Use of ICSF and PCICC in a GENCERT command


Article ID: 193284


Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 for zVM, CA ACF2 - z/OS, CA ACF2 - MISC, CA LDAP Server for z/OS, CA PAM Client for Linux for zSeries, CA Web Administrator for Top Secret

Issue/Introduction

Apparently you get an error if you specify both of these. PCICC implies ICSF, but why flag it as an error?

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

From the documentation for the GENCERT command:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/security/ca-acf2-for-z-os/16-0/administrating/digital-certificate-support/process-digital-certificates-with-ca-acf2.html#concept.dita_742faf19321a7e7286b7e3f9b1c1a66acb9562f7_GENCERTSubcommand

 

The GENCERT command syntax is:

GENCert { logonid | logonid.suffix | CERTAUTH | CERTAUTH.suffix | SITECERT | SITECERT.suffix }
    [Label(label)]
    [DSname(data-set-name)]
    [SUbjsdn([CN=common-name] [T=title] [OU=organizational-unit-name] [O=organization-name] [L=locality] [{S=state-or-province | SP=state-or-province | ST=state-or-province}] [C=country])]
    [SIZe({key-size|2048|192})]
    [PCICC|ICSF|DSA|NISTECC|BPECC]
    [ACtive({date-or-date-time|current-date-000000| current-date-time})]
    [Expire({date-or-date-time|current-date-000000| current-date-time})]
    [SIGnwith({ CERTAUTH Label(label-name) | CERTAUTH.suffix | SITECERT Label(label-name) | SITECERT.suffix) | Label(label-name)})]
    [HASHALG(SHA1|SHA256)]
    [Keyusage([HANDSHAKE][DATAENCRYPT] [DOCSIGN][CERTSIGN][KEYAGREE])]
    [ALtname([IP=numeric-ip-address] [DOMAIN=internet-domain-name] [EMAIL=email-address] [URI=universal-resource-identifier])]
    [Fromicsf(PKDS label)]
    [PKDSLBL({PKDS label|*})]

From the Command Notation documentation:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/security/ca-acf2-for-z-os/16-0/getting-started/command-notation.html

 

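It states that vertical bars between parameters have this meaning:

"Separates alternative keywords and/or parameters, select one."

PCICC and ICSF appear in the same bar-separated group in the GENCERT syntax, so only one keyword from this group can be specified:

[PCICC|ICSF|DSA|NISTECC|BPECC]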

The difference between PCICC and ICSF is the token format:

 

ICSF

Specifies that the RSA private key (or public key if the private key is not in the PKCS #11 token) for the certificate is placed in ICSF using the RSA Modulus-Exponent (ME) key token format.

PCICC

Indicates that the RSA private key (or public key if the private key is not in the PKCS #11 token) for the certificate is placed in ICSF using the RSA Chinese Remainder Theorem key token format.
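
The token-format difference described above, as an added illustration (not from the Broadcom article and not ACF2 or ICSF code): textbook RSA over constructed primes, showing that the Modulus-Exponent and Chinese Remainder Theorem forms are two representations of the same private key. All function and variable names are assumptions, and the byte layout of real ICSF key tokens is not modelled.

```python
# Added illustration: textbook RSA, no padding, constructed primes.
# Not secure and not the ICSF token layout; it only shows the two
# private-key representations that ICSF (ME) and PCICC (CRT) select between.
from math import gcd

def make_key(p, q, e=65537):
    """Derive both private-key representations from the same primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                      # private exponent
    public = {"n": n, "e": e}
    me = {"n": n, "d": d}                    # Modulus-Exponent form
    crt = {                                  # Chinese Remainder Theorem form
        "p": p, "q": q,
        "dp": d % (p - 1),                   # d reduced mod p-1
        "dq": d % (q - 1),                   # d reduced mod q-1
        "qinv": pow(q, -1, p),               # q^-1 mod p
    }
    return public, me, crt

def private_op_me(c, me):
    """Private-key operation using one full-size exponentiation."""
    return pow(c, me["d"], me["n"])

def private_op_crt(c, crt):
    """Same operation via two half-size exponentiations (Garner recombination)."""
    m1 = pow(c, crt["dp"], crt["p"])
    m2 = pow(c, crt["dq"], crt["q"])
    h = (crt["qinv"] * (m1 - m2)) % crt["p"]
    return m2 + h * crt["q"]

# Constructed sample primes (Mersenne primes 2^31-1 and 2^61-1)
P, Q = 2**31 - 1, 2**61 - 1
PUBLIC, ME_KEY, CRT_KEY = make_key(P, Q)

def roundtrip(message):
    """Encrypt with the public key, then recover with each private form."""
    c = pow(message, PUBLIC["e"], PUBLIC["n"])
    return private_op_me(c, ME_KEY), private_op_crt(c, CRT_KEY)

if __name__ == "__main__":
    print(roundtrip(123456789))
```

Both forms recover the same value from the same ciphertext; they differ only in which components are stored.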