You must have a CCA Coprocessor to initialize a PKDS.  From the current SPG, 
for HCR77D1 (SC14-7507-09, p. 431), Appendix F:
If only the CPACF feature is installed, you will not be able to:
1. Set master keys.
2. Initialize the PKDS.
3. Store keys in the PKDS.

That has been true for a long time.  
You can't have a clear key only PKDS.  I guess if you are using your security 
product database as your certificate repository, then your private keys are in 
a clear key repository.

You can have a clear key only CKDS if you don't have a CCA Coprocessor, but as 
Lennie points out, that is a one-way path.  You can't later add Crypto Express 
cards and migrate the keys in the CKDS.  That option is not available for the 
PKDS.

And the new support on the z15 for RSA keys is clear key only.  The CPACF will 
only work with the public key part of the key pair.
Greg 
Mainframe Crypto
www.mainframecrypto.com


On Thu, 16 Jul 2020 15:05:15 -0500, John McKown <john.archie.mck...@gmail.com> 
wrote:

>FWIW, this is what I see when I bring up CSF:
>
>IEF403I CSF - STARTED - TIME=13.13.39
>CSFO0230 CKDSN(TSSPV.CSF.CKDS)
>CSFO0230 PKDSN(TSSPV.CSF.PKDS)
>CSFO0230 COMPAT(NO)
>CSFO0230 SSM(YES)
>CSFO0230 KEYAUTH(NO)
>CSFO0230 CHECKAUTH(NO)
>CSFO0230 USERPARM(USERPARM)
>CSFO0230 CKTAUTH(YES)
>CSFO0230 TRACEENTRY(10000)
>CSFO0230 REASONCODES(ICSF)
>CSFO0166 DEFAULT CICS WAIT LIST WILL BE USED.
>CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.
>CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
>CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
>CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.
>CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.
>CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
>CSFM101E PKA KEY DATA SET, TSSPV.CSF.PKDS IS NOT INITIALIZED.
>CSFM507I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC COPROCESSORS ONLINE.
>CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE.
>CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION.
>CSFM001I ICSF INITIALIZATION COMPLETE
>CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
>
>I think the following message means/implies no use of PKDS
>
>  CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION.
>
>
>On Thu, Jul 16, 2020 at 12:45 PM John McKown <john.archie.mck...@gmail.com>
>wrote:
>
>> This is for a very old z/OS 1.12 system running on a z9BC. CPACF is
>> enabled in the machine. There are no cryptographic coprocessors installed.
>> I can initialize the CKDS using the panel. But when I try to initialize the
>> PKDS, the panel displays "OPTION NOT ACTIVE". PF1 displays "THE SELECTED
>> PANEL OPTION IS NOT AVAILABLE WITH YOUR CURRENT SYSTEM CONFIGURATION"
>>
>> Is this normal? Can I not use the PKDS on a system with only CPACF? Or do
>> I need to enable some other option somewhere?
>>
>> Thanks.
>>
>> --
>> People in sleeping bags are the soft tacos of the bear world.
>> Maranatha! <><
>> John McKown
>>
>
>
>--
>People in sleeping bags are the soft tacos of the bear world.
>Maranatha! <><
>John McKown
>
>----------------------------------------------------------------------
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
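
An added example (not from either poster or from IBM): a small Python parser for the ICSF startup messages quoted in this thread. It rejoins mail-wrapped lines and reports the conditions the reply above ties to a PKDS that cannot be initialized. The flag names and the `pkds_blocked` field are this example's own; the message IDs and data set names come from the quoted log.

```python
import re

# Excerpt of the startup log quoted in the thread. The quote markers and the
# one wrapped line are constructed here to exercise continuation handling.
SAMPLE_LOG = """\
>CSFO0230 CKDSN(TSSPV.CSF.CKDS)
>CSFO0230 PKDSN(TSSPV.CSF.PKDS)
>CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
>CSFM101E PKA KEY DATA SET, TSSPV.CSF.PKDS IS NOT INITIALIZED.
>CSFM507I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC COPROCESSORS
>ONLINE.
>CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION.
>CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
"""

MSG_RE = re.compile(r"^([A-Z]{3,4}\d{3,4}[A-Z]?)\s+(.*)$")
OPT_RE = re.compile(r"^(\w+)\((.*)\)$")
# Message IDs taken from the thread; the labels are this example's own wording.
FLAGS = {
    "CSFM507I": "no_coprocessor_online",
    "CSFM101E": "pkds_not_initialized",
    "CSFM122I": "pka_services_not_enabled",
    "CSFM126I": "cpu_based_services_available",
}

def parse_messages(text):
    """Return [(msg_id, body)], rejoining lines the mailer wrapped."""
    msgs = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        m = MSG_RE.match(line)
        if m:
            msgs.append([m.group(1), m.group(2)])
        elif line and msgs:          # continuation of the previous message
            msgs[-1][1] += " " + line
    return [tuple(m) for m in msgs]

def assess(text):
    """Summarise ICSF options and the PKDS-related state seen at startup."""
    msgs = parse_messages(text)
    options = {}
    for mid, body in msgs:
        m = OPT_RE.match(body) if mid == "CSFO0230" else None
        if m:
            options[m.group(1)] = m.group(2)
    flags = sorted({FLAGS[mid] for mid, _ in msgs if mid in FLAGS})
    # Per the reply above: without a CCA coprocessor the PKDS cannot be initialized.
    blocked = bool({"no_coprocessor_online", "pkds_not_initialized"} & set(flags))
    return {"options": options, "flags": flags, "pkds_blocked": blocked}
```

`assess()` accepts the log with or without `>` quote markers, so it can be run on joblog text or on a pasted mail excerpt.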
