You can easily control which services are used and which are not. ICSF
calls RACF, see CSF* classes.
BTW: Why are you afraid? What's the risk you want to avoid?
Just curious.
--
Hello Radoslaw,
I had already set on the RACF audit bit for the CSF* classes and have
successfully executed some ICSF APIs and received audit records
in the CSFSERV class...this works fine.
However I am also conducting tests with CA-XCOM (FTP) and switched on the ICSF
interface in the XCOM config file, see XCOM documentation attachment, however
this time I do not get any hits in the CSFSERV class. I expect to see some hits
on the RACF profiles that cover ICSF CSNBSYE/CSNBSYD (CPACF) callable services.
/pp/xcom/config/configssl.cnf
[ICSF]
INITIATE_SIDE = CLEAR
RECEIVE_SIDE = CLEAR
[CIPHER]
INITIATE_SIDE = ALL:!AES:!ADH:!LOW:!EXP:MD5:@STRENGTH
RECEIVE_SIDE = ALL:!AES:!ADH:!LOW:!EXP:!MD5:@STRENGTH
See also TSO ICSF Coprocessor Management panel screen print attachment
regards
Francis
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
Chapter 2: Installation and Configuration Best Practices 23
Hardware Data Encryption Technology
If data encryption is desired for CA XCOM Data Transport transfers, this is
most efficiently accomplished using the IBM Integrated Cryptographic Service
Facility (ICSF). This facility uses a specialized processor and CPU
instructions to perform data encryption and decryption using hardware. This
stands in contrast to the software-based data encryption provided by OpenSSL.
CA XCOM Data Transport supports both OpenSSL and ICSF as tools for encrypting
data. Using hardware-based encryption and decryption is more efficient and
reduces the amount of general processor resource required to perform secure
data transmissions.
For hardware-based encryption, only 3DES is supported.
Several parameter changes must be made in the XCOM_CONFIG_SSL configuration
file in order to activate hardware compression support.
Within the [ICSF] section of the XCOM_CONFIG_SSL data set, the following
parameters need to be set:
INITIATE_SIDE=CLEAR | NO
Applies to cases when this XCOM is the client (local machine)
RECEIVE_SIDE=CLEAR | NO
Applies to cases when this XCOM is the server (remote machine).
The allowable values and associated functionality for these parameters are:
CLEAR
Stores the symmetric keys in clear text in memory during the transfer and uses
the ICSF CSNBSYE/CSNBSYD encryption functions.
NO (default)
Uses the OpenSSL software encryption routine.
You also need to disable AES encryption in the configuration data set, because
it will always invoke OpenSSL encryption. Disabling AES encryption is also done
in the XCOM_CONFIG_SSL file, using the ! character. The following example of
keyword values will accomplish this:
[CIPHER]
INITIATE_SIDE = ALL:!AES:!ADH:!LOW:!EXP:MD5:@STRENGTH
RECEIVE_SIDE = ALL:!AES:!ADH:!LOW:!EXP:!MD5:@STRENGTH
Business Value:
Using less general processor resource translates to cost savings. It may
directly result in reduced billable CPU usage or free up processor resources
for other tasks within the system. Another possible benefit is to defer or
eliminate the need to upgrade or add general processor capacity.
----------------------------------------------------------------------
COPROCESSOR SERIAL NUMBER STATUS AES DES ECC RSA
----------- ------------- ------ --- --- --- ---
G00         90008xx1      ACTIVE  U   A   U   A
G01         90008xx2      ACTIVE  U   A   U   A
G02         90008xx3      ACTIVE  U   A   U   A
G03         90008xx4      ACTIVE  U   A   U   A
---------------------------------------------------------------------------------
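
The two conditions in the XCOM_CONFIG_SSL excerpt above ([ICSF] side set to CLEAR, and AES excluded in [CIPHER]) can be checked per side before looking for audit records. This is an added example, not code from the thread or from CA XCOM; the function names and the sample input are constructed, and a side that does not exclude AES is reported as OpenSSL because the excerpt says AES always invokes OpenSSL.

```python
# Added example: parse_sections, encryption_path and report are hypothetical names.
SAMPLE = """\
[ICSF]
INITIATE_SIDE = CLEAR
RECEIVE_SIDE = NO
[CIPHER]
INITIATE_SIDE = ALL:!AES:!ADH:!LOW:!EXP:MD5:@STRENGTH
RECEIVE_SIDE = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
"""  # constructed input modelled on the excerpt's keywords


def parse_sections(text):
    """Return {SECTION: {KEY: value}}. The same keys (INITIATE_SIDE,
    RECEIVE_SIDE) occur in both sections, so they are kept per section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().upper(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().upper()] = value.strip()
    return sections


def encryption_path(sections, side):
    """Apply the excerpt's two conditions to one side; returns (path, reason)."""
    # NO is the documented default when the [ICSF] keyword is absent.
    icsf = sections.get("ICSF", {}).get(side, "NO").upper()
    if icsf != "CLEAR":
        return "OpenSSL", f"[ICSF] {side} is {icsf}, not CLEAR"
    tokens = sections.get("CIPHER", {}).get(side, "").upper().split(":")
    if "!AES" not in tokens:
        return "OpenSSL", f"[CIPHER] {side} does not exclude AES with !AES"
    return "ICSF", "CSNBSYE/CSNBSYD path per the excerpt"


def report(text):
    """Evaluate both sides of a configuration given as text."""
    sections = parse_sections(text)
    return {side: encryption_path(sections, side)
            for side in ("INITIATE_SIDE", "RECEIVE_SIDE")}


if __name__ == "__main__":
    for side, (path, reason) in report(SAMPLE).items():
        print(f"{side}: {path} ({reason})")
```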