Integrated Cryptographic Services Facilities Subsystems (ICSF) attributes

One row emitted per cryptographic agent to display subsystem and coprocessor status.

ICSF is a z/OS subsystem that provides cryptographic services to system functions and application servers. It provides publicly documented service call exits that you may use. You can specify exits for each callable cryptographic service and for the other administrative functions of ICSF. The table below shows the entry points.

Note: If you need to define your own exits, use the ICSF security exits as alternatives to the two service call exits, CSFEXIT3 and CSFEXIT4. If the monitoring agent discovers a user-defined exit that conflicts with an IBM performance-monitoring exit, it replaces the user-defined exit, issues a warning message, and proceeds with data collection.

| Cryptographic Service or Function | Entry Point |
|---|---|
| ANSI X9.17 EDC Generate | CSFAEGN |
| ANSI X9.17 Key Export | CSFAKEX |
| ANSI X9.17 Key Import | CSFAKIM |
| ANSI X9.17 Key Translate | CSFAKTR |
| ANSI X9.17 Transport Key Partial Notarize | CSFATKN |
| Clear Key Import | CSFCKI |
| Clear PIN Encrypt | CSFCPE |
| Clear PIN Generate | CSFPGN |
| Clear PIN Generate Alternate | CSFCPA |
| Cipher/Decipher | CSFEDC |
| Ciphertext Translate | CSFCTT |
| Ciphertext Translate (with ALET) | CSFCTT1 |
| Control Vector Translate | CSFCVT |
| Cryptographic Variable Encipher | CSFCVE |
| Data Key Export | CSFDKX |
| Data Key Import | CSFDKM |
| Decipher | CSFDEC |
| Decipher (with ALET) | CSFDEC1 |
| Decode | CSFDCO |
| Digital Signature Generate | CSFDSG |
| Digital Signature Verify | CSFDSV |
| Diversified Key Generate | CSFDKG |
| Encipher under Master Key | CSFEMK |
| Encipher | CSFENC |
| Encipher (with ALET) | CSFENC1 |
| Encode | CSFECO |
| Encrypted PIN Generate | CSFEPG |
| Encrypted PIN Translate | CSFPTR |
| Encrypted PIN Verify | CSFPVR |
| Generate a key | CSFGKC |
| Import a key | CSFRTC |
| Key Export | CSFKEX |
| Key Generate | CSFKGN |
| Key Import | CSFKIM |
| Key Part Import | CSFKPI |
| Key Record Create | CSFKRC |
| Key Record Delete | CSFKRD |
| Key Record Read | CSFKRR |
| Key Record Write | CSFKRW |
| Key Test | CSFKYT |
| Key Test Extended | CSFKYTX |
| Key Translate | CSFKTR |
| MAC Generate | CSFMGN |
| MAC Generate (with ALET) | CSFMGN1 |
| MAC Verify | CSFMVR |
| MAC Verify (with ALET) | CSFMVR1 |
| MDC Generate | CSFMDG |
| MDC Generate (with ALET) | CSFMDG1 |
| Multiple Clear Key Import | CSFCKM |
| Multiple Secure Key Import | CSFSKM |
| One Way Hash Generate | CSFOWH |
| One Way Hash Generate (with ALET) | CSFOWH1 |
| PCI Interface | CSFPCI |
| PKA Decrypt | CSFPKD |
| PKA Encrypt | CSFPKE |
| PKA Key Generate | CSFPKG |
| PKA Key Import | CSFPKI |
| PKA Public Key Extract | CSFPKX |
| PKDS Record Create | CSFPKRC |
| PKDS Record Delete | CSFPKRD |
| PKDS Record Read | CSFPKRR |
| PKDS Record Write | CSFPKRW |
| PKSC Interface | CSFPKSC |
| Prohibit Export | CSFPEX |
| Prohibit Export Extended | CSFPEXX |
| Random Number Generate | CSFRNG |
| Retained Key Delete | CSFRKD |
| Retained Key List | CSFRKL |
| Secure Key Import | CSFSKI |
| SET Block Compose | CSFSBC |
| SET Block Decompose | CSFSBD |
| Symmetric Key Export | CSFSYX |
| Symmetric Key Generate | CSFSYG |
| Symmetric Key Import | CSFSYI |
| Transform CDMF Key | CSFTCK |
| User Derived Key | CSFUDK |
| VISA CVV Service Generate | CSFCSG |
| VISA CVV Service Verify | CSFCSV |

1_CC Cryptographic Coprocessor Available Indicates whether at least one cryptographic coprocessor is available. The values are Yes, No, or Unknown.

1_CMOS Indicates whether at least one CMOS cryptographic coprocessor is available. The values are Yes, No, or Unknown.

1_PCI Indicates whether at least one PCI coprocessor is available. The values are Yes, No, or Unknown.

ASID The address space ID of the ICSF subsystem.

AvgWait The average internal wait time in seconds per sample.

CCC A cryptographic configuration control bit hexadecimal string.

CCMKeyOK Indicates whether a valid master key has been loaded into a coprocessor. The values are Yes, No, or Unknown.

CDMF Indicates whether Commercial Data Masking Facility is enabled. The values are Enabled, Disabled, or Unknown.

CICSWAITL Indicates the address of the CICS wait list represented as a hexadecimal string. A value of 0 indicates the wait list is not configured.

CKDS_80Full Indicates 80% or more utilization of the Cryptographic Key Dataset space. The values are Yes, No, or Unknown.

CKDSAccess Indicates whether dynamic Cryptographic Key Dataset access is enabled. The values are Enabled, Disabled, or Unknown.

CKDSname The name of the Cryptographic Key Data set.

CryptoSvcs Indicates the status of the cryptographic services. The possible values are Active or Inactive.

DES Indicates whether DES is enabled. The possible values are Enabled, Disabled, or Unknown.

DomainIdx The Domain Index used to access coprocessors from an LPAR. An LPAR is a Logical Partition in a PR/SM environment. See PR/SM for more information.

KMMK_CMOS0 Indicates the state of the Public Key Algorithm, Key Management Master Key in CMOS coprocessor C0. The values are Valid, Reset, or Unknown.

KMMK_CMOS1 Indicates the state of the Public Key Algorithm, Key Management Master Key in CMOS coprocessor C1. The values are Valid, Reset, or Unknown.

KMMKey The Public Key Algorithm Key Management Master Key hash pattern.

MKey The Master Key verification pattern and authentication pattern.

MKVer The current Master Key version.

MonStatus Indicates the internal monitor state. The values are Enabled, Disabled, or Unknown.

Note: You can correct the Overrun condition by recycling the ICSF subsystem.

ORIGINNODE The z/OS operating system in your enterprise monitored by an OMEGAMON XE on z/OS agent from which the data is derived.

PCIStatus Indicates the status of PCI coprocessors. The possible values are Active, Online, Present, or None.

PKACall Indicates whether Public Key Algorithm callable services are enabled. The possible values are Enabled, Disabled, or Unknown.

PKAMKeys Indicates whether the Public Key Algorithm Master Keys are valid. The possible values are Valid, Invalid, or Unknown.

PKDSname The Public Key Dataset name.

PKDSRead Indicates whether Public Key Dataset read access is enabled. The possible values are Enabled, Disabled, or Unknown.

PKDSWrite Indicates whether Public Key Dataset write access is enabled. The possible values are Enabled, Disabled, or Unknown.

PRSM Indicates whether the coprocessors are operating in a PR/SM configuration. The values are Yes, No, or Unknown. PR/SM stands for Processor Resource/System Manager and is a function that allows the processor unit to operate several system control programs simultaneously in LPAR mode.

SCEDisabled The number of service call exits disabled due to a KCGSEXIT ABEND. If this value is 0, all collector exits are operational.

SMFID The z/OS system associated with the ICSF subsystem executing.

SMK_CMOS0 Indicates the state of the Public Key Algorithm, Signature Master Key in CMOS coprocessor C0. The possible values are Valid, Reset, or Unknown.

SMK_CMOS1 Indicates the state of the Public Key Algorithm, Signature Master Key in CMOS coprocessor C1. The possible values are Valid, Reset, or Unknown.

SMKey The Public Key Authentication Signature Master Key hash pattern.

SSMODE Indicates whether Special Secure Mode is enabled. The values are Enabled, Disabled, or Unknown.

Status Indicates the status of the ICSF subsystem. The possible values are Active, Inactive, Not_Found, Initializing, or Terminating.

Version The ICSF subsystem version and release level.

WLDSname The CICS wait list dataset name.