Zeroizing the card is a holdover from previous hardware. I'm not going to 
claim that it's the best idea to allow this, but we couldn't reasonably take it 
away given its intended use.

It was a design decision that ACPs can be manipulated only from a TKE. That 
ship sailed about a quarter century ago, so it isn't going to change.

TKE is trusted key entry AND MORE. ADT is American Data and Telegraph but now 
they do home security. AT&T no longer does telegraph but they do much more than 
just telephony. You get my point.

There are switches to control loading of MKs, operational keys, use of various 
keys, etc.

Someone who bought a mainframe without TKE got exactly what they paid for. 
Which particular ACP is blocking the function you are trying to use?

Eric Rossman
---------------------------------
ICSF Security Architect
z/OS Security
---------------------------------

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
Radoslaw Skorupka
Sent: Monday, June 30, 2025 10:53 AM
To: [email protected]
Subject: [EXTERNAL] Re: ICSF ACP and TKE

Lennie,
I know the switches are related to microcode.
However, I can even change the Crypto card mode (CCA -> PKCS, etc.). I can zeroize 
the card. All using the regular HMC. Note: HMC is not open to everyone.
So, excuse me, I still don't understand why some switches have to be accessible 
from TKE only.
TKE is trusted KEY ENTRY. It is for entering secrets, not for HW management 
(this is the role of HMC/SE).
AFAIK none of the switches is related to secrets like MK entry, operational 
keys, etc.
Last, but not least: someone bought a mainframe without TKE - and just because 
of the lack of TKE he cannot enable some features which he paid for.

Regards
--
Radoslaw Skorupka
Lodz, Poland



On 29.06.2025 at 23:31, Lennie Bradshaw wrote:
> Radoslaw,
>
> These ACPs (Access Control Points) are really security switches which are 
> embedded in the microcode in the Crypto Express device. So only a process 
> which can have a secure conversation with that device is able to alter the 
> switches. That device is the TKE. RACF could not be used without a great deal 
> of software and firmware redesign.
> As for the default settings, this is a question for IBM. Perhaps someone like 
> Garry Sullivan could answer such a question.
>
> Lennie
>
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
> Radoslaw Skorupka
> Sent: 29 June 2025 14:11
> To: [email protected]
> Subject: ICSF ACP and TKE
>
> I just tried to use some ICSF service and got rc=4, rsn=05A, which means some 
> Access Control Point is disabled.
> I checked the documentation - it is "DD" - Disabled by Default.
> It can be enabled by the user; however, TKE is the only way to change the ACP 
> enable/disable status.
> On the other hand, TKE is an optional (paid) feature. Important:
> enablement of the ACP is not subject to charge (AFAIK).
>
> So, we have a scenario where some users purchase a CPC with CryptoExpress cards 
> plus z/OS with ICSF as a standard component, but some functionalities are 
> unavailable to them just because they are disabled.
> Theoretically the user could borrow some TKE for a while and enable it. :-)
>
> Q1: Why are some ACPs disabled by default? What is the rationale behind it?
> Q2: What is the purpose of such an (IMHO quite complex) method of enabling 
> some features? Wouldn't it be enough to use Image Profile checkboxes on HMC/SE 
> and/or RACF profiles?
>
> Just curious.
>
> --
> Radoslaw Skorupka
> Lodz, Poland
>
>

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
