Lennie,
I know the switches are related to microcode.
However, I can even change the Crypto card mode (CCA -> PKCS, etc.); I can zeroize the card. All using the regular HMC. Note: the HMC is not open to everyone. So, excuse me, I still don't understand why some switches have to be accessible from TKE only. TKE is Trusted Key Entry. It is for entering secrets, not for HW management (this is the role of HMC/SE). AFAIK none of the switches is related to secrets like MK entry, operational keys, etc. Last, but not least: someone bought a mainframe without TKE, and just because of the lack of TKE he cannot enable some features which he paid for.

Regards
--
Radoslaw Skorupka
Lodz, Poland



On 29.06.2025 at 23:31, Lennie Bradshaw wrote:
Radoslaw,

These ACPs (Access Control Points) are really security switches which are 
embedded in the microcode in the Crypto Express device. So only a process which 
can have a secure conversation with that device is able to alter the switches. 
That device is the TKE. RACF could not be used without a great deal of software 
and firmware redesign.
As for the default settings, this is a question for IBM. Perhaps someone like 
Garry Sullivan could answer such a question.

Lennie


-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Radoslaw Skorupka
Sent: 29 June 2025 14:11
To: [email protected]
Subject: ICSF ACP and TKE

I just tried to use some ICSF service and got rc=4, rsn=05A, which means some Access Control Point is disabled.
I checked the documentation - it is "DD" - Disabled by Default.
It can be enabled by the user; however, TKE is the only way to change the ACP enable/disable status.
On the other hand, TKE is an optional (paid) feature. Important: enablement of the ACP is not subject to charge (AFAIK).

So, we have a scenario where some users purchase a CPC with CryptoExpress cards plus z/OS with ICSF as a standard component, but some functionalities are unavailable to them just because they are disabled.
Theoretically the user could borrow some TKE for a while and enable it. :-)

Q1: Why are some ACPs disabled by default? What is the rationale behind it?
Q2: What is the purpose of such an (IMHO quite complex) method of enabling some features? Wouldn't it be enough to use Image Profile checkboxes on the HMC/SE and/or RACF profiles?

Just curious.

--
Radoslaw Skorupka
Lodz, Poland



----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN