Symptoms:
I have just upgraded to ACF2 for z/OS r16.0 and now I am getting message ACF0A217 when inserting
a certificate using the GENCERT command. I am specifying the ICSF parameter.
GENCERT r16.icsfcert su(cn='r16 cert with ICSF & default 2048 keysize') ICSF
I receive the error message:
ACF0A217 Key size of certificate requires PCI Cryptographic Coprocessor.
Specify PCICC instead of ICSF
When I insert the certificate on an ACF2 for z/OS r15.0 system it works successfully.
GENCERT r15.icsfcert su(cn='r15 cert with ICSF & default 1024 keysize') ICSF
CERTDATA / R15.ICSFCERT LAST CHANGED BY USER001 ON 11/16/15-12:44
CERTNSER(0000000000000001) ICSF
ISSUERDN(CN=r15 cert with ICSF & default 1024 keysize)
KEYSIZE(1,024) LABEL(R15.ICSFCERT) SERIAL#(00)
SUBJDN(CN=r15 cert with ICSF & default 1024 keysize)
TRUST
Certificate is not connected to any key rings
Resolution:
In ACF2 for z/OS r16.0, the default certificate key size changed from 1024 to 2048.
The ICSF option has an upper limit of 1024, so any GENCERT request that specifies ICSF with no SIZE
parameter gets this error message on r16:
? gencert r16.icsfcert su(cn='r16 cert with ICSF & default 2048 keysize') ICSF
ACF0A217 Key size of certificate requires PCI Cryptographic Coprocessor.
Specify PCICC instead of ICSF
On r15 a similar GENCERT command with ICSF and no KEYSIZE works OK:
? gencert r15.icsfcert su(cn='r15 cert with ICSF & default 1024 keysize') ICSF
CERTDATA / R15.ICSFCERT LAST CHANGED BY USER001 ON 11/16/15-12:44
CERTNSER(0000000000000001) ICSF
ISSUERDN(CN=r15 cert with ICSF & default 1024 keysize)
KEYSIZE(1,024) LABEL(R15.ICSFCERT) SERIAL#(00)
SUBJDN(CN=r15 cert with ICSF & default 1024 keysize)
TRUST
The solution is to specify PCICC instead of ICSF.
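A pre-upgrade check for the behaviour described above, as an added example that is not part of the original article or of the product: it scans GENCERT commands for the ICSF keyword combined with an effective key size above 1024. The function names and the SIZE(n) operand form are assumptions; the sample commands other than the two from the article are constructed.

```python
ICSF_MAX_BITS = 1024     # ICSF upper limit stated in the article
R16_DEFAULT_BITS = 2048  # r16.0 default key size stated in the article

def top_level_tokens(cmd):
    """Split on blanks that are outside quotes and parentheses, so the word
    ICSF inside su(cn='... ICSF ...') is not mistaken for the keyword."""
    tokens, cur, depth, quoted = [], [], 0, False
    for ch in cmd:
        if ch == "'":
            quoted = not quoted
        elif not quoted:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth = max(depth - 1, 0)
            elif ch.isspace() and depth == 0:
                if cur:
                    tokens.append("".join(cur))
                    cur = []
                continue
        cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens

def key_size_problem(cmd, default_bits=R16_DEFAULT_BITS):
    """Return a reason string if this GENCERT would hit ACF0A217, else None."""
    tokens = top_level_tokens(cmd.lstrip("? ").strip())
    if not tokens or tokens[0].upper() != "GENCERT":
        return None
    keywords = {}
    for tok in tokens[1:]:
        name, _, rest = tok.partition("(")
        keywords[name.upper()] = rest.rstrip(")")
    if "ICSF" not in keywords:
        return None
    size_text = keywords.get("SIZE", "").replace(",", "")  # SIZE(n) form is assumed
    if size_text and not size_text.isdigit():
        return f"cannot parse SIZE({size_text})"
    bits = int(size_text) if size_text else default_bits
    if bits > ICSF_MAX_BITS:
        origin = "explicit SIZE" if size_text else "release default"
        return f"{bits}-bit key ({origin}) exceeds ICSF limit of {ICSF_MAX_BITS}"
    return None

SAMPLE = [  # first entry is from the article; the rest are constructed
    "GENCERT r16.icsfcert su(cn='r16 cert with ICSF & default 2048 keysize') ICSF",
    "GENCERT test.cert1 su(cn='constructed, explicit size') ICSF SIZE(1024)",
    "GENCERT test.cert2 su(cn='constructed, mentions ICSF in text only') PCICC",
]
```

Passing `default_bits=1024` models the r15.0 default, under which the article's r15 command is accepted.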