IBM Support

SI68933 - OSP-CCA CSNDPKX ERROR 8/47 WITH AES MODULUS-EXPONENT FORMAT

PTF ( Program Temporary Fixes ) Cover letter


Order this fix

Abstract

OSP-CCA CSNDPKX ERROR 8/47 WITH AES MODULUS-EXPONENT FORMAT


Pre/Co-Requisite PTF / Fix List

REQ  LICENSED           PTF/FIX  LEVEL

TYPE PROGRAM  RELEASE   NUMBER   MIN/MAX  OPTION
---- -------- --------- -------  -------  ------
PRE  5770999  V7R2M0    MF62827   00/00    0000
DIST 5733CY3  V7R2M0    SI63440   NONE     0000
DIST 5770SS1  V7R2M0    SI63095   NONE     0034



NOTICE:
-------
Application of this PTF may disable or render ineffective programs that
use system memory addresses not generated by the IBM translator,
including programs that circumvent control technology designed to limit
interactive capacity to purchased levels.  This PTF may be a prerequisite
for future PTFs.  By applying this PTF you authorize and agree to the
foregoing.

This PTF is subject to the terms of the license agreement which
accompanied, or was contained in, the Program for which you are obtaining
the PTF.  You are not authorized to install or use the PTF except as part
of a Program for which you have a valid Proof of Entitlement.

SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY
AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT
AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT,
REGARDING THE PTF.

The applicable license agreement may have been provided to you in printed
form and/or may be viewed using the Work with Software Agreements (WRKSFWAGR)
CL command.





APAR Error Description / Circumvention

-----------------------------------------------
Using CCA API CSNDPKX to extract a public key that was generated
using option RSA-AESM results in return code 8 reason code 47
which means the source key token is unusable because it contains
data that is not valid or is undefined.

CORRECTION FOR APAR SE70425 :
-----------------------------
The CSNDPKX API is updated to support the key token format.

CIRCUMVENTION FOR APAR SE70425 :
--------------------------------
None.


Activation Instructions


If you are not using or do not intend to use a cryptographic
coprocessor, nothing further needs to be done.

There are 3 master key registers: New, Current, and Old.
When "Loading" master key parts, only the New master key register
gets updated.  The Current and Old registers are not changed.
When "Setting" master key parts, the Current master key gets moved
to the Old master key register, and the New master key gets moved to
the Current master key register.
When "Re-encrypting" keys in a keystore that are encrypted with a
master key, the Old master key is used to decrypt the keys, the
Current master key is used to encrypt the keys.  It is therefore very
important to re-encrypt keys residing in a keystore immediately after
setting the master key to ensure the correct Old master key is
accessible for decryption.

The following steps describe how to load and set the master key parts.
If you have an APKA master key in addition to an AES master key, you
may set the APKA master key parts after setting the AES master key
so the re-encrypt process is only ran once. The process to load, set,
and re-encrypt keys is performed using the Cryptographic Coprocessor
Configuration web-based utility found by clicking on IBM i Tasks page
link on the IBM Navigator for i welcome page at
http://server-name:2001.

-  Click on "Manage configuration".
-  Click on "Master keys" and provide information to manage keys on
desired coprocessor.
-  Click on "Load".
-  Select "AES" and click on "Manual load".
-  Fill in the four 8-byte values and click "Continue" to set the
First key part.
-  Repeat to set the Middle and Last key parts, and then click
"Done".
-  Click "Set", select "AES", and then click "Continue" to have the
new master key set as the current master key.
-  Click "Done" to complete the Master key entering process.
-  Click on "AES keys", specify the key store name and library, and
click "Continue" to manage the existing AES keys.
-  Click on "Re-encrypt" and provide profile information, then click
"Re-encrypt" to have the keys enciphered using the current master
key.

APKA master keys are used to encrypt Elliptic Curve Cryptography (ECC)
keys and RSA with Object Protection Keys (OPK).  These keys reside in
the AES keystore. To re-encrypt these keys with a new APKA master key,
follow the process above specifying to load and set the APKA master
key instead of an AES master key, and then re-encrypt keys in the AES
keystore.

If you have keys that are not in a keystore or if you would prefer to
write your own application to re-encrypt keys, you can do so by using
the key token change (CSNBKTC and CSNDKTC) API verbs.





Special Instructions


********************************************************************
THE FOLLOWING ARE SUPERSEDED SPECIAL INSTRUCTIONS. IF THE SUPERSEDED
PTF HAS ALREADY BEEN APPLIED AND ITS SPECIAL INSTRUCTION FOLLOWED,
IT IS NOT NECESSARY TO FOLLOW THAT SPECIAL INSTRUCTION AGAIN.
********************************************************************

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI64296 :
=================================================

After applying or removing this PTF,
end and restart the HTTP administration server.


If you are not using or do not intend to use a cryptographic
coprocessor, nothing further needs to be done.

If you are using or intend to use a cryptographic coprocessor, follow
these steps:
- End all jobs that are using the CCA APIs in 5770SS1 Option 35.
This includes the *ADMIN server instance.
- Load and apply the PTF.
- Start the jobs again.


Run the following CL command to determine if any jobs are currently
using any type cryptographic coprocessor:

WRKCFGSTS *DEV *CRP

If there are jobs using a cryptographic coprocessor, end and then start
them again after applying this PTF.


Default Instructions

THIS PTF CAN BE APPLIED IMMEDIATE OR DELAYED.



Supersedes

PTF/FIX NO(S).  APAR TITLE LINE
--------------  ------------------------------------------------------------
   SI64296      OSP-CRYPTO: AES MASTER KEY NOT LOADED WITH CORRECT KEY PARTS
   SI64321      CCA Updates for 4.4 and 5.3 verbs
   SI63797      OSP-SECURITY CCA APIs UPDATED FOR D/T 4765, 4767
   SI63272      OSP-SECURITY APIs UPDATED FOR DEVICE 4767
   SI63097      CRYPTO:  Native support for Sentry Cryptographic Co-processo
   SI52232      CCA-INCORROUT RE-ENCRYPT FUNCTION IN CCA CRYPTO GUI FAILS
   SI52232      CCA Reencrypt of PKA files fails in Crypto GUI
   SI51335      CCA CSNBKPI2 return reason code 8/343

Summary Information

System.............................. i
Models..............................
Release............................. V7R2M0
Licensed Program............... 5770SS1
APAR Fixed.......................... View details for APAR SE70425
Superseded by:......................
Recompile........................... N
Library............................. QCCA
MRI Feature ........................ NONE
Cum Level........................... C9123720


System i Support

IBM disclaims all warranties, whether express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. By furnishing this document, IBM grants no licenses to any related patents or copyrights. Copyright © 1996,1997,1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019 IBM Corporation. Any trademarks and product or brand names referenced in this document are the property of their respective owners. Consult the Terms of use link for trademark information.

Document information

More support for: i family

Software version: V7R2M0

Operating system(s): OS/400

Reference #: SI68933

Modified date: 24 January 2019