I have just upgraded to ACF2 for z/OS r16.0 and now I am getting message ACF0A217 when inserting a certificate using the GENCERT command. I am specifying the ICSF parameter.

Document ID : KB000057381
Last Modified Date : 14/02/2018

Symptoms:

I have just upgraded to ACF2 for z/OS r16.0 and now I am getting message ACF0A217 when inserting
a certificate using the GENCERT command. I am specifying the ICSF parameter.

GENCERT r16.icsfcert su(cn='r16 cert with ICSF & default 2048 keysize') ICSF

I receive the error message:
ACF0A217 Key size of certificate requires PCI Cryptographic Coprocessor.      
         Specify PCICC instead of ICSF    

When I insert the certificate on an ACF2 for z/OS r15.0 system it works successfully.
GENCERT r15.icsfcert su(cn='r15 cert with ICSF & default 1024 keysize') ICSF

CERTDATA / R15.ICSFCERT LAST CHANGED BY MASTER ON 11/16/15-12:44             
                      CERTNSER(0000000000000001) ICSF                         
                      ISSUERDN(CN=r15 cert with ICSF & default 1024 keysize)  
                      KEYSIZE(1,024) LABEL(R15.ICSFCERT) SERIAL#(00)          
                      SUBJDN(CN=r15 cert with ICSF & default 1024 keysize)    
                      TRUST                                                   
 Certificate is not connected to any key rings   

 

Resolution:

In ACF2 for z/OS r16.0 the default certificate key size has changed from 1024 to 2048.

ICSF has an upper limit of 1024, so any GENCERT request that specifies ICSF with no SIZE
parameter gets this error message on r16:

?  gencert r16.icsfcert su(cn='r16 cert with ICSF & default 2048 keysize') ICSF
ACF0A217 Key size of certificate requires PCI Cryptographic Coprocessor.      
 Specify PCICC instead of ICSF                                                

On r15 a similar GENCERT command with ICSF and no KEYSIZE works OK:

?  gencert r15.icsfcert su(cn='r15 cert with ICSF & default 1024 keysize') ICSF
CERTDATA / R15.ICSFCERT LAST CHANGED BY MASTER ON 11/16/15-12:44             
                      CERTNSER(0000000000000001) ICSF                         
                      ISSUERDN(CN=r15 cert with ICSF & default 1024 keysize)  
                      KEYSIZE(1,024) LABEL(R15.ICSFCERT) SERIAL#(00)          
                      SUBJDN(CN=r15 cert with ICSF & default 1024 keysize)   
                      TRUST 
 
The solution is to specify PCICC instead of ICSF.
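
A pre-upgrade check for the behaviour described above, as an added example (not CA code): it scans GENCERT commands, for instance from batch decks, and returns those that would raise ACF0A217 on r16. It assumes the key size is given as the SIZE(n) operand named in this article and that ICSF still accepts an explicit size of up to 1024 on r16; the function names are hypothetical.

```python
import re

ICSF_MAX_KEY_SIZE = 1024                        # ICSF upper limit stated in the article
DEFAULT_KEY_SIZE = {"r15": 1024, "r16": 2048}   # GENCERT default per release (article)

QUOTED = re.compile(r"'(?:[^']|'')*'")          # quoted values such as the subject DN
SIZE = re.compile(r"\bSIZE\s*\(\s*(\d+)\s*\)", re.IGNORECASE)  # assumed operand form
STORE = re.compile(r"\b(ICSF|PCICC)\b", re.IGNORECASE)


def parse_gencert(command, release):
    """Return (key_store, key_size) that one GENCERT command would use."""
    # Blank out quoted text first: the DN in the article's own example
    # contains the words "ICSF" and "keysize", which are not operands.
    bare = QUOTED.sub("''", command)
    # Skip the verb and the record id (e.g. r16.icsfcert) before matching.
    operands = " ".join(bare.split()[2:])
    store = STORE.search(operands)
    size = SIZE.search(operands)
    return (store.group(1).upper() if store else None,
            int(size.group(1)) if size else DEFAULT_KEY_SIZE[release])


def fails_acf0a217(command, release="r16"):
    """True when the command asks ICSF for a key above its 1024 limit."""
    store, size = parse_gencert(command, release)
    return store == "ICSF" and size > ICSF_MAX_KEY_SIZE


def scan(commands, release="r16"):
    """Return the GENCERT commands that would be rejected on `release`."""
    return [c for c in commands
            if c.split()[:1] and c.split()[0].upper() == "GENCERT"
            and fails_acf0a217(c, release)]


# First entry is the command from the article; the rest are constructed samples.
SAMPLE = [
    "GENCERT r16.icsfcert su(cn='r16 cert with ICSF & default 2048 keysize') ICSF",
    "GENCERT r16.icsfcert su(cn='r16 cert with ICSF & default 2048 keysize') PCICC",
    "GENCERT web.icsf su(cn='no key store operand, ICSF only in the DN')",
    "GENCERT web.small su(cn='explicit size') SIZE(1024) ICSF",
    "LIST web.small",
]

if __name__ == "__main__":
    for cmd in scan(SAMPLE):
        print("ACF0A217 expected on r16:", cmd)
```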