Looks like an ICSF (CSF) issue.

ITschak Mugzach | IronSphere Platform | Information Security Continuous Monitoring for z/OS, x/Linux & IBM I | z/VM coming soon

On Mon, Apr 14, 2025 at 9:24 PM Jousma, David <[email protected]> wrote:

> Look at the pre-IPL TCPIP STC output, and compare to current.
>
> It was the messages in and around here that were bad
>
> System SSL: SHA-1 crypto assist is available
> System SSL: SHA-224 crypto assist is available
> System SSL: SHA-256 crypto assist is available
> System SSL: SHA-384 crypto assist is available
> System SSL: SHA-512 crypto assist is available
> System SSL: DES crypto assist is available
> System SSL: DES3 crypto assist is available
> System SSL: AES 128-bit crypto assist is available
> System SSL: AES 256-bit crypto assist is available
> System SSL: AES-GCM crypto assist is available
> System SSL: Cryptographic accelerator is not available
> System SSL: Cryptographic coprocessor is available
> System SSL: Public key hardware support is available
> System SSL: Max RSA key sizes in hardware - signature 4096, encryption 4096, verification 4096
> System SSL: ECC secure key support is available. Maximum key size 521
> System SSL: ICSF Secure key PKCS11 support is not available
> System SSL: ICSF FMID is HCR77E0
> EZZ0162I HOST NAME FOR TCPIP IS hmsystk2
>
> Dave Jousma
> Vice President | Director, Technology Engineering
>
> From: IBM Mainframe Discussion List <[email protected]> on behalf of Phil Smith III <[email protected]>
> Date: Monday, April 14, 2025 at 2:17 PM
> To: [email protected] <[email protected]>
> Subject: Re: GSK question
>
> > Thanks. This might be the answer, though I may not be able to tell.
> >
> > -----Original Message-----
> > From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Jousma, David
> > Sent: Monday, April 14, 2025 2:11 PM
> > To: [email protected]
> > Subject: Re: GSK question
> >
> > AFAIK, there is no shutting off SYSTEM SSL.
> >
> > Years ago, and a few generations of Crypto adapters ago, we IPL’d
> > before Crypto adapters were fully initialized (there is a time factor
> > when installing MCL’s), and System SSL was “broken” from a TCPIP
> > perspective. The fix was to recycle TCPIP, we elected to IPL, because
> > the cycle of TCPIP was just about as invasive. This caused us all kinds
> > of problems and it took a bit to track down that TCPIP came up before
> > crypto was available.
> >
> > I have no idea if this exposure still exists, but to this day, we still
> > wait for crypto adapters to be fully initialized before we IPL anything.
> >
> > Dave Jousma
> > Vice President | Director, Technology Engineering
> >
> > From: IBM Mainframe Discussion List <[email protected]> on behalf of Phil Smith III <[email protected]>
> > Date: Monday, April 14, 2025 at 1:55 PM
> > To: [email protected] <[email protected]>
> > Subject: GSK question
> >
> > Is there a way to turn off GSK (System SSL)? We have a customer who had
> > a problem where our STC suddenly wouldn't start: it would try to connect
> > (to a server off z/OS) and that would fail. Connectivity SEEMED ok
> > otherwise, and of course "nothing has changed". A gsktrace produced
> > nothing. After some back-and-forth, they reIPLed and now it's fine.
> > (Which I 50% wish they hadn't done, so we could get more info; and am
> > 50% glad they did, of course, since it fixed the problem!)
> >
> > All I can think is that GSK was broken somehow. If there was a
> > GSKsomething STC I'd kill that and try, see if I got the same symptoms,
> > but there isn't. Is it just baked into TCP/IP? Any other ideas about
> > something I can kill that would break GSK? I can do anything I want on
> > our system and then reIPL if needed.
> >
> > Thanks for any ideas.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
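
Added example (not part of the thread and not any poster's code): a Python sketch of the comparison Dave Jousma describes, parsing the "System SSL:" availability lines from two TCPIP start-ups and listing what changed. The BASELINE lines are taken from the output quoted above; the CURRENT sample is constructed, since the thread does not show the bad output.

```python
import re

# Availability lines written at TCPIP start-up, in the two forms quoted in
# the thread: "... is available" and "... is not available".
CAPABILITY = re.compile(r"System SSL: (?P<feature>.+?) is (?P<neg>not )?available\b")

# Subset of the start-up output quoted in the thread.
BASELINE = """\
System SSL: SHA-256 crypto assist is available
System SSL: AES-GCM crypto assist is available
System SSL: Cryptographic accelerator is not available
System SSL: Cryptographic coprocessor is available
System SSL: Public key hardware support is available
System SSL: ICSF FMID is HCR77E0
"""

# Constructed sample of a start-up where crypto hardware was not ready.
CURRENT = """\
System SSL: SHA-256 crypto assist is available
System SSL: AES-GCM crypto assist is available
System SSL: Cryptographic accelerator is not available
System SSL: Cryptographic coprocessor is not available
"""

def ssl_capabilities(job_output):
    """Return {feature: True/False} for every System SSL availability line."""
    caps = {}
    for line in job_output.splitlines():
        m = CAPABILITY.search(line)
        if m:
            caps[m.group("feature")] = m.group("neg") is None
    return caps

def compare(baseline, current):
    """Differences as (feature, was, now); None means the line was absent."""
    before, after = ssl_capabilities(baseline), ssl_capabilities(current)
    return [(f, before.get(f), after.get(f))
            for f in sorted(set(before) | set(after))
            if before.get(f) != after.get(f)]

def regressions(baseline, current):
    """Features available in the baseline that are missing or unavailable now."""
    return [f for f, was, now in compare(baseline, current) if was and not now]

if __name__ == "__main__":
    for feature, was, now in compare(BASELINE, CURRENT):
        print(f"{feature}: {was} -> {now}")
```

Lines that carry no availability state, such as the ICSF FMID and host name messages, are ignored by the pattern and need to be compared separately.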
