Command Propagation Facility (CPF) logging with digital certificates is accompanied by abnormally high CPU time in the Systems Management Facility (SMF) started task (STC).

Errors are seen on Integrated Cryptographic Service Facility (ICSF) startup:

 CSFM123E MASTER KEY DES ON CRYPTO EXPRESS7 COPROCESSOR nnnn, SERIAL
 NUMBER nnnnnnnn, IN ERROR.

*CSFM137E CRYPTO EXPRESS7 COPROCESSOR nnnn, SN nnnnnnnn STATUS CHANGED
 FROM Initializing stage 1 TO Master key incorrect.

CSFM505I CRYPTOGRAPHY - THERE ARE NO ACTIVE CRYPTOGRAPHIC COPROCESSORS,

Component : CA Top Secret for z/OS

z/OS 2.3.0+

The status of the CRYPTO processors shows that the system that has the issue is missing needed CRYPTO processors. ICSF needs at least one configured as an "Accelerator" to use the hardware encryption services. If ICSF can't find an "Accelerator"-configured coprocessor (crypto card) then it will use software to perform the encryption and signatures, which causes significantly higher CPU impact. 

The system administrator enters the correct values of master keys for the online coprocessors. At the next ICSF startup this message is seen: 

CSFM400I CRYPTOGRAPHY - SERVICES ARE NOW AVAILABLE

SMF CPU is seen to be restored to acceptable levels.

NOTE: If ICSF FMID HCR77B1 or later is running, the DISPLAY ICSF,CARDS operator command can also be used to show the state of cryptographic coprocessors and accelerators.

Overview of Digital Signatures and Systems Management Facilites (SMF)

IBM doc : Displaying cryptographic coprocessor status and IBM Coprocessor Management panel. 

For additional information on ICSF operator commands, see 

 z/OS Cryptographic Services ICSF System Programmer's Guide.