>So Timothy (and probably just for me), I've seen a couple
>of sites without crypto HSM cards not bother to run ICSF.
>Can I assume in that case there's pretty-much no way any
>encryption processing could be using CPACF?

ICSF supports many, many cryptography-dependent features in z/OS. Even many 
business applications that just need a simple API to get a random number rely 
on ICSF. ICSF is “darn important.” But the way you phrased your question I’d 
answer no. It’s technically possible to exploit CPACF even from within z/OS but 
without calling ICSF. One simple example that comes to mind is via the z/OS 
Container Extensions (zCX). You could have a running container image in zCX 
that’s using CPACF instructions — via an OpenSSL library, for example. (OpenSSL 
on this architecture knows how to exploit CPACF instructions and has for many 
years.) However, the container image has no direct access to ICSF.

—————
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM Z/LinuxONE, Asia-Pacific
[email protected]
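
Added example, not part of the original message and not IBM code: one way to check, from inside a Linux container such as one running under zCX, whether the kernel lists the "msa" (message-security assist, i.e. CPACF) feature without involving ICSF at all. It assumes the container sees the s390x guest's /proc/cpuinfo; the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a Linux cpuinfo dump by whether the s390x
# "msa" (message-security assist / CPACF) feature is listed.

cpacf_status() {
    # $1: path to a cpuinfo file (defaults to the live /proc/cpuinfo)
    file="${1:-/proc/cpuinfo}"
    [ -r "$file" ] || { echo "unreadable"; return 2; }

    # s390x kernels report "vendor_id : IBM/S390"; anything else is out of scope
    if ! grep -q '^vendor_id[[:space:]]*:[[:space:]]*IBM/S390' "$file"; then
        echo "not-s390x"; return 1
    fi

    # Take the first "features" line and match msa as a whole token,
    # so a longer flag that merely contains "msa" does not count.
    feats=$(sed -n 's/^features[[:space:]]*:[[:space:]]*//p' "$file" | head -n 1)
    for f in $feats; do
        if [ "$f" = "msa" ]; then
            echo "cpacf-advertised"; return 0
        fi
    done
    echo "cpacf-not-advertised"; return 1
}

# Constructed sample resembling an s390x guest (not captured from a real system)
write_sample() {
    cat > "$1" <<'EOF'
vendor_id       : IBM/S390
features        : esan3 zarch stfle msa ldisp eimm dfp edat etf3eh highgprs te vx
EOF
}

# Stand-alone use: report on the given file, or on this system if none is given
cpacf_status "${1:-/proc/cpuinfo}" || true
```

The flag only shows that the instructions are available to the guest; whether a given library actually uses them is a separate question (OpenSSL on s390x reads the OPENSSL_s390xcap environment variable, which can mask capabilities).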


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
