One row emitted per cryptographic agent to display subsystem and coprocessor status.
ICSF is a z/OS subsystem that provides cryptographic services to system functions and application servers. It provides publicly-documented service call exits that you may use. You can specify exits for each callable cryptographic service and other administrative function of ICSF. The table below shows the entry points.
Note: If you need to define your own exits, use the ICSF security exits as alternatives to the two service call exits, CSFEXIT3 and CSFEXIT4. If the monitoring agent discovers a user-defined exit that conflicts with an IBM performance-monitoring exit, it replaces the user-defined exit, issues a warning message, and proceeds with data collection.
Cryptographic Service or Function |
Entry Point |
ANSI X9.17 EDC Generate |
CSFAEGN |
ANSI X9.17 Key Export |
CSFAKEX |
ANSI X9.17 Key Import |
CSFAKIM |
ANSI X9.17 Key Translate |
CSFAKTR |
ANSI X9.17 Transport Key Partial Notarize |
CSFATKN |
Clear Key Import |
CSFCKI |
Clear PIN Encrypt |
CSFCPE |
Clear PIN Generate |
CSFPGN |
Clear PIN Generate Alternate |
CSFCPA |
Cipher/Decipher |
CSFEDC |
Ciphertext Translate |
CSFCTT |
Ciphertext Translate (with ALET) |
CSFCTT1 |
Control Vector Translate |
CSFCVT |
Cryptographic Variable Encipher |
CSFCVE |
Data Key Export |
CSFDKX |
Data Key Import |
CSFDKM |
Decipher |
CSFDEC |
Decipher (with ALET) |
CSFDEC1 |
Decode |
CSFDCO |
Digital Signature Generate |
CSFDSG |
Digital Signature Verify |
CSFDSV |
Diversified Key Generate |
CSFDKG |
Encipher under Master Key |
CSFEMK |
Encipher |
CSFENC |
Encipher (with ALET) |
CSFENC1 |
Encode |
CSFECO |
Encrypted PIN Generate |
CSFEPG |
Encrypted PIN Translate |
CSFPTR |
Encrypted PIN Verify |
CSFPVR |
Generate a key |
CSFGKC |
Import a key |
CSFRTC |
Key Export |
CSFKEX |
Key Generate |
CSFKGN |
Key Import |
CSFKIM |
Key Part Import |
CSFKPI |
Key Record Create |
CSFKRC |
Key Record Delete |
CSFKRD |
Key Record Read |
CSFKRR |
Key Record Write |
CSFKRW |
Key Test |
CSFKYT |
Key Test Extended |
CSFKYTX |
Key Translate |
CSFKTR |
MAC Generate |
CSFMGN |
MAC Generate (with ALET) |
CSFMGN1 |
MAC Verify |
CSFMVR |
MAC Verify (with ALET) |
CSFMVR1 |
MDC Generate |
CSFMDG |
MDC Generate (with ALET) |
CSFMDG1 |
Multiple Clear Key Import |
CSFCKM |
Multiple Secure Key Import |
CSFSKM |
One Way Hash Generate |
CSFOWH |
One Way Hash Generate (with ALET) |
CSFOWH1 |
PCI Interface |
CSFPCI |
PKA Decrypt |
CSFPKD |
PKA Encrypt |
CSFPKE |
PKA Key Generate |
CSFPKG |
PKA Key Import |
CSFPKI |
PKA Public Key Extract |
CSFPKX |
PKDS Record Create |
CSFPKRC |
PKDS Record Delete |
CSFPKRD |
PKDS Record Read |
CSFPKRR |
PKDS Record Write |
CSFPKRW |
PKSC Interface |
CSFPKSC |
Prohibit Export |
CSFPEX |
Prohibit Export Extended |
CSFPEXX |
Random Number Generate |
CSFRNG |
Retained Key Delete |
CSFRKD |
Retained Key List |
CSFRKL |
Secure Key Import |
CSFSKI |
SET Block Compose |
CSFSBC |
SET Block Decompose |
CSFSBD |
Symmetric Key Export |
CSFSYX |
Symmetric Key Generate |
CSFSYG |
Symmetric Key Import |
CSFSYI |
Transform CDMF Key |
CSFTCK |
User Derived Key |
CSFUDK |
VISA CVV Service Generate |
CSFCSG |
VISA CVV Service Verify |
CSFCSV |
1_CC Cryptographic Coprocessor Available Indicates whether at least one cryptographic coprocessor is available. The values are: Yes, No, or Unknown.
1_CMOS Indicates whether at least one CMOS cryptographic coprocessor is available. The values are: The values are: Yes, No, or Unknown.
1_PCI Indicates whether at least one PCI coprocessor is available. The values are: The values are: Yes, No, or Unknown.
ASID The address space ID of the ICSF subsystem.
AvgWait The average internal wait time in seconds per sample.
CCC A cryptographic configuration control bit hexadecimal string.
CCMKeyOK Indicates whether a valid master key has been loaded into a coprocessor. The values are: The values are: Yes, No, or Unknown.
CDMF Indicates whether Commercial Data Masking Facility is enabled. The values are: Enabled, Disabled, or Unknown.
CICSWAITL Indicates the address of the CICS wait list represented as a hexadecimal string. A value of 0 indicates the wait list is not configured.
CKDS_80Full Indicates 80% or more utilization of the Cryptographic Key Dataset space. The values are: Yes, No, or Unknown.
CKDSAccess Indicates whether dynamic Cryptographic Key Dataset access is enabled. The values are: Enabled, Disabled, or Unknown.
CKDSname The Cryptographic Key Dataset name.
CryptoSvcs Indicates the status of the cryptographic services. The values are: Active or Inactive.
DES Indicates whether DES is enabled. The values are: Enabled, Disabled, or Unknown.
DomainIdx Is the Domain Index used to access coprocessors from an LPAR. An LPAR is a Logical Partition in a PR/SM environment. See PR/SM for more information.
KMMK_CMOS0 Indicates the state of the Public Key Algorithm, Key Management Master Key in CMOS coprocessor C0. The values are: Valid, Reset, and Unknown.
KMMK_CMOS1 Indicates the state of the Public Key Algorithm, Key Management Master Key in CMOS coprocessor C1. The values are: Valid, Reset, and Unknown.
KMMKey The Public Key Algorithm Key Management Master Key hash pattern.
MKey The Master Key verification pattern and authentication pattern.
MKVer The current Master Key version.
MonStatus Indicates the internal monitor state. The values are: Enabled or Disabled, or Unknown.
Note: You can correct the Overrun condition by recycling the ICSF subsystem.
ORIGINNODE The z/OS operating system in your enterprise monitored by a Tivoli OMEGAMON XE forz/OS agent from which the data is derived.
PCIStatus Indicates the status of PCI coprocessors. The values are: Active, Online, Present, or None.
PKACall Indicates whether Public Key Algorithm callable services are enabled. The values are: Enabled, Disabled, Unknown.
PKAMKeys Indicates whether the Public Key Algorithm Master Keys are valid. The values are: Valid, Invalid, Unknown..
PKDSname The Public Key Dataset name.
PKDSRead Indicates whether Public Key Dataset read access is enabled. The values are: Enabled, Disabled, or Unknown.
PKDSWrite Indicates whether Public Key Dataset write access is enabled. The values are: Enabled, Disabled, or Unknown.
PRSM Indicates whether the coprocessors are operating in a PR/SM configuration. The values are: Yes, No, or Unknown. PR/SM stands for Processor Resource/System Manager and is a function that allows the processor unit to operate several system control programs simultaneously in LPAR mode.
SCEDisabled The number of service call exits disabled due to a KCGSEXIT ABEND. If this value is 0, all collector exits are operational.
SMFID The z/OS system associated with the ICSF subsystem executing.
SMK_CMOS0 Indicates the state of the Public Key Algorithm, Signature Master Key in CMOS coprocessor C0. The values are: Valid, Reset, or Unknown.
SMK_CMOS1 Indicates the state of the Public Key Algorithm, Signature Master Key in CMOS coprocessor C1. The values are: Valid, Reset, or Unknown.
SMKey Is the Public Key Authentication Signature Master Key hash pattern.
SSMODE Indicates whether Special Secure Mode is enabled. The values are: Enabled, Disabled, or Unknown.
Status Indicates the status of the ICSF subsystem. The values are: Active, Inactive, Not_Found, Initializing, or Terminating. .