======================= REXXIQA =================================================
/* REXX REXX REXX REXX REXX REXX REXX REXX REXX REXX REXX REXX REXX */
/*------------------------------------------------------------------*/
/* */
/* CSFIQA - retrieve ICSF algorithms */
/* */
/*------------------------------------------------------------------*/
/* For each algorithm the service reports the algorithm name, the   */
/* algorithm size, whether clear or secure keys are supported, and  */
/* the method ICSF will use to satisfy a request: CPU instructions, */
/* a cryptographic accelerator, a cryptographic coprocessor, or     */
/* software.                                                        */
/*------------------------------------------------------------------*/
/* */
/* */
/* Tracing off. Set test to 'Y' to get the raw reply dumped later.  */
trace off
test = 'N'
/* Four blank lines to separate this report from earlier output.    */
do 4
  say ' '
end
/* Banner: system name plus the time and date of this snapshot.     */
banner = MVSVAR('SYSNAME') 'AT' TIME() 'ON' DATE()
say banner || ' ---- ICSF Algorithms'
say ' '
/* 4-byte binary constants. erc and ers are the values the return   */
/* and reason codes are compared against after the call; ers_4 is   */
/* defined but not referenced in the visible script.                */
erc   = '00000000'x
ers   = '00000000'x
ers_4 = '00000004'x
/*------------------------------------------------------------------*/
/* Build the parameter list and call the ICSF CSFIQA service.       */
/* ADDRESS LINKPGM is given variable NAMES, so the service reads    */
/* and updates these variables directly.                            */
/*------------------------------------------------------------------*/
/* Return and reason code start as X'FFFFFFFF', presumably so that  */
/* a value the service never touched cannot be read as success.     */
iqa_rc = 'FFFFFFFF'x
iqa_rs = 'FFFFFFFF'x
/* No installation exit data and no rule-array keywords are passed. */
exit_data_length = '00000000'x
exit_data        = ''
rule_array_count = '00000000'x
rule_array       = ' '
/* 2048-byte reply buffer, zero-filled; ret_data_len is the same    */
/* size as a 4-byte binary value (X'800' = 2048).                   */
ret_data     = COPIES('00'x,2048)
ret_data_len = '00000800'x
/* Reserved-data area, passed with a length of zero.                */
res_data     = COPIES('00'x,256)
res_data_len = '00000000'x
address linkpgm 'CSFIQA iqa_rc iqa_rs exit_data_length exit_data' ,
                'rule_array_count rule_array ret_data_len ret_data' ,
                'res_data_len res_data'
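/* Optional debug heading (only when test has been set to 'Y').     */
if test = 'Y' then do
  say ''
  say 'Following is from CSFIQA '
end
/* Anything other than return code 0 / reason code 0 is treated as  */
/* a failure. The exec now ends with a nonzero code in that case so */
/* a batch job or calling exec cannot mistake a failed query for a  */
/* clean report.                                                    */
/* NOTE(review): a failure here can also mean the caller is not     */
/* permitted to use the service (presumably governed by CSFSERV     */
/* profiles - confirm for this installation).                       */
if (iqa_rc ^= erc | iqa_rs ^= ers) then do
  say 'IQA interface failed, rc =' C2X(iqa_rc) ,
      'rs =' C2X(iqa_rs)
  say ' '
  exit 8
end
else do
  if test = 'Y' then do
    say ''
    say 'IQA ok, RC=' C2X(iqa_rc) ,
        'RS =' C2X(iqa_rs)
    say ' '
    say 'Len ' C2X(ret_data_len)
    say 'Data' ret_data
  end
  /* The script treats ret_data_len as the number of bytes returned */
  /* and each entry as 32 bytes: four consecutive 8-byte fields.    */
  len = X2D(C2X(ret_data_len))
  /* Integer division: a partial trailing entry is not counted.     */
  num = len % 32
  say 'Algorithm Max Security Implementation'
  say '--------- -------- -------- --------------'
  /* Entries are numbered 0 .. num-1. The original loop ran to num  */
  /* and so printed one extra row taken from beyond the returned    */
  /* data.                                                          */
  do i = 0 to num - 1
    start = (i * 32) + 1
    alg = SUBSTR(ret_data,start,8)
    max = SUBSTR(ret_data,start+8,8)
    sec = SUBSTR(ret_data,start+16,8)
    imp = SUBSTR(ret_data,start+24,8)
    say alg||' '||max||' '||sec||' '||imp
  end
end   /* closes the success branch, which was left open before      */
exit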
======================= REXXIQF =======================================================================
/* REXX REXX REXX REXX REXX REXX REXX REXX REXX REXX REXX REXX REXX */
/*------------------------------------------------------------------*/
/* */
/* CSFIQF - retrieve ICSF and Coprocessor status */
/* */
/*------------------------------------------------------------------*/
/* Tracing off. test and tst2 are the two debug switches: set       */
/* either to 'Y' to get the raw replies dumped later.               */
trace off
test = 'N'
tst2 = 'N'
/* Four blank lines to separate this report from earlier output.    */
do 4
  say ' '
end
/* Banner: system name plus the time and date of this snapshot.     */
banner = MVSVAR('SYSNAME') 'AT' TIME() 'ON' DATE()
say banner || ' ---- ICSF Details'
say ' '
/* 4-byte binary constants. erc and ers are the values the return   */
/* and reason codes are compared against after each call; ers_4 is  */
/* defined but not referenced in the visible script.                */
erc   = '00000000'x
ers   = '00000000'x
ers_4 = '00000004'x
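/*------------------------------------------------------------------*/
/* Build the parameter list and call the ICSF CSFIQF service with   */
/* the ICSFSTAT keyword. ADDRESS LINKPGM is given variable NAMES,   */
/* so the service reads and updates these variables directly.       */
/*------------------------------------------------------------------*/
/* Return and reason code start as X'FFFFFFFF', presumably so that  */
/* a value the service never touched cannot be read as success.     */
iqf_rc = 'FFFFFFFF'x ;
iqf_rs = 'FFFFFFFF'x ;
exit_data_length = '00000000'x ;
exit_data = '' ;
/* Two rule-array keywords are passed. Each keyword occupies eight  */
/* bytes, left-justified and blank-padded, so the array must be 16  */
/* bytes long for a count of 2. The previous literal was only 12    */
/* bytes, which shifts the second keyword and leaves the service    */
/* reading past the end of the variable. LEFT() builds the padding  */
/* explicitly so it survives editors that collapse blanks.          */
rule_array_count = '00000002'x ;
rule_array = LEFT('ANY',8) || LEFT('ICSFSTAT',8) ;
/* 256-byte reply buffer, zero-filled; ret_data_len is the same     */
/* size as a 4-byte binary value (X'100' = 256).                    */
ret_data_len = '00000100'x ;
ret_data = COPIES('00'x,256) ;
/* Reserved-data area, passed with a length of zero.                */
res_data_len = '00000000'x ;
res_data = COPIES('00'x,256) ;
address linkpgm 'CSFIQF' ,
                'iqf_rc' ,
                'iqf_rs' ,
                'exit_data_length' ,
                'exit_data' ,
                'rule_array_count' ,
                'rule_array' ,
                'ret_data_len' ,
                'ret_data' ,
                'res_data_len' ,
                'res_data' ;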
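/* Optional debug heading (only when test has been set to 'Y').     */
if test = 'Y' then do
  say ''
  say 'Following is from CSFIQF with ICSFSTAT'
end
/* Anything other than return code 0 / reason code 0 is treated as  */
/* a failure. The exec now ends with a nonzero code in that case so */
/* a batch job or calling exec cannot mistake a failed query for a  */
/* clean report.                                                    */
if (iqf_rc ^= erc | iqf_rs ^= ers) then do
  say 'IQF interface failed, rc =' C2X(iqf_rc) ,
      'rs =' C2X(iqf_rs)
  say ' '
  exit 8
end
else do
  if test = 'Y' then do
    say ''
    say 'IQF ok, RC=' C2X(iqf_rc) ,
        'RS =' C2X(iqf_rs)
    say ' '
    say 'Len ' C2X(ret_data_len)
    say 'Data' ret_data
  end
  /* Cut the reply into consecutive 8-byte fields by column; res2   */
  /* receives everything from column 89 onward.                     */
  parse value ret_data with 1 fmid ,
                            9 stat1 ,
                            17 stat2 ,
                            25 cpacf ,
                            33 aes ,
                            41 dsa ,
                            49 rsasig ,
                            57 rsakm ,
                            65 rsakg ,
                            73 accel ,
                            81 res1 ,
                            89 res2
  say 'FMID =' fmid
  /* Each field below is decoded the same way: the stripped field   */
  /* value is used as the tail of a lookup stem. SYMBOL() returns   */
  /* VAR only when that table entry exists; any other value is      */
  /* printed raw as an unknown value rather than being guessed at.  */
  /* Overall ICSF state. */
  status1.0 = 'ICSF is STARTED'
  status1.1 = 'ICSF is INITIALIZED'
  status1.2 = 'ICSF has a valid SYM-MK'
  status1.3 = 'ICSF has a SYM-MK & PKA Callable services'
  stat1 = STRIP(stat1)
  if SYMBOL('status1.stat1') = 'VAR' then stat1 = status1.stat1
  else stat1 = 'UNKNOWN VALUE' stat1
  say 'ICSF status 1 =' stat1
  /* 64-bit caller support. */
  status2.0 = '64-bit callers not supported'
  status2.1 = '64-bit callers supported'
  status2.2 = '64-bit callers supported (TKDS specified)'
  stat2 = STRIP(stat2)
  if SYMBOL('status2.stat2') = 'VAR' then stat2 = status2.stat2
  else stat2 = 'unknown value' stat2
  say 'ICSF status 2 =' stat2
  /* CPACF capability level. The stem cpacf. and the simple         */
  /* variable cpacf are separate names in REXX.                     */
  cpacf.0 = 'Not available'
  cpacf.1 = 'SHA-1 only'
  cpacf.2 = 'DES/TDES enabled'
  cpacf.3 = 'SHA-224, SHA-256 enabled'
  cpacf.4 = 'SHA-224, SHA-256, and DES/TDES enabled'
  cpacf.5 = 'SHA-384, SHA-512 enabled'
  cpacf.6 = 'SHA-384, SHA-512, and DES/TDES enabled'
  cpacf.7 = 'Encrypted CPACF functions available'
  cpacf.8 = 'OFB, CFB, and GCM CPACF functions are available'
  cpacf.9 = 'DRNG is available'
  cpacf.10 = 'TRNG, SHA-3, and SHAKE functions are available'
  cpacf = STRIP(cpacf)
  if SYMBOL('cpacf.cpacf') = 'VAR' then cpacf = cpacf.cpacf
  else cpacf = 'unknown value' cpacf
  say 'CPACF =' cpacf
  /* AES availability. */
  aes.0 = 'Not available'
  aes.1 = 'Software only'
  aes.2 = 'AES-128 available'
  aes.3 = 'AES-256 available'
  aes = STRIP(aes)
  if SYMBOL('aes.aes') = 'VAR' then aes = aes.aes
  else aes = 'unknown value' aes
  say 'AES =' aes
  /* DSA key sizes. */
  dsa.0 = 'Not available'
  dsa.1 = '1024 key available'
  dsa.2 = '2048 key available'
  dsa = STRIP(dsa)
  if SYMBOL('dsa.dsa') = 'VAR' then dsa = dsa.dsa
  else dsa = 'unknown value' dsa
  say 'DSA =' dsa
  /* RSA signature key sizes. */
  rsasig.0 = 'Not available'
  rsasig.1 = '1024 Key available'
  rsasig.2 = '2048 Key available'
  rsasig.3 = '4096 Key available'
  rsasig = STRIP(rsasig)
  if SYMBOL('rsasig.rsasig') = 'VAR' then rsasig = rsasig.rsasig
  else rsasig = 'unknown value' rsasig
  say 'RSA signature =' rsasig
  /* RSA key-management key sizes. */
  rsakm.0 = 'Not available'
  rsakm.1 = '1024 Key available'
  rsakm.2 = '2048 Key available'
  rsakm.3 = '4096 Key available'
  rsakm = STRIP(rsakm)
  if SYMBOL('rsakm.rsakm') = 'VAR' then rsakm = rsakm.rsakm
  else rsakm = 'unknown value' rsakm
  say 'RSA key management =' rsakm
  /* RSA key-generation modulus sizes. */
  rsakg.0 = 'Not available'
  rsakg.1 = '2048 bit modulus available'
  rsakg.2 = '4096 bit modulus available'
  rsakg = STRIP(rsakg)
  if SYMBOL('rsakg.rsakg') = 'VAR' then rsakg = rsakg.rsakg
  else rsakg = 'unknown value' rsakg
  say 'RSA key generate =' rsakg
  /* Cryptographic accelerators. */
  accel.0 = 'Not available'
  accel.1 = 'At least one available for application use'
  accel = STRIP(accel)
  if SYMBOL('accel.accel') = 'VAR' then accel = accel.accel
  else accel = 'unknown value' accel
  say 'Accelerators =' accel
end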
/*------------------------------------------------------------------*/
/* Second CSFIQF call, this time with the single keyword ICSFST2.   */
/* Every parameter is reset first so nothing from the previous      */
/* call is carried over.                                            */
/*------------------------------------------------------------------*/
/* Return and reason code start as X'FFFFFFFF', presumably so that  */
/* a value the service never touched cannot be read as success.     */
iqf_rc = 'FFFFFFFF'x
iqf_rs = 'FFFFFFFF'x
exit_data_length = '00000000'x
exit_data        = ''
/* One 8-byte rule-array keyword. */
rule_array_count = '00000001'x
rule_array       = 'ICSFST2 '
/* Fresh 256-byte zero-filled reply buffer and its binary length.   */
ret_data     = COPIES('00'x,256)
ret_data_len = '00000100'x
/* Reserved-data area, passed with a length of zero.                */
res_data     = COPIES('00'x,256)
res_data_len = '00000000'x
address linkpgm 'CSFIQF iqf_rc iqf_rs exit_data_length exit_data' ,
                'rule_array_count rule_array ret_data_len ret_data' ,
                'res_data_len res_data'
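/* Optional debug heading (only when test has been set to 'Y').     */
if test = 'Y' then do
  say ''
  say 'Following is from CSFIQF with ICSFST2 '
end
/* Anything other than return code 0 / reason code 0 is treated as  */
/* a failure. The exec now ends with a nonzero code in that case so */
/* a batch job or calling exec cannot mistake a failed query for a  */
/* clean report.                                                    */
if (iqf_rc ^= erc | iqf_rs ^= ers) then do
  say ''
  say 'IQF interface failed, rc =' C2X(iqf_rc) ,
      'rs =' C2X(iqf_rs)
  say ''
  exit 8
end
else do
  /* Raw dump of the reply, controlled by the second switch tst2.   */
  if tst2 = 'Y' then do
    say ''
    say 'IQF ok, RC=' C2X(iqf_rc) ,
        'RS =' C2X(iqf_rs)
    say ''
    say 'Len ' C2X(ret_data_len)
    say 'Data' ret_data
  end
  /* Cut the reply into consecutive 8-byte fields by column; res1   */
  /* receives everything from column 89 onward.                     */
  parse value ret_data with 1 version ,
                            9 fmid ,
                            17 stat1 ,
                            25 stat2 ,
                            33 stat3 ,
                            41 stat4 ,
                            49 stat5 ,
                            57 stat6 ,
                            65 stat7 ,
                            73 stat8 ,
                            81 stat9 ,
                            89 res1
  if tst2 = 'Y' then do
    say ''
    say 'stat1:' stat1
    say 'stat2:' stat2
    say 'stat3:' stat3
    say 'stat4:' stat4
    say 'stat5:' stat5
    say 'stat6:' stat6
    say 'stat7:' stat7
    say 'stat8:' stat8
    say 'stat9:' stat9
  end
  /* The ICSFSTAT decode earlier in this exec filled status1. and   */
  /* status2. with entries up to .3 and .2. Without this DROP an    */
  /* unexpected value here would pick up one of those stale texts   */
  /* instead of being reported as unknown.                          */
  drop status1. status2.
  /* PKA callable services. */
  status1.0 = 'PKA callable services disabled'
  status1.1 = 'PKA callable services enabled'
  stat1 = STRIP(stat1)
  if SYMBOL('status1.stat1') = 'VAR' then stat1 = status1.stat1
  else stat1 = 'UNKNOWN VALUE' stat1
  say 'PKA status =' stat1
  /* PKCS #11 availability (the .0 text previously read PCKS). */
  status2.0 = 'PKCS #11 not available'
  status2.1 = 'PKCS #11 available'
  stat2 = STRIP(stat2)
  if SYMBOL('status2.stat2') = 'VAR' then stat2 = status2.stat2
  else stat2 = 'unknown value' stat2
  say 'PKCS #11 status =' stat2
  /* AES master key state. */
  status3.0 = 'ICSF started'
  status3.1 = 'ICSF initialized'
  status3.2 = 'AES master key valid'
  stat3 = STRIP(stat3)
  if SYMBOL('status3.stat3') = 'VAR' then stat3 = status3.stat3
  else stat3 = 'unknown value' stat3
  say 'AES-MK status =' stat3
  /* Secure (coprocessor-protected) AES availability. */
  status4.0 = 'Secure AES not available'
  status4.1 = 'Secure AES available'
  stat4 = STRIP(stat4)
  if SYMBOL('status4.stat4') = 'VAR' then stat4 = status4.stat4
  else stat4 = 'unknown value' stat4
  say 'Secure AES status =' stat4
  /* Status field 5 is read one character at a time: positions 1-7  */
  /* each describe one key store policy control.                    */
  /* A value with no entry below is now printed as an unknown value */
  /* instead of being skipped, so a policy setting this exec does   */
  /* not know cannot silently vanish from the report.               */
  /* NOTE(review): WARN mode is understood to report violations     */
  /* without rejecting the request - confirm against the ICSF       */
  /* documentation before treating a WARN line as enforcement.      */
  do i = 1 to 7
    substat5.i = SUBSTR(stat5,i,1)
  end
  /* Key store policy for CKDS */
  select
    when substat5.1 = 0 then
      say 'CKDS Key Token Auth =' 'Controls not enabled'
    when substat5.1 = 1 then do
      say 'CKDS Key Token Auth =' 'Controls enabled in FAIL mode'
      say ' ' 'Key store policy ACTIVE'
    end
    when substat5.1 = 2 then do
      say 'CKDS Key Token Auth =' 'Controls enabled in WARN mode'
      say ' ' 'Key store policy ACTIVE'
    end
    when substat5.1 = 3 then do
      say 'CKDS Key Token Auth =' 'Controls enabled in FAIL mode'
      say ' ' 'Key store policy ACTIVE'
      say ' ' 'Default key label checking enabled'
    end
    when substat5.1 = 4 then do
      say 'CKDS Key Token Auth =' 'Controls enabled in WARN mode'
      say ' ' 'Key store policy ACTIVE'
      say ' ' 'Default key label checking enabled'
    end
    otherwise
      say 'CKDS Key Token Auth =' 'unknown value' substat5.1
  end
  /* Duplicate key checking for CKDS */
  select
    when substat5.2 = 0 then
      say 'CKDS Dup Key Checks =' 'Controls not enabled'
    when substat5.2 = 1 then do
      say 'CKDS Dup Key Checks =' 'Controls enabled'
      say ' ' 'Key store policy ACTIVE'
    end
    otherwise
      say 'CKDS Dup Key Checks =' 'unknown value' substat5.2
  end
  /* Key store policy for PKDS */
  select
    when substat5.3 = 0 then
      say 'PKDS Key Token Auth =' 'Controls not enabled'
    when substat5.3 = 1 then do
      say 'PKDS Key Token Auth =' 'Controls enabled in FAIL mode'
      say ' ' 'Key store policy ACTIVE'
    end
    when substat5.3 = 2 then do
      say 'PKDS Key Token Auth =' 'Controls enabled in WARN mode'
      say ' ' 'Key store policy ACTIVE'
    end
    when substat5.3 = 3 then do
      say 'PKDS Key Token Auth =' 'Controls enabled in FAIL mode'
      say ' ' 'Key store policy ACTIVE'
      say ' ' 'Default key label checking enabled'
    end
    when substat5.3 = 4 then do
      say 'PKDS Key Token Auth =' 'Controls enabled in WARN mode'
      say ' ' 'Key store policy ACTIVE'
      say ' ' 'Default key label checking enabled'
    end
    otherwise
      say 'PKDS Key Token Auth =' 'unknown value' substat5.3
  end
  /* Duplicate key checking for PKDS */
  select
    when substat5.4 = 0 then
      say 'PKDS Dup Key Checks =' 'Controls not enabled'
    when substat5.4 = 1 then do
      say 'PKDS Dup Key Checks =' 'Controls enabled'
      say ' ' 'Key store policy ACTIVE'
    end
    otherwise
      say 'PKDS Dup Key Checks =' 'unknown value' substat5.4
  end
  /* Granular Key label access controls */
  /* NOTE(review): values 1 and 2 print the same FAIL-mode text.    */
  /* Every other control here separates FAIL from WARN, so one of   */
  /* the two is presumably WARN mode. The texts are left as they    */
  /* were; confirm the mapping in the ICSF documentation before     */
  /* relying on this line.                                          */
  select
    when substat5.5 = 0 then
      say 'Granular Key Checks =' 'Controls not enabled'
    when substat5.5 = 1 then
      say 'Granular Key Checks =' 'Controls enabled in FAIL mode'
    when substat5.5 = 2 then
      say 'Granular Key Checks =' 'Controls enabled in FAIL mode'
    otherwise
      say 'Granular Key Checks =' 'unknown value' substat5.5
  end
  /* Symmetric label export controls */
  select
    when substat5.6 = 0 then
      say 'Symmetric Export =' 'Controls not enabled'
    when substat5.6 = 1 then
      say 'Symmetric Export =' 'Controls enabled for DES keys'
    when substat5.6 = 2 then
      say 'Symmetric Export =' 'Controls enabled for AES keys'
    when substat5.6 = 3 then
      say 'Symmetric Export =' 'Controls enabled for DES and AES keys'
    otherwise
      say 'Symmetric Export =' 'unknown value' substat5.6
  end
  /* PKA key management extensions and their trusted repository     */
  /* (this comment previously repeated the symmetric-export one).   */
  select
    when substat5.7 = 0 then
      say 'PKA Mgmt Extensions =' 'Controls not enabled'
    when substat5.7 = 1 then do
      say 'PKA Mgmt Extensions =' 'Controls enabled in FAIL mode'
      say ' ' 'Trusted repository is a SAF keyring'
    end
    when substat5.7 = 2 then do
      say 'PKA Mgmt Extensions =' 'Controls enabled in FAIL mode'
      say ' ' 'Trusted repository is a PKCS #11 token'
    end
    when substat5.7 = 3 then do
      say 'PKA Mgmt Extensions =' 'Controls enabled in WARN mode'
      say ' ' 'Trusted repository is a SAF keyring'
    end
    when substat5.7 = 4 then do
      say 'PKA Mgmt Extensions =' 'Controls enabled in WARN mode'
      say ' ' 'Trusted repository is a PKCS #11 token'
    end
    otherwise
      say 'PKA Mgmt Extensions =' 'unknown value' substat5.7
  end
end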
/* Status fields 6 to 9 from the ICSFST2 reply. Each one is decoded */
/* by using the stripped field value as the tail of a lookup stem;  */
/* a value with no table entry is printed raw as an unknown value.  */
/* ECC master key state. */
status6.0 = 'ICSF started'
status6.1 = 'ICSF initialized'
status6.2 = 'ECC master key valid, internal keys supported'
status6.3 = 'ECC master key valid, external keys also supported'
code = STRIP(stat6)
if SYMBOL('status6.code') = 'VAR' then stat6 = status6.code
else stat6 = 'unknown value' code
say 'ECC-MK status =' stat6
/* RSA master key state. */
status7.0 = 'ICSF started'
status7.1 = 'ICSF initialized'
status7.2 = 'RSA master key valid'
code = STRIP(stat7)
if SYMBOL('status7.code') = 'VAR' then stat7 = status7.code
else stat7 = 'unknown value' code
say 'RSA-MK status =' stat7
/* DES master key state. */
status8.0 = 'ICSF started'
status8.1 = 'ICSF initialized'
status8.2 = 'DES master key valid'
code = STRIP(stat8)
if SYMBOL('status8.code') = 'VAR' then stat8 = status8.code
else stat8 = 'unknown value' code
say 'DES-MK status =' stat8
/* PKA callable services switch. */
status9.0 = 'PKA callable services disabled'
status9.1 = 'PKA callable services enabled'
code = STRIP(stat9)
if SYMBOL('status9.code') = 'VAR' then stat9 = status9.code
else stat9 = 'unknown value' code
say 'PKA callable status =' stat9
exit