ICSF Keyword—Place Private Key in ICSF

Keywords › ICSF Keyword—Place Private Key in ICSF

ICSF Keyword—Place Private Key in ICSF

Valid on z/OS.

Use the ICSF keyword to indicate that the generated private key is placed in ICSF. If the DSN parameter was also specified and an existing certificate is replaced, the certificate is also placed in ICSF. ICSF must be active and configured for PKA operations.

When specifying the ICSF parameter, the KEYSIZE parameter can be as high as 1024.

Consider the following:

ICSF specified with ADD is ignored if no private key is involved
If ICSF, PCICC, or LABLPKDS is not specified with ADD the key is stored in the security file as a non-ICSF key
If ICSF is specified with ADD, but ICSF is not configured for PKA operations, the key is stored in the security file as a non‑ICSF key
If the key is stored in ICSF, the security file stores a label (which refers to the key)
ICSF is only valid to create only RSA keys with a length of up to 1024 bytes
If the certificate's private key resides in an ICSF storage facility and the format of PKCS12DER or PKCS12B64 is specified in the TSS EXPORT command, the command is rejected

This keyword has the following format:

TSS GENCERT(acid) DIGICERT(8—byte name)
                  ICSF

TSS REKEY(acid) DIGICERT(8‑byte name)
                DCDSN(dsname)
                ICSF

This keyword is used with:

The commands ADDTO, GENCERT, and REKEY and RENEW
The ACID types User, DCA, VCA, ZCA, LSCA, and SCA
ACID(MAINTAIN) authority for users
MISC4(CERTUSER) authority for user ACIDs
MISC4(CERTSITE) authority for CERTSITE ACIDs
MISC4(CERTAUTH) authority for CERTAUTH ACIDs

Examples: ICSF keyword

This example indicates that the digital certificate is stored in an ICSF facility:

TSS ADDTO(USERA) DIGICERT(USERACER)
                 DCDSN(USERA.CERT01)
                 ICSF

This example removes the entry in the ICSF storage facility by removing the DIGICERT from the acid:

TSS REMOVE(USERA) DIGICERT(USERACER)