From LOOKAT: *CSFM125I CRYPTOGRAPHY - LIMITED CPU-BASED SERVICES ARE AVAILABLE.*
*Explanation:* This is an informational message. ICSF is up and remains started. Only SHA-1 and SHA-2 services are available. The DES CPACF feature code is not enabled.

On Fri, Dec 16, 2011 at 2:46 PM, David Booher <david.boo...@quest.com> wrote:

> Yes, my CSF will run:
>
> 13.46.16 STC01522 $HASP373 CSF STARTED
> 13.46.17 STC01522 CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.
> 13.46.17 STC01522 CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
> 13.46.17 STC01522 CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
> 13.46.17 STC01522 CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.
> 13.46.17 STC01522 CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.
> 13.46.17 STC01522 CSFM101E PKA KEY DATA SET, CSF.CSFPKDS IS NOT INITIALIZED.
> 13.46.17 STC01522 CSFM506I CRYPTOGRAPHY - THERE IS NO ACCESS TO ANY CRYPTOGRAPHIC COPROCESSORS OR ACCELERATORS.
> 13.46.17 STC01522 CSFM012I NO ACCESS CONTROL AVAILABLE FOR CRYPTOZ RESOURCES. ICSF PKCS11 SERVICES DISABLED.
> 13.46.18 STC01522 CSFM009I NO ACCESS CONTROL AVAILABLE FOR ICSF SERVICES OR KEYS
> 13.46.18 STC01522 *CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION.
> 13.46.18 STC01522 CSFM001I ICSF INITIALIZATION COMPLETE
> 13.46.18 STC01522 CSFM125I CRYPTOGRAPHY - LIMITED CPU-BASED SERVICES ARE AVAILABLE.
>
> But just what "limited" ciphers I have available is the question.
>
> Dave
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Tom Simons
> Sent: Friday, December 16, 2011 12:09 PM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: Calling all "crypto" gurus
>
> ICSF will work on the z800 without crypto hardware. From the document mentioned below:
> "ICSF is a software component of z/OS providing cryptographic support either in its own software routines or through access to the cryptographic hardware available on the platform."
> We used ICSF's software routines for AES encryption, back when the crypto hardware only supported DES.
>
> See "ICSF Version and FMID Cross Ref_110909.pdf" from this webpage:
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/TD103782.
>
> On Fri, Dec 16, 2011 at 9:26 AM, Finch, Steve (ES - Mainframe) <steve.fi...@hp.com> wrote:
>
> > David Booher wrote:
> >
> > > I have a z800 with no cryptographic processor installed. I'm attempting to use the SECURE SSL port on DB2 to establish a connection. I've pretty much stepped thru the entire RedPaper on this. It seems the client (running IBM's gskit) doesn't want to negotiate a cipher to use with the mainframe. I know since I don't have a crypto processor, I'm very limited in what I can support on the mainframe. By doing an SSLSCAN, I do see that the mainframe does offer two specific ciphers to be used, however the client doesn't want to negotiate those ciphers.
> >
> > Without a CCF (cryptographic processor) on a z800, you are very limited in what ciphers you can use. You can use 'NULL-SHA' and 'NULL-MD5' ciphers. That's it. Your client must be configured to accept and use one of these two ciphers to connect with DB2's Secure SSL on your z800.
> >
> > However a "good" client would not support 'NULL-SHA' and 'NULL-MD5' ciphers. They are not really secure. It's not doing encryption.
> >
> > In short without a CCF (cryptographic processor) on your z800, you cannot do "good" SSL.
> >
> > Steve Finch
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
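
Why a default client finds nothing to negotiate with the two suites named in the thread, as an added example that is not part of any poster's message: Python's `ssl` module (OpenSSL) stands in here for the GSKit client, and `SERVER_OFFER` is a constructed list holding the two suite names quoted above. The function names are illustrative.

```python
import ssl

# Constructed sample input: the two suites the thread says the z800 offers,
# spelled with the OpenSSL names that sslscan prints.
SERVER_OFFER = ["NULL-SHA", "NULL-MD5"]


def no_encryption(suite):
    """True when the OpenSSL suite name has NULL as its cipher component."""
    return "NULL" in suite.upper().split("-")


def client_suites(ctx=None):
    """Names of the suites a client context is willing to propose."""
    ctx = ctx or ssl.create_default_context()
    return [c["name"] for c in ctx.get_ciphers()]


def assess(server_offer, ctx=None):
    """Compare a server's offered suites with what the client will propose."""
    enabled = set(client_suites(ctx))
    common = [s for s in server_offer if s in enabled]
    encrypting = [s for s in server_offer if not no_encryption(s)]
    if not common:
        verdict = "no shared suite: handshake fails"
    elif all(no_encryption(s) for s in common):
        verdict = "shared suites are NULL only: session would be cleartext"
    else:
        verdict = "an encrypting suite is shared"
    return {
        "common": common,
        "server_encrypting": encrypting,
        "client_enables_null": sorted(s for s in enabled if no_encryption(s)),
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Assumption: the local OpenSSL build uses its stock default cipher list.
    for key, value in assess(SERVER_OFFER).items():
        print(f"{key}: {value}")
```

An empty `server_encrypting` list is the finding to act on: whatever the client is configured to accept, nothing on that port would be encrypted.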