
Top Secret FASTAUTH support for SMF encryption


Article ID: 215409


Updated On:

Products

Top Secret

Issue/Introduction

The following signature failure messages are issued at IPL time:

IFA743I SMF SIGNATURE GENERATION FAILURE DIAGNOSTIC INFORMATION 118 
        FOR LOGSTREAM IFASMF.HO43.LOGSTRMA                          
        TOKENNAME CITI#GBL#SMF#ICSF#PKCS11#2020#01                  
        HASH SHA512 SERVICE NAME CSFPOWH                            
        RC=00000008 RSN=00000BD2                                    

CSFM011I FASTAUTH IS NOT SUPPORTED BY THE INSTALLED SECURITY PRODUCT.   
CSFM012I NO ACCESS CONTROL AVAILABLE FOR CRYPTOZ RESOURCES. ICSF PKCS11 
SERVICES DISABLED.                                                      
CSFM009I NO ACCESS CONTROL AVAILABLE FOR ICSF SERVICES OR KEYS          

 

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

When ICSF starts up, it checks for a flag (RCVTXMFR) in RACF's RCVT control block. This flag is set ON by the RACF initialization routine. When RACF senses that the security system is TSS and not RACF, it does not turn that bit ON.

Please ask TSS to check whether TSS also turns this flag ON. If it does, it probably turns it ON during TSS initialization, but that would mean ICSF initialization had completed earlier.

To get ICSF to realize that TSS is fully up, consider recycling ICSF by entering the SETICSF PAUSE command. This command restarts ICSF and causes ICSF initialization to run again. Please do this after all System SSL applications have been initialized, so that System SSL will keep trying to use ICSF when ICSF becomes available again. Do not do this earlier, because if the System SSL applications are up while ICSF is down, they will never use crypto hardware, even when ICSF comes back up later.
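To confirm after an IPL whether a system shows the message pattern above before deciding to recycle ICSF, the console log can be checked automatically. The following is an added example, not code from the vendor or from this article: the function names are hypothetical, the sample log is constructed from the messages quoted above, and it assumes each log line starts with the message ID (timestamp or system prefixes in a real SYSLOG extract would have to be stripped first).

```python
import re

# Constructed sample: the console messages quoted in this article.
SAMPLE_LOG = """\
IFA743I SMF SIGNATURE GENERATION FAILURE DIAGNOSTIC INFORMATION 118
        FOR LOGSTREAM IFASMF.HO43.LOGSTRMA
        TOKENNAME CITI#GBL#SMF#ICSF#PKCS11#2020#01
        HASH SHA512 SERVICE NAME CSFPOWH
        RC=00000008 RSN=00000BD2
CSFM011I FASTAUTH IS NOT SUPPORTED BY THE INSTALLED SECURITY PRODUCT.
CSFM012I NO ACCESS CONTROL AVAILABLE FOR CRYPTOZ RESOURCES. ICSF PKCS11
SERVICES DISABLED.
CSFM009I NO ACCESS CONTROL AVAILABLE FOR ICSF SERVICES OR KEYS
"""

MSG_ID = re.compile(r"\s*([A-Z]{3,5}\d{3,4}[A-Z])\s")  # e.g. IFA743I, CSFM011I
FIELDS = {  # diagnostic fields carried by IFA743I
    "logstream": r"FOR LOGSTREAM (\S+)",
    "tokenname": r"TOKENNAME (\S+)",
    "hash": r"HASH (\S+)",
    "service": r"SERVICE NAME (\S+)",
    "rc": r"RC=([0-9A-F]{8})",
    "rsn": r"RSN=([0-9A-F]{8})",
}

def parse_messages(log_text):
    """Group lines into (message_id, text); a line without an id continues the previous message."""
    messages = []
    for line in log_text.splitlines():
        m = MSG_ID.match(line)
        if m:
            messages.append([m.group(1), line.strip()])
        elif messages and line.strip():
            messages[-1][1] += " " + line.strip()
    return [tuple(msg) for msg in messages]

def diagnose(log_text):
    """Flag the article's pattern: SMF signing fails while ICSF reports no access control."""
    messages = parse_messages(log_text)
    ids = {msg_id for msg_id, _ in messages}
    failures = [
        {k: (m.group(1) if (m := re.search(p, text)) else None) for k, p in FIELDS.items()}
        for msg_id, text in messages if msg_id == "IFA743I"
    ]
    return {
        "failures": failures,
        "fastauth_unsupported": "CSFM011I" in ids,
        "pkcs11_disabled": "CSFM012I" in ids,
        "matches_article_pattern": bool(failures) and bool(ids & {"CSFM011I", "CSFM012I", "CSFM009I"}),
    }
```

Running `diagnose()` again on the log captured after the ICSF recycle shows whether IFA743I and the CSFM messages have stopped appearing.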