Is the 2T LMP key required for Tape Encryption? I'm receiving the message 'CAS9180E - CPU xxxxxx Requires a LMP key to run Prod (2T)' every hour in the BES1 task.
search cancel

Is the 2T LMP key required for Tape Encryption? I'm receiving the message 'CAS9180E - CPU xxxxxx Requires a LMP key to run Prod (2T)' every hour in the BES1 task.

book

Article ID: 220249

calendar_today

Updated On:

Products

Tape Encryption

Issue/Introduction

When the BES1 task is running, the following message is appearing in the BES1 STC output messages every hour: 

CAS9180E - CPU xxxxxx Requires a LMP key to run Prod (2T) 

We found LMP Key 2T that seems to reference Tape Encryption as the SKU (starts with BTE*).  We know we don't have NetMaster running on the LPAR so we assume this is somehow tied to product Tape Encryption:   

Description

LMP Key

TOPS Code

SAP Code

Encryption Key Manager Option for Key Management

2T

BTEAMN00200

BTEAMN002

NetMaster Network Operations for TCP/IP

2T

UNNO..00200

UNNOXX002

Do we need to have a 2T LMP key if we are just running Tape Encryption for CA-1?

When is the 2T key required?

Environment

Release : 14.5

Component : Tape Encryption

Cause

The CAS9180E message is appearing in the BES1 task because the 2T LMP key is still in a semi-active state, even though it is not needed by Tape Encryption.

Resolution

The 2T LMP key is not needed to run Tape Encryption with CA-1.  As a matter of fact, the Tape Encryption component that was previously associated with this LMP key, the Key Manager Option (EKM), is no longer supported in Tape Encryption (this product went EOL in late 2013).  The following batch job can be run to list the active LMP info: 

//CAIRIMU  EXEC PGM=CAIRIMU                                    
//STEPLIB  DD  DISP=SHR,DSN=<your.ccs.CAW0LINK>
//PARMLIB  DD  *                                               
CAIRIMU PROD                                     
/*

Even though the output from the CAIRIMU utility shows the 2T LMP key in an 'inactive' state, the CAS9180E message is still appearing in the BES1 task every hour.   Also, the Tape Encryption parameter 'CAKMEnable' is set to 'N', and the 'IBMEKMKeysDatabase' parameter is set to 'NONE'.  

This error condition can occur only if: 1) There HAD been a valid key at the time of the last system IPL, 2) There exists a 2T key that will expire in 30 days. If a 2T key is not present AND it never existed at the last IPL, then CATE/BTE will not be checking for it every hour.  What has happened is that there was a 2T key active at the time of the last IPL, but is not present now.  The only way to clear out this message is to perform another system IPL.  LMP keys can only be fully removed with an IPL.  

Powered by Wolken Software