There may have been changes to Connect Direct since the last time I worked with it, but I suspect ICSF is required if you want to leverage the hardware technology, and specifically the CEX cards. As Kirk points out, if you want to use the random number generation on hardware then you need ICSF active. (And you probably do want the performance of RNG in hardware.) Similarly, for System SSL, if you want to use the Crypto Express cards for authentication (public/private key operations), then ICSF needs to be active. Enabling the cards and having ICSF active can make a big difference in throughput and capacity (CPU savings), but strictly speaking it's probably not required unless you configure the environment to use the crypto hardware.
Greg Boyd Mainframe Crypto www.mainframecrypto.com On Fri, 18 Jan 2019 17:55:51 -0600, Steve beaver <st...@stevebeaver.com> wrote: >Also it’s required for Connect Direct > >Sent from my iPhone > >Sorry for the finger checks > >> On Jan 18, 2019, at 17:29, Kirk Wolf <k...@wolf-associates.com> wrote: >> >> ICSF is currently required if you want to use the Unix /dev/random and >> /dev/urandom devices. >> These might be required by Unix apps (or jobs/stcs that use z/OS Unix >> System services). >> >> For exampe: IBM OpenSSH server will not work without ICSF and /dev/random >> available. >> >> On Fri, Jan 18, 2019 at 5:24 PM Greg Boyd <gregb...@mainframecrypto.com> >> wrote: >> >>> ICSF is only required if you want to use the ICSF APIs, so it depends on >>> what, if anything in your shop might be using the APIs. System SSL (TLS) >>> will certainly leverage the APIs if you have Crypto Express cards available >>> and that might provide some CPU relief. The Guardium Database Encryption >>> Tool requires it if you want to encrypt IMS segments or DB2 tables at the >>> row level. >>> >>> Pervasive is getting a lot of attention and if you're going that route, I >>> would highly recommend that ICSF be active everywhere. You don't want one >>> system writing ciphertext to a file and another system thinking that the >>> file is cleartext. IBM is also recommending that ICSF be 'always up'. >>> They have made a number of changes to the component so that it will come up >>> earlier in the IPL and it should be one of the last tasks running. >>> >>> Given the growth in crypto workload, I take 'always up' to also mean >>> 'running everywhere'. There are simply more things that can leverage ICSF, >>> some optionally and some require it. >>> >>> I'm not sure why DFSMShsm would need ICSF active, unless they were using >>> the Encryption Facility for z/OS with the DFSMSdss feature. >>> >>> Greg Boyd >>> Mainframe Crypto >>> www.mainframecrypto.com >>> >>> >>> >>> On Fri, 18 Jan 2019 18:16:37 +0000, Mary Kay Tubello <mtube...@humana.com> >>> wrote: >>> >>>> Hello all, >>>> >>>> Does anyone know if z/os 2.3 requires ICSF to be installed on each LPAR? >>>> >>>> Thanks, >>>> Mary Kay >>>> >>>> Large Systems Engineering >>>> IT Infrastructure >>>> Humana >>>> 123 E. Main St. 40202 (CT6) >>>> 502-476-2772 >>>> mtube...@humana.com<mailto:mtube...@humana.com> >>>> >>>> >>>> >>>> >>>> ---------------------------------------------------------------------- >>>> For IBM-MAIN subscribe / signoff / archive access instructions, >>>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN >>> >>> ---------------------------------------------------------------------- >>> For IBM-MAIN subscribe / signoff / archive access instructions, >>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN >>> >> >> ---------------------------------------------------------------------- >> For IBM-MAIN subscribe / signoff / archive access instructions, >> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > >---------------------------------------------------------------------- >For IBM-MAIN subscribe / signoff / archive access instructions, >send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
