OA64000: SHA2 RELATED HASH ALGORITHMS REPORTED AS SHA-224, SHA-256, SHA-384 AND SHA-512 WHICH DOES NOT MATCH COMMS SERVER IP

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• SHA2 related hash algorithms reported as SHA-224, SHA-256,
  SHA-384 and SHA-512 which does not match Comms Server IP.
  
  For example, Communications Server IP zERT SMF records and
  Network Configuration Assistant define message
  authentication algorithm HMAC-SHA2-384, while zSecure reports
  HMAC-SHA-384 in SMF reporting.
  
  To be consistent, zSecure should also report HMAC-SHA2-384.
  

Local fix

• N/A
  

Problem summary

• ****************************************************************
  * USERS AFFECTED: Users of zSecure Audit exploiting SMF        *
  *                 reports.                                     *
  ****************************************************************
  * PROBLEM DESCRIPTION: zSecure Audit reports some values of    *
  *                      various fields (SMF reports) related to *
  *                      authentication method incorrectly.      *
  *                      The affected fields are:                *
  *                       o IKE_TUNNEL_AUTH_METHOD.              *
  *                       o IPSEC_TUNNEL_AUTH_METHOD.            *
  *                       o SSH_INBOUND_AUTH_METHOD              *
  *                       o SSH_OUTBOUND_AUTH_METHOD.            *
  *                       o TLS_MSG_AUTH_METHOD.                 *
  *                      Same applies to the                     *
  *                      IKE_TUNL_PSEUDO_RANDOM_F field.         *
  ****************************************************************
  * RECOMMENDATION: Apply the PTF provided and review the        *
  *                 documentation updates.                       *
  ****************************************************************
  Various SMF fields related to authentication methods and the
  field IKE_TUNL_PSEUDO_RANDOM_F (Pseudo-random function used for
  seeding IKE tunnel keying material) might display following
  values: HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512,
  HMAC-SHA-256-128, HMAC-SHA-384-192, and HMAC-SHA-512-256. These
  values are incorrect. The 'SHA' part should be 'SHA2'.
  

Problem conclusion

• zSecure Audit has been modified, so that SMF fields
  IKE_TUNNEL_AUTH_METHOD, IPSEC_TUNNEL_AUTH_METHOD,
  SSH_INBOUND_AUTH_METHOD, SSH_OUTBOUND_AUTH_METHOD,
  TLS_MSG_AUTH_METHOD, and IKE_TUNL_PSEUDO_RANDOM_F report
  correct values. Please note the documentation updates as
  provided by the APAR tracking comment data.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UJ09704

Modules/Macros

• C2R3SME0 C2R3SMES C2R3SMET C2R3SMFK C2R3SMFN C2R3SMG8 CKAFDEFA
  CKAOUSMF GKRFDEFA GKROUSMF
  

Fix information

• Fixed component name

  ZSEC BASE,ADMIN

• Fixed component ID

  5655T0100

Applicable component levels

• R250 PSY UJ09704

     UP22/12/08 P F212

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.