ACF2 response to ICSF message CSFM654I
Article ID: 252417
Updated On:
Products
Issue/Introduction
This ICSF( Integrated Cryptographic Service Facility) message is seen at ICSF initialization:
CSFM654I KEY ARCHIVING USE CONTROL IS DISABLED.
The IBM doc on the message provides RACF response information:
The profile that activates the key archive use control is the CSF.KDS.KEY.ARCHIVE.USE resource in the XFACILIT class.
RACF commands may be used to define, change, list, or delete the profiles that cover these resources in the XFACILIT class.
Further IBM documentation on CSF.KDS.KEY.ARCHIVE.USE provides more information and a RACF example.
How can this feature be ENABLED in ACF2?
Environment
Release : 16.0
z/OS 2.4.0
Cause
During ICSF initialization ACF2 processes an initial RACROUTE EXTRACT call made under the type code of the resource class looking for an "existence rule" (no rule lines needed) that matches the profile record.
PKA Key Management Extensions controls enabling use of archived KDS records have not yet been established by ACF2 security admininistrator.
Resolution
To enable the key archive use control for all key data sets, enter the following commands at the TSO ACF prompt:
SET RESOURCE(XFC)
RESOURCE
RECKEY PKA ADD(CSF.KDS.KEY.ARCHIVE.USE)
ACF70010 ACF COMPILER ENTERED
$KEY(PKA) TYPE(XFC)
CSF.KDS.KEY.ARCHIVE.USE
ACF70051 TOTAL RECORD LENGTH= 255 BYTES, 1 PERCENT UTILIZED
ACF60207 RULE R XFC PKA INSERTED
ACF60039 Issue the F ACF2,REBUILD(XFC) command to activate the rule
RESOURCE
F ACF2,REBUILD(XFC)
ACF8A036 DIRECTORY RXFC HAS BEEN REBUILT
RESOURCE
Additional Information
See also
Feedback
