Greg - /dev/random use does require ICSF to be started, but is it affected (improved) by the presence of a crypto card? That was not my understanding, but I could be wrong.

On Tue, Jan 22, 2019 at 7:27 AM Greg Boyd <gregb...@mainframecrypto.com> wrote:

> There may have been changes to Connect Direct since the last time I worked
> with it, but I suspect ICSF is required if you want to leverage the
> hardware technology, and specifically the CEX cards. As Kirk points out,
> if you want to use the random number generation on hardware then you need
> ICSF active. (And you probably do want the performance of RNG in
> hardware.) Similarly, for System SSL, if you want to use the Crypto
> Express cards for authentication (public/private key operations), then ICSF
> needs to be active. Enabling the cards and having ICSF active can make a
> big difference in throughput and capacity (CPU savings), but strictly
> speaking it's probably not required unless you configure the environment to
> use the crypto hardware.
>
> Greg Boyd
> Mainframe Crypto
> www.mainframecrypto.com
>
>
> On Fri, 18 Jan 2019 17:55:51 -0600, Steve beaver <st...@stevebeaver.com>
> wrote:
>
> >Also it’s required for Connect Direct
> >
> >Sent from my iPhone
> >
> >Sorry for the finger checks
> >
> >> On Jan 18, 2019, at 17:29, Kirk Wolf <k...@wolf-associates.com> wrote:
> >>
> >> ICSF is currently required if you want to use the Unix /dev/random and
> >> /dev/urandom devices.
> >> These might be required by Unix apps (or jobs/stcs that use z/OS Unix
> >> System services).
> >>
> >> For example: IBM OpenSSH server will not work without ICSF and
> >> /dev/random available.
> >>
> >> On Fri, Jan 18, 2019 at 5:24 PM Greg Boyd <gregb...@mainframecrypto.com>
> >> wrote:
> >>
> >>> ICSF is only required if you want to use the ICSF APIs, so it depends
> >>> on what, if anything in your shop might be using the APIs. System SSL
> >>> (TLS) will certainly leverage the APIs if you have Crypto Express cards
> >>> available and that might provide some CPU relief. The Guardium Database
> >>> Encryption Tool requires it if you want to encrypt IMS segments or DB2
> >>> tables at the row level.
> >>>
> >>> Pervasive is getting a lot of attention and if you're going that
> >>> route, I would highly recommend that ICSF be active everywhere. You
> >>> don't want one system writing ciphertext to a file and another system
> >>> thinking that the file is cleartext. IBM is also recommending that ICSF
> >>> be 'always up'. They have made a number of changes to the component so
> >>> that it will come up earlier in the IPL and it should be one of the
> >>> last tasks running.
> >>>
> >>> Given the growth in crypto workload, I take 'always up' to also mean
> >>> 'running everywhere'. There are simply more things that can leverage
> >>> ICSF, some optionally and some require it.
> >>>
> >>> I'm not sure why DFSMShsm would need ICSF active, unless they were
> >>> using the Encryption Facility for z/OS with the DFSMSdss feature.
> >>>
> >>> Greg Boyd
> >>> Mainframe Crypto
> >>> www.mainframecrypto.com
> >>>
> >>>
> >>> On Fri, 18 Jan 2019 18:16:37 +0000, Mary Kay Tubello
> >>> <mtube...@humana.com> wrote:
> >>>
> >>>> Hello all,
> >>>>
> >>>> Does anyone know if z/os 2.3 requires ICSF to be installed on each
> >>>> LPAR?
> >>>>
> >>>> Thanks,
> >>>> Mary Kay
> >>>>
> >>>> Large Systems Engineering
> >>>> IT Infrastructure
> >>>> Humana
> >>>> 123 E. Main St. 40202 (CT6)
> >>>> 502-476-2772
> >>>> mtube...@humana.com
> >>>>
> >>>> ----------------------------------------------------------------------
> >>>> For IBM-MAIN subscribe / signoff / archive access instructions,
> >>>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN