so HMC is the medium to make the co-processor offline
equest and this will take time..
In the meanwhile if I stop ICSF prove that the co-processor is not available?
@Radoslaw thanks for extra explanations
regards
Francis
--
For IBM-MAIN subscribe / signoff / archive acces
W dniu 2012-03-29 10:03, Francis van Zutphen pisze:
Hello fellow ICSF/crypto supporters,
We currently define our co-processor cards(CEX3) to all our 10 lpars.
We are now in the process of outsourcing 2 lpars ( I will call these lpar "A" and
"B").
We do not have Masterkeys
s through the support element on the HMC.
>
> Mark Jacobs
>
>
> On 03/29/12 04:03, Francis van Zutphen wrote:
>>
>> Hello fellow ICSF/crypto supporters,
>>
>> We currently define our co-processor cards(CEX3) to all our 10 lpars.
>> We are now in
e HMC.
Mark Jacobs
On 03/29/12 04:03, Francis van Zutphen wrote:
Hello fellow ICSF/crypto supporters,
We currently define our co-processor cards(CEX3) to all our 10 lpars.
We are now in the process of outsourcing 2 lpars ( I will call these lpar "A" and
"B").
We do not h
Hello fellow ICSF/crypto supporters,
We currently define our co-processor cards(CEX3) to all our 10 lpars.
We are now in the process of outsourcing 2 lpars ( I will call these lpar "A"
and "B").
We do not have Masterkeys defined in the CKDS for Lpar "A" and lpar
W dniu 2012-01-16 17:26, Francis van Zutphen pisze:
I need to check if CEX3 MCL level is as follows:
Driver 93G , EC N48132 , MCL N48132.001->003 , Bundle 3
Is there an ICSF query that can display this information or is this a HMC (SE)
function?
You can check it at HMC.
--
Rados
I need to check if CEX3 MCL level is as follows:
Driver 93G , EC N48132 , MCL N48132.001->003 , Bundle 3
Is there an ICSF query that can display this information or is this a HMC (SE)
function?
--
For IBM-MAIN subscr
> -Original Message-
> From: IBM Mainframe Discussion List
> [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of John Kasperer
> Sent: Sunday, April 03, 2011 3:18 PM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: Help needed for RC=12 from ICSF CSNBENC/DEC with
> z10+CPACF
>
By the way, RTFM should of course begin with the z/OS Cryptographic Services
ICSF Application Programmer's Guide, that describes all callable services.
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send
On Sun, 3 Apr 2011 14:11:10 -0400, Farley, Peter x23353
wrote:
>
>Thanks for the clear answer.
>
>That fact is not at all clear in the ICSF documentation, at least not that
I have found in the Application Programmer's Guide so far.
>
>If such is the case, what are the op
> -Original Message-
> From: IBM Mainframe Discussion List
> [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of John Kasperer
> Sent: Saturday, April 02, 2011 4:58 PM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: Help needed for RC=12 from ICSF CSNBENC/DEC with
> z10+CPACF
>
ICSF callable services CSNBENC or CSNBDEC are only for ICSF **secure key**
processing, so clear keys cannot be used. I agree that the rc=12 is
misleading...
___
CryptoMon, the only z/OS crypto monitor
http://www.aspg.com/cryptomon.htm
The Application Programmer’s Guide lists a couple of restrictions in the
sections that are labelled "CCF Systems Only", if you search
using "CSNBENC".
For example, from "System Encryption Algorithm Marks (CCF systems only)":
"It is possible to generate an operational DES-marked DATA key on a
I am experimenting with ICSF subroutines for encrypting and decrypting
sensitive data. We are on z10 hardware at z/OS 1.10 with only CPACF crypto
instructions in the CPU, we have no crypto cards at all.
I can successfully use the ICSF "clear key" encrypt/decrypt subroutines CS
Both systems are at 1.11.
Thanks!!
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of
Jousma, David
Sent: Wednesday, March 09, 2011 7:51 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: ICSF Troubles
Hal,
What FMID is on the 1.9 system, and
Hal -
Is this issue described by APAR OA29163?
Larre Shiller
US Social Security Administration
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN
: ICSF Troubles
Thanks for the replies so far!
Rob: Here are my parms:
CKDSN(My.CKDS)
PKDSN(My.PKDS)
COMPAT(NO)
SSM(YES)
DOMAIN(2)
KEYAUTH(NO)
CHECKAUTH(NO)
TRACEENTRY(1000)
USERPARM(USERPARM
Hal,
Ok. Let's look at a couple of things
DISPLAY GRS,RES=(SYSZPKT.*)
DISPLAY GRS,RES=(SYSDSN.*) <<= look for anyone using My.PKDS
I can tell you that weird things start to happen if you have something
accessing the PKDS that is not the ICSF task. The ENQ scheme does not take
non-p
Hal -
I'm a little late to this party, but I saw your post and I remembered that we
had some changes to make when we converted to zOS 1.11 (seems like so
long ago..). Based on my notes, it looks like we had to remove the COMPENC
and PKDSCACHE parameters--I think they are no longer supported.
)
REASONCODES(ICSF)
PKDSCACHE(64)
Allen: The LRECL of the PKDS does not seem to be an issue. It occurs (or works)
with either.
John: No VM. There is nothing to suggest a real hardware issue.
We use GRS for sharing. The member in SAMPLIB was used to define the
--
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On
> Behalf Of Hal Merritt
> Sent: Thursday, March 03, 2011 11:36 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: ICSF Troubles
>
> We are z/os 1.11. We almost never IPL. The last time we IPL'd, we
> receive
We have one PKDS and one CKDS for all lpars.
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On
Behalf Of Hal Merritt
Sent: Thursday, March 03, 2011 11:36 AM
To: IBM-MAIN@bama.ua.edu
Subject: ICSF Troubles
We are z/os 1.11. We almost never IPL. The
1) Check SYS1.PARMLIB(CSFPRM*). It may be pointing to the wrong place.
2) Check the LRECL of the PKDS. 1.11 changed the LRECL of the PKDS. See
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/E0Z2M17A/8.2.
6?DT=20090616151803
HTH.
We are z/os 1.11. We almost never IPL. The last time
Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf
Of Hal Merritt
Sent: Thursday, March 03, 2011 12:36 PM
To: IBM-MAIN@bama.ua.edu
Subject: ICSF Troubles
We are z/os 1.11. We almost never IPL. The last time we IPL'd, we received
the following:
11.47.55 STC00014 CSFM450E UNEXPECTED
To: IBM-MAIN@bama.ua.edu
Subject: ICSF Troubles
We are z/os 1.11. We almost never IPL. The last time we IPL'd, we received
the following:
11.47.55 STC00014 CSFM450E UNEXPECTED ERROR PROCESSING PKDS, RETURN CODE =
000C, REASON CODE = 1780.
11.47.55 STC00014 CSFM401I CRYPTOG
We are z/os 1.11. We almost never IPL. The last time we IPL'd, we received the
following:
11.47.55 STC00014 CSFM450E UNEXPECTED ERROR PROCESSING PKDS, RETURN CODE =
000C, REASON CODE = 1780.
11.47.55 STC00014 CSFM401I CRYPTOGRAPHY - SERVICES ARE NO LONGER AVAILABLE.
11.47.55 STC00014
In , on 01/26/2011
at 10:21 AM, Henrique Seganfredo
said:
>I am leaving this here if anyone struggles with the same problem and
>if any IBMer is seeing this, it would be nice to investigate more
>about the issue and maybe update the ICS Programming Guide manual,
>because the linkng instruction
Hello,
I´ve been dealing with some linking errors while trying to build AMODE64
ICSF-aware programs.
Documentation clearly states that jsut referring to CSF.SCSFMOD0 on the DD
SYSLIB should be enough as seen in
http://publib.boulder.ibm.com/infocenter/zos/v1r11/index.jsp?topic=/com.ibm.zos.r11
Done.
Below is the example if anyone is interested.
Compile C prog as AMODE64 to be called as a dll from Java (JDK 6 / 64).
Everything under USS:
#Compile
cc -V -c -o GenChav.o -Wc,dll,LP64,exportall -I.
-I/usr/lpp/java/J6.0_64/include GenChav.c > cmplisting.txt
#DD SYSLIB cards needed by the li
So, I am advancing on the subject.
Had to change the environment variables I was setting before linker
invocation, because my caller program is AMODE64 and I was outputting
AMODE31 with the linker.
I did these declarations:
export _CC_L6SYSLIB="SYS1.CSSLIB:SSOP.TZ11.CEE.SCEEBND2"
export _CC_L6S
I just discovered the following text:
RE: z/O HO OP C Newsletter Issue 23, august 2010 - "Let's clear up this
xcrypto confusion!"
The Random Number Generate (CSNBRNG) service requires an active
coprocessor and (depending on the version of ICSF your system is running)
might
we still need to maintain the Master Key in order to access the co-
processor? For example using ICSF API CSNERNG(Random Number Generate).
The ICSF System Programmer's guide states the following:
---
In order for the coprocessor to become a
raries (modules) not available in zFS (Unix
filesystem). That´s where I will refer to the ICSF module.
I guess...
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the m
Compile and link under OMVS a C program that will run under OMVS and will
make ICSF calls.
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
On Mon, 17 Jan 2011 22:11:02 -0600, Henrique Seganfredo wrote:
>
>Where can I find a sample of compile and link commands for a ICSF-aware app
>to run under OMVS?
>
There's a Rexx example in 'SYS1.SAMPLIB(CSFTEST)' IIRC. Rexx,
but the interface it uses is "address
Hello,
Where can I find a sample of compile and link commands for a ICSF-aware app
to run under OMVS?
Regards,
Henrique Seganfredo
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists
On Fri, 19 Nov 2010 07:30:08 -0600, Staller, Allan wrote:
>IIRC static linking is *NOT* required. Just make the ICSF loadlib avail
>via LNKLST or steplib
>
>
>So, my question is whether static linking is required, or if (for
>instance) a standard Enterprise COBOL dynamic ca
IIRC static linking is *NOT* required. Just make the ICSF loadlib avail
via LNKLST or steplib
HTH,
So, my question is whether static linking is required, or if (for
instance) a standard Enterprise COBOL dynamic call ("CALL dataname")
will
I am investigating the symmetric clear-key encryption callable services in
ICSF, specifically CSNBSYE and CSNBSYD. The Fine Manual shows a way to link
the ICSF modules with your calling application code, but AFAICS does *not*
specify whether static linking is required or not.
So, my question
David,
SSM is set to YES.
Thx
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.
t: Tuesday, October 19, 2010 1:38 PM
To: IBM-MAIN@bama.ua.edu
Subject: Using the CSNBKPI call in ICSF
Hey all,
I am trying to use the CSNBKPI call in ICSF and am creating PINGEN keys but the
funny thing is that they don't agree with the same keys created by the KGUP
utility so I know I must be
Hey all,
I am trying to use the CSNBKPI call in ICSF and am creating PINGEN keys but the
funny thing is that they don't agree with the same keys created by the KGUP
utility so I know I must be doing something wrong when i'm calling CSNBKPI -
for instance if I generate PINs usi
W dniu 2010-07-23 17:46, Mark Jacobs pisze:
On 07/23/10 11:18, Lizette Koehler wrote:
I have been asked to research the use of ICSF in DB2.
I know that ICSF comes with z/OS. However, I am not sure if it really
requires a Crypto card to run.
Q1: Can you run ICSF without a Crypto Card?
Second
Yes, you can run ICSF without a crypto card, however, the functionality may
be somewhat limited. If the CPACF is enabled you have hardware support for
clear key AES and DES/TDES encryption and SHA hashing. (It also depends
on which machine you're running on. For example, the z10 and z19
Would you mind please sending me a copy also?
Thanks.
-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of
Wissink, Brad [ITSYS]
Sent: Friday, July 23, 2010 11:17 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: ICSF, Crypto Cards and DB2
We do DB2
We do DB2 row encrypt/decrypt using the ICSF CSNBENC and CSNBDEC service. We
did this a couple of years ago, but we tested the various ICSF services and the
KMC assembler instruction. We found the CSNBENC service worked the quickest
when setup to utilize the CPACF hardware function and not
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
> Behalf Of Lizette Koehler
> Sent: Friday, July 23, 2010 11:18 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: ICSF, Crypto Cards and DB2
>
> I have been asked to research the us
On 07/23/10 11:18, Lizette Koehler wrote:
I have been asked to research the use of ICSF in DB2.
I know that ICSF comes with z/OS. However, I am not sure if it really requires
a Crypto card to run.
Q1: Can you run ICSF without a Crypto Card?
Second, the intent is to encrypt row(s) of DB2
Lizette Koehler wrote:
I have been asked to research the use of ICSF in DB2.
I know that ICSF comes with z/OS. However, I am not sure if it really requires
a Crypto card to run.
Q1: Can you run ICSF without a Crypto Card?
Yes. ICSF uses CPACFs in addition to crypto cards, and will also
I have been asked to research the use of ICSF in DB2.
I know that ICSF comes with z/OS. However, I am not sure if it really requires
a Crypto card to run.
Q1: Can you run ICSF without a Crypto Card?
Second, the intent is to encrypt row(s) of DB2 Data. Is ICSF the best way to
go or are
es to .
On the other side, this is the same user y use in the batch job, but the debug
tells me it is using the helper instead of ICSF.
Regards, Enrique.
--
For IBM-MAIN subscribe / signoff / archive access instructions,
sen
On Fri, Mar 12, 2010 at 10:55 AM, Paul Gilmartin wrote:
> On Fri, 12 Mar 2010 10:52:33 -0500, Hayim Sokolsky wrote:
>>
>>But in any case, the Open_SSH ported tool - was not coded to interface
>>with ICSF, as far as I know.
>>
> Except through /dev/random? A
On Fri, 12 Mar 2010 10:52:33 -0500, Hayim Sokolsky wrote:
>
>But in any case, the Open_SSH ported tool - was not coded to interface
>with ICSF, as far as I know.
>
Except through /dev/random? A quick validity check might be:
head /dev/random | o
On Fri, Mar 12, 2010 at 9:52 AM, Hayim Sokolsky wrote:
> A few points here...
>
> The ICSF STC is not the API itself. It is the I/O server that reads and
> writes to the PKDS and CKDS.
> Use of the ICSF APIs can be allowed or disallowed by RACF (and Top Secret
> and ACF/2).
>
A few points here...
The ICSF STC is not the API itself. It is the I/O server that reads and
writes to the PKDS and CKDS.
Use of the ICSF APIs can be allowed or disallowed by RACF (and Top Secret
and ACF/2).
- You didn't say if the CSFSERV class was active or inactive in your
security pr
Read the FAQ in the IBM Ported Tools for z/OS User's Guide on setting
up ICSF and /dev/random.
On Fri, Mar 12, 2010 at 8:04 AM, MONTERO ROMERO, ENRIQUE ELOI
wrote:
> Hi to all,
>
> We have the ICSF running as an STC in our environment.
> ===> CSFM400I CRYPTOGRAPHY - SERVIC
Hi to all,
We have the ICSF running as an STC in our environment.
===> CSFM400I CRYPTOGRAPHY - SERVICES ARE NOW AVAILABLE.
I am trying to SHH against a linux server in BATCH.
//SSHCOMM EXEC PGM=BPXBATCH,
// PARM=('SH /ZOSAA/bin/ss
Thanks a lot Walt, for your appointment.
>> The book for z/OS V1 R11 (ICSF FMID HCR7770,
>> see /publibz.boulder.ibm.com/cgi-
>> bin/bookmgr_OS390/BOOKS/CSFB2ZA0/5.3.2?
>> SHELF=EZ2ZBK0H&DT=20091114130346
>> or http://preview.tinyurl.com/yeb9hnf ) and as I read
On Tue, 5 Jan 2010 00:15:44 -0600, Angel-Luis Dominguez
wrote:
>I am developping ICSF service exits to write information in SMF.
>
>Manuals along all the releases only say:
>
>"The installation exit gets passed the address of the service parameter list
>in Register 1.&quo
I am developping ICSF service exits to write information in SMF.
Manuals along all the releases only say:
"The installation exit gets passed the address of the service parameter list
in Register 1."
But I have encountered that ..
If you have HCR7740 function, the para
Meganen Naidoo pisze:
Hi all,
We want to generate a hash key for a dataset but not encrypt the data
using ICSF on z/OS 1.7.
Can someone clarify that an entire file (and not just a field, or record
within a file) can be processed by the routines CSNBOWH and CSNBOWH1.
The Cryptographic Services
We want to generate a hash key for a dataset but not encrypt the data
using ICSF on z/OS 1.7.
Can someone clarify that an entire file (and not just a field, or record
within a file) can be processed by the routines CSNBOWH and CSNBOWH1.
The Cryptographic Services ICSF Application Programmer
It's certainly possible; GIMZIP and SMP/E use this to generate
and verify checksums of their pax.Z files.
the interface is described in:
Linkname: 2.3.6.2 "z/OS V1R10.0 ICSF Application Programmer's Guide"
URL:
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_
Hi all,
We want to generate a hash key for a dataset but not encrypt the data
using ICSF on z/OS 1.7.
Can someone clarify that an entire file (and not just a field, or record
within a file) can be processed by the routines CSNBOWH and CSNBOWH1.
The Cryptographic Services ICSF Application
We are currently developing the implementation of EMV ICSF. We wants to hear
about any experience managing ARQC cryptograms and ARPC.
Thanks in advance.
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send
Hal,
ICSF fulfills multiple purposes:
1. It's the crypto hardware manager
2. It's the crypto key repository (CKDS, PKDS, etc..)
3. It's the API for crypto services.
If you have the RACF CSFSERV class active, the API calls issued by
non-system (not key 0, not sup state) callers
Cross posted to MVS and RACF:
I have a sysprog asking for access to CSFOWH in the CSFSERV class. I am a
little confused: the doc seems to relate this to ICSF which is not active on
that LPAR. We do have ICSF hardware on the box and use it in other LPARS.
Are some of the callable services still
Salah,
There is no "archive" function in ICSF. The keys stored in the CKDS (and
PKDS) as well, are stored based upon the name you've given the key. If
you've created your key with let's say the name "FRED", and you replace
that key, the old key is gone - fo
Hello List,
This is a question related to ICSF Key generation/update process:
what I'm trying to do is Generate a new key using the CSNBKGN call and then
update the Today-instant-issue-key, using the CSNBKRW, call with the newly
generated key.
My question is – what does ICSF do wit
Hi all;
I need to code an ICSF exit to write smf records for some ICSF functions.
These exits work in Cross Memory mode, and must be coded in AR mode and
ALET=1 to access and retrieve the parameter list.
¿has anybody an example about?
Thanks a lot
Angel Luis Domínguez
Systems Programmer-Spain
names, which
message digest and assimetric algorithms are used for the digital signature,
etc.). But I see no ICSF callable service allowing me to do this.
Looks like ICSF and SSL support on z/OS are two different worlds aimed for
security purposes, but they do not communicate very well.
What can I
On Wed, 3 Jun 2009 08:58:59 -0400, Rob Schramm
wrote:
>Frank,
>
>Looks like there are two methods:
>* roll your own
>* DKMS
>
>ICSF doesn't have an API that does 'generate pin mailer and print
>securely' which of course would be pretty cool but is a l
Frank,
Looks like there are two methods:
* roll your own
* DKMS
ICSF doesn't have an API that does 'generate pin mailer and print
securely' which of course would be pretty cool but is a little outside
the box as it relates to what ICSF typically does.
Roll your own
* CSNB
On Tue, 2 Jun 2009 11:42:25 -0500, Frank Swarbrick wrote:
>Anyone out there use ICSF (Integrated Cryptographic Service Facility) for
>encryption between self and Visa/Mastercard/ATMs? I'm specifically curious
>about how PIN mailer processing is done. (If it is done!) We current
A google of The Thales Host Security Modules solution appears to be software
that runs under Windows.
ICSF is a hardware and software API feature of z/os.
-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of
Frank Swarbrick
Sent
Anyone out there use ICSF (Integrated Cryptographic Service Facility) for
encryption between self and Visa/Mastercard/ATMs? I'm specifically curious
about how PIN mailer processing is done. (If it is done!) We currently use
Thales Host Security Modules. When a new card is ordered a r
Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of
R.S.
Sent: Friday, January 23, 2009 2:39 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: ICSF and VISA/MasterCard?amex reference list
Raymond Noal wrote:
> Rather than a list of user's of the HW crypto feature, would not the
> security/cert
The following message is a courtesy copy of an article
that has been posted to bit.listserv.ibm-main as well.
jayare...@hotmail.com (J R) writes:
> As Ted mentioned, Canadian banks use it. It is also used extensively
> by European banks and those in the Antipodes.
>
> What do these banks ha
Raymond Noal wrote:
Rather than a list of user's of the HW crypto feature, would not the
security/certification level of the IBM processor's be even more impressive?
For me ? Yes. But I don't need to convince myself. My opinion "must be
biased, because I'm mainframe bigot". And last, but not
Additionally, under PCI you have to separate test and production.. which
for the external boxes... means buying more. Not so for the CEX2C's since
they can be shared across LPARs.
I agree about the speed. I am not sure that the actual processors run
that much faster.. but the ability to use
1 - 100 of 279 matches
Mail list logo