Gary, That is correct, but I was asking about (before OA55437) whether when using ICSF for /dev/random whether a card was used and if so whether it makes any difference.
On Tue, Jan 22, 2019 at 6:09 PM Gary Freestone <maz...@iinet.net.au> wrote: > This was announced by IBM last August. > > “With the PTFs for APAR OA55437, customers on z/OS V2.2 and V2.3 can now > generate true random numbers via /dev/random when running on the IBM z14™ > family of servers, without needing to set up the Integrated Cryptographic > Service Facility (ICSF). This new support is significant for users of > OpenSSH, who may now use functions such as sftp and ssh without needing to > set up ICSF, especially when using the new function introduced last year in > APAR OA54299 (also for z/OS V2.2 and V2.3) allowing OpenSSH to use the > CPACF instructions, when present, directly for certain ciphers and MACs > > Regards, Gary > > > Sent from Mail for Windows 10 > > From: Kirk Wolf > Sent: Saturday, 19 January 2019 10:30 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: ICSF and z/OS 2.3 > > ICSF is currently required if you want to use the Unix /dev/random and > /dev/urandom devices. > These might be required by Unix apps (or jobs/stcs that use z/OS Unix > System services). > > For exampe: IBM OpenSSH server will not work without ICSF and /dev/random > available. > > On Fri, Jan 18, 2019 at 5:24 PM Greg Boyd <gregb...@mainframecrypto.com> > wrote: > > > ICSF is only required if you want to use the ICSF APIs, so it depends on > > what, if anything in your shop might be using the APIs. System SSL (TLS) > > will certainly leverage the APIs if you have Crypto Express cards > available > > and that might provide some CPU relief. The Guardium Database Encryption > > Tool requires it if you want to encrypt IMS segments or DB2 tables at the > > row level. > > > > Pervasive is getting a lot of attention and if you're going that route, I > > would highly recommend that ICSF be active everywhere. You don't want > one > > system writing ciphertext to a file and another system thinking that the > > file is cleartext. IBM is also recommending that ICSF be 'always up'. > > They have made a number of changes to the component so that it will come > up > > earlier in the IPL and it should be one of the last tasks running. > > > > Given the growth in crypto workload, I take 'always up' to also mean > > 'running everywhere'. There are simply more things that can leverage > ICSF, > > some optionally and some require it. > > > > I'm not sure why DFSMShsm would need ICSF active, unless they were using > > the Encryption Facility for z/OS with the DFSMSdss feature. > > > > Greg Boyd > > Mainframe Crypto > > www.mainframecrypto.com > > > > > > > > On Fri, 18 Jan 2019 18:16:37 +0000, Mary Kay Tubello < > mtube...@humana.com> > > wrote: > > > > >Hello all, > > > > > >Does anyone know if z/os 2.3 requires ICSF to be installed on each LPAR? > > > > > >Thanks, > > >Mary Kay > > > > > >Large Systems Engineering > > >IT Infrastructure > > >Humana > > >123 E. Main St. 40202 (CT6) > > >502-476-2772 > > >mtube...@humana.com<mailto:mtube...@humana.com> > > > > > > > > > > > > > > >---------------------------------------------------------------------- > > >For IBM-MAIN subscribe / signoff / archive access instructions, > > >send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > > > ---------------------------------------------------------------------- > > For IBM-MAIN subscribe / signoff / archive access instructions, > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
