Re: ICSF -- initializing a PKDS
You must have a CCA Coprocessor to initialize a PKDS. From the current SPG, for HCR77D1 (SC14-7507-09, p. 431), Appendix F:

If only the CPACF feature is installed, you will not be able to:
1. Set master keys.
2. Initialize the PKDS.
3. Store keys in the PKDS.

That has been true for a long time.

You can't have a clear key only PKDS. I guess if you are using your security product database as your certificate repository, then your private keys are in a clear key repository.

You can have a clear key only CKDS if you don't have a CCA Coprocessor, but as Lennie points out, that is a one-way path. You can't later add Crypto Express cards and migrate the keys in the CKDS. That option is not available for the PKDS.

And the new support on the z15 for RSA keys is clear key only. The CPACF will only work with the public key part of the key pair.

Greg
Mainframe Crypto
www.mainframecrypto.com

On Thu, 16 Jul 2020 15:05:15 -0500, John McKown wrote:

>FWIW, this is what I see when I bring up CSF:
>
>IEF403I CSF - STARTED - TIME=13.13.39
>CSFO0230 CKDSN(TSSPV.CSF.CKDS)
>CSFO0230 PKDSN(TSSPV.CSF.PKDS)
>CSFO0230 COMPAT(NO)
>CSFO0230 SSM(YES)
>CSFO0230 KEYAUTH(NO)
>CSFO0230 CHECKAUTH(NO)
>CSFO0230 USERPARM(USERPARM)
>CSFO0230 CKTAUTH(YES)
>CSFO0230 TRACEENTRY(1)
>CSFO0230 REASONCODES(ICSF)
>CSFO0166 DEFAULT CICS WAIT LIST WILL BE USED.
>CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.
>CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
>CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
>CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.
>CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.
>CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
>CSFM101E PKA KEY DATA SET, TSSPV.CSF.PKDS IS NOT INITIALIZED.
>CSFM507I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC COPROCESSORS
>ONLINE.
>CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS
>ONLINE.
>CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION.
>CSFM001I ICSF INITIALIZATION COMPLETE
>CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
>
>I think the following message means/implies no use of PKDS
>
> CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION.
>
>
>On Thu, Jul 16, 2020 at 12:45 PM John McKown
>wrote:
>
>> This is for a very old z/OS 1.12 system running on a z9BC. CPACF is
>> enabled in the machine. There are no cryptographic coprocessors installed.
>> I can initialize the CKDS using the panel. But when I try to initialize the
>> PKDS, the panel displays "OPTION NOT ACTIVE". PF1 displays 'THE SELECTED
>> PANEL OPTION IS NOT AVAILABLE WITH YOUR CURRENT SYSTEM CONFIGURATION"
>>
>> Is this normal? Can I not use the PKDS on a system with only CPACF? Or do
>> I need to enable some other option somewhere?
>>
>> Thanks.
>>
>> --
>> People in sleeping bags are the soft tacos of the bear world.
>> Maranatha! <><
>> John McKown
>>
>
>
>--
>People in sleeping bags are the soft tacos of the bear world.
>Maranatha! <><
>John McKown

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
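Added example (not part of the original posts, and not IBM code): a Python parser that reads ICSF startup messages like the ones quoted in this thread and lists the conditions that rule out PKDS use. It relies only on the message IDs and texts shown in the thread; the function names and result layout are assumptions made for illustration, and the sample log is constructed from the quoted output.

```python
import re

# Constructed sample, shaped like the startup output quoted in this thread.
# CSFM507I/CSFM508I are wrapped over two lines, as they are in the quoted mail.
SAMPLE_LOG = """\
IEF403I CSF - STARTED - TIME=13.13.39
CSFO0230 CKDSN(TSSPV.CSF.CKDS)
CSFO0230 PKDSN(TSSPV.CSF.PKDS)
CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
CSFM101E PKA KEY DATA SET, TSSPV.CSF.PKDS IS NOT INITIALIZED.
CSFM507I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC COPROCESSORS
ONLINE.
CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS
ONLINE.
CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION.
CSFM001I ICSF INITIALIZATION COMPLETE
CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
"""

# Message ID: 3-4 letters, 3-4 digits, optional severity letter (IEF403I, CSFO0230).
MSG_ID = re.compile(r"([A-Z]{3,4}\d{3,4}[A-Z]?)\s+(.*)")
OPTION = re.compile(r"(\w+)\((.*)\)")  # KEYWORD(VALUE) echoed by CSFO0230

# Meanings are taken from the message texts quoted in the thread.
PKDS_BLOCKERS = {
    "CSFM507I": "no cryptographic coprocessor online",
    "CSFM122I": "PKA services not enabled at ICSF initialization",
    "CSFM101E": "PKDS is not initialized",
}


def parse_startup(log_text):
    """Return (messages, options); wrapped lines are folded into their message."""
    messages, options = [], {}
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").rstrip()  # also accept mail-quoted copies
        if not line:
            continue
        m = MSG_ID.match(line)
        if m:
            messages.append([m.group(1), m.group(2)])
        elif messages:
            messages[-1][1] += " " + line  # continuation of the previous message
    for msg_id, text in messages:
        opt = OPTION.fullmatch(text)
        if msg_id == "CSFO0230" and opt:
            options[opt.group(1)] = opt.group(2)
    return messages, options


def assess(log_text):
    """Summarize what the startup messages say about PKDS availability."""
    messages, options = parse_startup(log_text)
    seen = {msg_id for msg_id, _ in messages}
    return {
        "init_complete": "CSFM001I" in seen,
        "pkds_data_set": options.get("PKDSN"),
        # No coprocessor reported, but CPU-based services are available.
        "cpu_based_only": "CSFM507I" in seen and "CSFM126I" in seen,
        "pkds_blockers": [why for mid, why in PKDS_BLOCKERS.items() if mid in seen],
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

An empty `pkds_blockers` list only means none of these three messages appeared in the text supplied; it does not prove a coprocessor is online.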
Re: ICSF -- initializing a PKDS
> I think the following message means/implies no use of PKDS
>
> CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION.

Looks like it to me too.

Mark Jacobs

Sent from ProtonMail, Swiss-based encrypted email.

GPG Public Key - https://api.protonmail.ch/pks/lookup?op=get=markjac...@protonmail.com

‐‐‐ Original Message ‐‐‐
On Thursday, July 16, 2020 4:05 PM, John McKown wrote:

> FWIW, this is what I see when I bring up CSF:
>
> IEF403I CSF - STARTED - TIME=13.13.39
> CSFO0230 CKDSN(TSSPV.CSF.CKDS)
> CSFO0230 PKDSN(TSSPV.CSF.PKDS)
> CSFO0230 COMPAT(NO)
> CSFO0230 SSM(YES)
> CSFO0230 KEYAUTH(NO)
> CSFO0230 CHECKAUTH(NO)
> CSFO0230 USERPARM(USERPARM)
> CSFO0230 CKTAUTH(YES)
> CSFO0230 TRACEENTRY(1)
> CSFO0230 REASONCODES(ICSF)
> CSFO0166 DEFAULT CICS WAIT LIST WILL BE USED.
> CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.
> CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
> CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
> CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.
> CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.
> CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
> CSFM101E PKA KEY DATA SET, TSSPV.CSF.PKDS IS NOT INITIALIZED.
> CSFM507I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC COPROCESSORS
> ONLINE.
> CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS
> ONLINE.
> CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION.
> CSFM001I ICSF INITIALIZATION COMPLETE
> CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
>
> I think the following message means/implies no use of PKDS
>
> CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION.
>
> On Thu, Jul 16, 2020 at 12:45 PM John McKown john.archie.mck...@gmail.com
> wrote:
>
> > This is for a very old z/OS 1.12 system running on a z9BC. CPACF is
> > enabled in the machine. There are no cryptographic coprocessors installed.
> > I can initialize the CKDS using the panel. But when I try to initialize the
> > PKDS, the panel displays "OPTION NOT ACTIVE". PF1 displays 'THE SELECTED
> > PANEL OPTION IS NOT AVAILABLE WITH YOUR CURRENT SYSTEM CONFIGURATION"
> >
> > Is this normal? Can I not use the PKDS on a system with only CPACF? Or do
> > I need to enable some other option somewhere?
> >
> > Thanks.
> >
> > --
> > People in sleeping bags are the soft tacos of the bear world.
> > Maranatha! <><
> > John McKown
>
> --
> People in sleeping bags are the soft tacos of the bear world.
> Maranatha! <><
> John McKown
Re: ICSF -- initializing a PKDS
It is only very recently that CPACF does any processing for asymmetric keys.
Remember that if you initialise a CKDS using CPACF, you cannot subsequently convert the CKDS to a protected key CKDS.
You could always look at the old Redbook for Crypto on the z9 SG24-7123-00.

Lennie Dymoke-Bradshaw
Consultant working on contract for
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of John McKown
Sent: 16 July 2020 18:45
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [IBM-MAIN] ICSF -- initializing a PKDS

This is for a very old z/OS 1.12 system running on a z9BC. CPACF is enabled in the machine. There are no cryptographic coprocessors installed. I can initialize the CKDS using the panel. But when I try to initialize the PKDS, the panel displays "OPTION NOT ACTIVE". PF1 displays 'THE SELECTED PANEL OPTION IS NOT AVAILABLE WITH YOUR CURRENT SYSTEM CONFIGURATION"

Is this normal? Can I not use the PKDS on a system with only CPACF? Or do I need to enable some other option somewhere?

Thanks.

--
People in sleeping bags are the soft tacos of the bear world.
Maranatha! <><
John McKown
Re: ICSF -- initializing a PKDS
Resolved in a very few hours. That z9 ran for around 10 years. I'll never have another priority 1 issue. We are running on someone else's z13 now. Any issues are theirs.

> -Original Message-
> From: IBM Mainframe Discussion List On
> Behalf Of Steve Beaver
> Sent: Thursday, July 16, 2020 12:49 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: ICSF -- initializing a PKDS
>
> A SEV1 does get a lot of attention
>
> Sent from my iPhone
>
> I promise you I can’t type or
> Spell on any smartphone
>
> > On Jul 16, 2020, at 14:11, Gibney, Dave wrote:
> >
> > Same here. My one and only priority 1 issue with IBM. When the z9BC was
> > brand new, I defined all 4 crypto cards as accelerators. Couldn't define my
> > master keys or get SSL working. (It had been working on the z800-0B1)
> > We elected to go forward with the processor upgrade that Saturday. And I
> > called IBM, told them priority 1 and that I couldn't go into operation on
> > Monday without security.
> >
> > The answer was to redefine at least one crypto co-processor.
> >
> >> -Original Message-
> >> From: IBM Mainframe Discussion List On
> >> Behalf Of Carmen Vitullo
> >> Sent: Thursday, July 16, 2020 11:05 AM
> >> To: IBM-MAIN@LISTSERV.UA.EDU
> >> Subject: Re: ICSF -- initializing a PKDS
> >>
> >> It's been a long time since I've INIT'd a PKDS, my config had a co
> >> processor
> >> installed and I had to have CSF running to INIT a PKDS and store the DES
> >> master key
> >> did you start CSF?
> >>
> >>
> >> Carmen Vitullo
> >>
> >> - Original Message -
> >>
> >> From: "John McKown"
> >> To: IBM-MAIN@LISTSERV.UA.EDU
> >> Sent: Thursday, July 16, 2020 12:45:16 PM
> >> Subject: ICSF -- initializing a PKDS
> >>
> >> This is for a very old z/OS 1.12 system running on a z9BC. CPACF is enabled
> >> in the machine. There are no cryptographic coprocessors installed. I can
> >> initialize the CKDS using the panel. But when I try to initialize the PKDS,
> >> the panel displays "OPTION NOT ACTIVE". PF1 displays 'THE SELECTED PANEL
> >> OPTION IS NOT AVAILABLE WITH YOUR CURRENT SYSTEM CONFIGURATION"
> >>
> >> Is this normal? Can I not use the PKDS on a system with only CPACF? Or do I
> >> need to enable some other option somewhere?
> >>
> >> Thanks.
> >>
> >> --
> >> People in sleeping bags are the soft tacos of the bear world.
> >> Maranatha! <><
> >> John McKown
Re: ICSF -- initializing a PKDS
FWIW, this is what I see when I bring up CSF:

IEF403I CSF - STARTED - TIME=13.13.39
CSFO0230 CKDSN(TSSPV.CSF.CKDS)
CSFO0230 PKDSN(TSSPV.CSF.PKDS)
CSFO0230 COMPAT(NO)
CSFO0230 SSM(YES)
CSFO0230 KEYAUTH(NO)
CSFO0230 CHECKAUTH(NO)
CSFO0230 USERPARM(USERPARM)
CSFO0230 CKTAUTH(YES)
CSFO0230 TRACEENTRY(1)
CSFO0230 REASONCODES(ICSF)
CSFO0166 DEFAULT CICS WAIT LIST WILL BE USED.
CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.
CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.
CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.
CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
CSFM101E PKA KEY DATA SET, TSSPV.CSF.PKDS IS NOT INITIALIZED.
CSFM507I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC COPROCESSORS ONLINE.
CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE.
CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION.
CSFM001I ICSF INITIALIZATION COMPLETE
CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.

I think the following message means/implies no use of PKDS

CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION.

On Thu, Jul 16, 2020 at 12:45 PM John McKown wrote:

> This is for a very old z/OS 1.12 system running on a z9BC. CPACF is
> enabled in the machine. There are no cryptographic coprocessors installed.
> I can initialize the CKDS using the panel. But when I try to initialize the
> PKDS, the panel displays "OPTION NOT ACTIVE". PF1 displays 'THE SELECTED
> PANEL OPTION IS NOT AVAILABLE WITH YOUR CURRENT SYSTEM CONFIGURATION"
>
> Is this normal? Can I not use the PKDS on a system with only CPACF? Or do
> I need to enable some other option somewhere?
>
> Thanks.
>
> --
> People in sleeping bags are the soft tacos of the bear world.
> Maranatha! <><
> John McKown
>

--
People in sleeping bags are the soft tacos of the bear world.
Maranatha! <><
John McKown
Re: ICSF -- initializing a PKDS
On Thu, Jul 16, 2020 at 1:04 PM Carmen Vitullo wrote:

> It's been a long time since I've INIT'd a PKDS, my config had a co
> processor installed and I had to have CSF running to INIT a PKDS and store
> the DES master key
> did you start CSF?
>

Yes.

>
>
> Carmen Vitullo
>
> - Original Message -
>
> From: "John McKown"
> To: IBM-MAIN@LISTSERV.UA.EDU
> Sent: Thursday, July 16, 2020 12:45:16 PM
> Subject: ICSF -- initializing a PKDS
>
> This is for a very old z/OS 1.12 system running on a z9BC. CPACF is
> enabled in the machine. There are no cryptographic coprocessors installed.
> I can initialize the CKDS using the panel. But when I try to initialize the
> PKDS, the panel displays "OPTION NOT ACTIVE". PF1 displays 'THE SELECTED PANEL
> OPTION IS NOT AVAILABLE WITH YOUR CURRENT SYSTEM CONFIGURATION"
>
> Is this normal? Can I not use the PKDS on a system with only CPACF? Or do
> I need to enable some other option somewhere?
>
> Thanks.
>
> --
> People in sleeping bags are the soft tacos of the bear world.
> Maranatha! <><
> John McKown
>

--
People in sleeping bags are the soft tacos of the bear world.
Maranatha! <><
John McKown
Re: ICSF -- initializing a PKDS
On Thu, Jul 16, 2020 at 12:56 PM Mark Jacobs <0224d287a4b1-dmarc-requ...@listserv.ua.edu> wrote:

> Looks like CPACF on a z9 doesn't do anything related to public/private
> keys, just symmetric keys. So, likely there's no support for the PKDS on a
> z9 without crypto cards.
>

Thanks. I was thinking that, but couldn't find anything. I found a REXX example code to use CSNBSAE, but I get an RC=12 on that. {sigh}

>
> Mark Jacobs
>
>
> Sent from ProtonMail, Swiss-based encrypted email.
>
> GPG Public Key -
> https://api.protonmail.ch/pks/lookup?op=get=markjac...@protonmail.com
>
> ‐‐‐ Original Message ‐‐‐
> On Thursday, July 16, 2020 1:45 PM, John McKown <john.archie.mck...@gmail.com> wrote:
>
> > This is for a very old z/OS 1.12 system running on a z9BC. CPACF is enabled
> > in the machine. There are no cryptographic coprocessors installed. I can
> > initialize the CKDS using the panel. But when I try to initialize the PKDS,
> > the panel displays "OPTION NOT ACTIVE". PF1 displays 'THE SELECTED PANEL
> > OPTION IS NOT AVAILABLE WITH YOUR CURRENT SYSTEM CONFIGURATION"
> >
> > Is this normal? Can I not use the PKDS on a system with only CPACF? Or do I
> > need to enable some other option somewhere?
> >
> > Thanks.
> >
> > People in sleeping bags are the soft tacos of the bear world.
> > Maranatha! <><
> >
> > John McKown
>

--
People in sleeping bags are the soft tacos of the bear world.
Maranatha! <><
John McKown
Re: ICSF -- initializing a PKDS
A SEV1 does get a lot of attention

Sent from my iPhone

I promise you I can’t type or
Spell on any smartphone

> On Jul 16, 2020, at 14:11, Gibney, Dave wrote:
>
> Same here. My one and only priority 1 issue with IBM. When the z9BC was
> brand new, I defined all 4 crypto cards as accelerators. Couldn't define my
> master keys or get SSL working. (It had been working on the z800-0B1)
> We elected to go forward with the processor upgrade that Saturday. And I
> called IBM, told them priority 1 and that I couldn't go into operation on
> Monday without security.
>
> The answer was to redefine at least one crypto co-processor.
>
>> -Original Message-
>> From: IBM Mainframe Discussion List On
>> Behalf Of Carmen Vitullo
>> Sent: Thursday, July 16, 2020 11:05 AM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: Re: ICSF -- initializing a PKDS
>>
>> It's been a long time since I've INIT'd a PKDS, my config had a co processor
>> installed and I had to have CSF running to INIT a PKDS and store the DES
>> master key
>> did you start CSF?
>>
>>
>> Carmen Vitullo
>>
>> - Original Message -----
>>
>> From: "John McKown"
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Sent: Thursday, July 16, 2020 12:45:16 PM
>> Subject: ICSF -- initializing a PKDS
>>
>> This is for a very old z/OS 1.12 system running on a z9BC. CPACF is enabled
>> in the machine. There are no cryptographic coprocessors installed. I can
>> initialize the CKDS using the panel. But when I try to initialize the PKDS,
>> the panel displays "OPTION NOT ACTIVE". PF1 displays 'THE SELECTED PANEL
>> OPTION IS NOT AVAILABLE WITH YOUR CURRENT SYSTEM CONFIGURATION"
>>
>> Is this normal? Can I not use the PKDS on a system with only CPACF? Or do I
>> need to enable some other option somewhere?
>>
>> Thanks.
>>
>> --
>> People in sleeping bags are the soft tacos of the bear world.
>> Maranatha! <><
>> John McKown
Re: ICSF -- initializing a PKDS
Same here. My one and only priority 1 issue with IBM. When the z9BC was brand new, I defined all 4 crypto cards as accelerators. Couldn't define my master keys or get SSL working. (It had been working on the z800-0B1)
We elected to go forward with the processor upgrade that Saturday. And I called IBM, told them priority 1 and that I couldn't go into operation on Monday without security.

The answer was to redefine at least one crypto co-processor.

> -Original Message-
> From: IBM Mainframe Discussion List On
> Behalf Of Carmen Vitullo
> Sent: Thursday, July 16, 2020 11:05 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: ICSF -- initializing a PKDS
>
> It's been a long time since I've INIT'd a PKDS, my config had a co processor
> installed and I had to have CSF running to INIT a PKDS and store the DES
> master key
> did you start CSF?
>
>
> Carmen Vitullo
>
> - Original Message -
>
> From: "John McKown"
> To: IBM-MAIN@LISTSERV.UA.EDU
> Sent: Thursday, July 16, 2020 12:45:16 PM
> Subject: ICSF -- initializing a PKDS
>
> This is for a very old z/OS 1.12 system running on a z9BC. CPACF is enabled
> in the machine. There are no cryptographic coprocessors installed. I can
> initialize the CKDS using the panel. But when I try to initialize the PKDS,
> the panel displays "OPTION NOT ACTIVE". PF1 displays 'THE SELECTED PANEL
> OPTION IS NOT AVAILABLE WITH YOUR CURRENT SYSTEM CONFIGURATION"
>
> Is this normal? Can I not use the PKDS on a system with only CPACF? Or do I
> need to enable some other option somewhere?
>
> Thanks.
>
> --
> People in sleeping bags are the soft tacos of the bear world.
> Maranatha! <><
> John McKown
Re: ICSF -- initializing a PKDS
It's been a long time since I've INIT'd a PKDS, my config had a co processor installed and I had to have CSF running to INIT a PKDS and store the DES master key
did you start CSF?

Carmen Vitullo

- Original Message -

From: "John McKown"
To: IBM-MAIN@LISTSERV.UA.EDU
Sent: Thursday, July 16, 2020 12:45:16 PM
Subject: ICSF -- initializing a PKDS

This is for a very old z/OS 1.12 system running on a z9BC. CPACF is enabled in the machine. There are no cryptographic coprocessors installed. I can initialize the CKDS using the panel. But when I try to initialize the PKDS, the panel displays "OPTION NOT ACTIVE". PF1 displays 'THE SELECTED PANEL OPTION IS NOT AVAILABLE WITH YOUR CURRENT SYSTEM CONFIGURATION"

Is this normal? Can I not use the PKDS on a system with only CPACF? Or do I need to enable some other option somewhere?

Thanks.

--
People in sleeping bags are the soft tacos of the bear world.
Maranatha! <><
John McKown
Re: ICSF -- initializing a PKDS
Looks like CPACF on a z9 doesn't do anything related to public/private keys, just symmetric keys. So, likely there's no support for the PKDS on a z9 without crypto cards.

Mark Jacobs

Sent from ProtonMail, Swiss-based encrypted email.

GPG Public Key - https://api.protonmail.ch/pks/lookup?op=get=markjac...@protonmail.com

‐‐‐ Original Message ‐‐‐
On Thursday, July 16, 2020 1:45 PM, John McKown wrote:

> This is for a very old z/OS 1.12 system running on a z9BC. CPACF is enabled
> in the machine. There are no cryptographic coprocessors installed. I can
> initialize the CKDS using the panel. But when I try to initialize the PKDS,
> the panel displays "OPTION NOT ACTIVE". PF1 displays 'THE SELECTED PANEL
> OPTION IS NOT AVAILABLE WITH YOUR CURRENT SYSTEM CONFIGURATION"
>
> Is this normal? Can I not use the PKDS on a system with only CPACF? Or do I
> need to enable some other option somewhere?
>
> Thanks.
>
> People in sleeping bags are the soft tacos of the bear world.
> Maranatha! <><
>
> John McKown
ICSF -- initializing a PKDS
This is for a very old z/OS 1.12 system running on a z9BC. CPACF is enabled in the machine. There are no cryptographic coprocessors installed. I can initialize the CKDS using the panel. But when I try to initialize the PKDS, the panel displays "OPTION NOT ACTIVE". PF1 displays 'THE SELECTED PANEL OPTION IS NOT AVAILABLE WITH YOUR CURRENT SYSTEM CONFIGURATION"

Is this normal? Can I not use the PKDS on a system with only CPACF? Or do I need to enable some other option somewhere?

Thanks.

--
People in sleeping bags are the soft tacos of the bear world.
Maranatha! <><
John McKown