Integrated Cryptographic Services Facilities Subsystems (ICSF) Attributes

One row emitted per cryptographic agent to display subsystem and coprocessor status.

ICSF is a z/OS subsystem that provides cryptographic services to system functions and application servers. It provides publicly-documented service call exits that you may use. You can specify exits for each callable cryptographic service and other administrative function of ICSF. The table below shows the entry points.

Note: If you need to define your own exits, use the ICSF security exits as alternatives to the two service call exits, CSFEXIT3 and CSFEXIT4. If the monitoring agent discovers a user-defined exit that conflicts with an IBM performance-monitoring exit, it replaces the user-defined exit, issues a warning message, and proceeds with data collection.

Cryptographic Service or Function          Entry Point
-----------------------------------------  -----------
ANSI X9.17 EDC Generate                    CSFAEGN
ANSI X9.17 Key Export                      CSFAKEX
ANSI X9.17 Key Import                      CSFAKIM
ANSI X9.17 Key Translate                   CSFAKTR
ANSI X9.17 Transport Key Partial Notarize  CSFATKN
Clear Key Import                           CSFCKI
Clear PIN Encrypt                          CSFCPE
Clear PIN Generate                         CSFPGN
Clear PIN Generate Alternate               CSFCPA
Cipher/Decipher                            CSFEDC
Ciphertext Translate                       CSFCTT
Ciphertext Translate (with ALET)           CSFCTT1
Control Vector Translate                   CSFCVT
Cryptographic Variable Encipher            CSFCVE
Data Key Export                            CSFDKX
Data Key Import                            CSFDKM
Decipher                                   CSFDEC
Decipher (with ALET)                       CSFDEC1
Decode                                     CSFDCO
Digital Signature Generate                 CSFDSG
Digital Signature Verify                   CSFDSV
Diversified Key Generate                   CSFDKG
Encipher under Master Key                  CSFEMK
Encipher                                   CSFENC
Encipher (with ALET)                       CSFENC1
Encode                                     CSFECO
Encrypted PIN Generate                     CSFEPG
Encrypted PIN Translate                    CSFPTR
Encrypted PIN Verify                       CSFPVR
Generate a key                             CSFGKC
Import a key                               CSFRTC
Key Export                                 CSFKEX
Key Generate                               CSFKGN
Key Import                                 CSFKIM
Key Part Import                            CSFKPI
Key Record Create                          CSFKRC
Key Record Delete                          CSFKRD
Key Record Read                            CSFKRR
Key Record Write                           CSFKRW
Key Test                                   CSFKYT
Key Test Extended                          CSFKYTX
Key Translate                              CSFKTR
MAC Generate                               CSFMGN
MAC Generate (with ALET)                   CSFMGN1
MAC Verify                                 CSFMVR
MAC Verify (with ALET)                     CSFMVR1
MDC Generate                               CSFMDG
MDC Generate (with ALET)                   CSFMDG1
Multiple Clear Key Import                  CSFCKM
Multiple Secure Key Import                 CSFSKM
One Way Hash Generate                      CSFOWH
One Way Hash Generate (with ALET)          CSFOWH1
PCI Interface                              CSFPCI
PKA Decrypt                                CSFPKD
PKA Encrypt                                CSFPKE
PKA Key Generate                           CSFPKG
PKA Key Import                             CSFPKI
PKA Public Key Extract                     CSFPKX
PKDS Record Create                         CSFPKRC
PKDS Record Delete                         CSFPKRD
PKDS Record Read                           CSFPKRR
PKDS Record Write                          CSFPKRW
PKSC Interface                             CSFPKSC
Prohibit Export                            CSFPEX
Prohibit Export Extended                   CSFPEXX
Random Number Generate                     CSFRNG
Retained Key Delete                        CSFRKD
Retained Key List                          CSFRKL
Secure Key Import                          CSFSKI
SET Block Compose                          CSFSBC
SET Block Decompose                        CSFSBD
Symmetric Key Export                       CSFSYX
Symmetric Key Generate                     CSFSYG
Symmetric Key Import                       CSFSYI
Transform CDMF Key                         CSFTCK
User Derived Key                           CSFUDK
VISA CVV Service Generate                  CSFCSG
VISA CVV Service Verify                    CSFCSV


1_CC Cryptographic Coprocessor Available Indicates whether at least one cryptographic coprocessor is available. The values are: Yes, No, or Unknown.

1_CMOS Indicates whether at least one CMOS cryptographic coprocessor is available. The values are: Yes, No, or Unknown.

1_PCI Indicates whether at least one PCI coprocessor is available. The values are: Yes, No, or Unknown.

ASID The address space ID of the ICSF subsystem.

AvgWait The average internal wait time in seconds per sample.

CCC A cryptographic configuration control bit hexadecimal string.

CCMKeyOK Indicates whether a valid master key has been loaded into a coprocessor. The values are: Yes, No, or Unknown.

CDMF Indicates whether Commercial Data Masking Facility is enabled. The values are: Enabled, Disabled, or Unknown.

CICSWAITL Indicates the address of the CICS wait list represented as a hexadecimal string. A value of 0 indicates the wait list is not configured.

CKDS_80Full Indicates 80% or more utilization of the Cryptographic Key Dataset space. The values are: Yes, No, or Unknown.

CKDSAccess Indicates whether dynamic Cryptographic Key Dataset access is enabled. The values are: Enabled, Disabled, or Unknown.

CKDSname The Cryptographic Key Dataset name.

CryptoSvcs Indicates the status of the cryptographic services. The values are: Active or Inactive.

DES Indicates whether DES is enabled. The values are: Enabled, Disabled, or Unknown.

DomainIdx The Domain Index used to access coprocessors from an LPAR. An LPAR is a Logical Partition in a PR/SM environment. See PR/SM for more information.

KMMK_CMOS0 Indicates the state of the Public Key Algorithm, Key Management Master Key in CMOS coprocessor C0. The values are: Valid, Reset, or Unknown.

KMMK_CMOS1 Indicates the state of the Public Key Algorithm, Key Management Master Key in CMOS coprocessor C1. The values are: Valid, Reset, or Unknown.

KMMKey The Public Key Algorithm Key Management Master Key hash pattern.

MKey The Master Key verification pattern and authentication pattern.

MKVer The current Master Key version.

MonStatus Indicates the internal monitor state. The values are: Enabled, Disabled, or Unknown.

Note: You can correct the Overrun condition by recycling the ICSF subsystem.

ORIGINNODE The z/OS operating system in your enterprise, monitored by a Tivoli OMEGAMON XE for z/OS agent, from which the data is derived.

PCIStatus Indicates the status of PCI coprocessors. The values are: Active, Online, Present, or None.

PKACall Indicates whether Public Key Algorithm callable services are enabled. The values are: Enabled, Disabled, or Unknown.

PKAMKeys Indicates whether the Public Key Algorithm Master Keys are valid. The values are: Valid, Invalid, or Unknown.

PKDSname The Public Key Dataset name.

PKDSRead Indicates whether Public Key Dataset read access is enabled. The values are: Enabled, Disabled, or Unknown.

PKDSWrite Indicates whether Public Key Dataset write access is enabled. The values are: Enabled, Disabled, or Unknown.

PRSM Indicates whether the coprocessors are operating in a PR/SM configuration. The values are: Yes, No, or Unknown. PR/SM stands for Processor Resource/System Manager and is a function that allows the processor unit to operate several system control programs simultaneously in LPAR mode.

SCEDisabled The number of service call exits disabled due to a KCGSEXIT ABEND. If this value is 0, all collector exits are operational.

SMFID The z/OS system associated with the ICSF subsystem executing.

SMK_CMOS0 Indicates the state of the Public Key Algorithm, Signature Master Key in CMOS coprocessor C0. The values are: Valid, Reset, or Unknown.

SMK_CMOS1 Indicates the state of the Public Key Algorithm, Signature Master Key in CMOS coprocessor C1. The values are: Valid, Reset, or Unknown.

SMKey The Public Key Authentication Signature Master Key hash pattern.

SSMODE Indicates whether Special Secure Mode is enabled. The values are: Enabled, Disabled, or Unknown.

Status Indicates the status of the ICSF subsystem. The values are: Active, Inactive, Not_Found, Initializing, or Terminating.

Version The ICSF subsystem version and release level.

WLDSname The CICS wait list dataset name.