Potential undetected loss of data under specific conditions with data encryption or decryption using CUSP or IPS keywords
Abstract
DB2® and IMS™ Data Encryption Tool (5655P0300) has one IMS exit routine (DECENC01) and one DB2 EDITPROC (DECENC00) that exploit the ICSF callable services CSNBENC or CSNBDEC for ICSF secure key processing. Without this GTS fix, a zero return code might be returned when an internal ICSF error goes undetected, resulting in corrupted data being inserted, then retrieved from the affected database or table. This problem ONLY occurs on data strings (IMS segments and DB2 rows) that exceed 1400 bytes in length.
Content
If all of the criteria listed below are met, there is a potential for an undetected loss of data while using an encryption or a decryption operation that is invoking the CIPHER macro or using the ICSF callable services CSNBENC or CSNBDEC. Data that is encrypted or decrypted with this macro or these services, with specified keywords and text length, will not be processed successfully. However, the return codes and reason codes during this processing will indicate successful operation completion.
The service teams, working with the client and the independent software vendors, should use the following criteria to determine if the client could be exposed to this issue. All of the following criteria must be met in order for a client to be exposed:
1. Machine types: 2094 or 2096, operating on firmware driver level 67L only. No exposure for this problem exists at firmware driver level 63J. And all of the following conditions are also met:
2. The machine has crypto feature code FC0863 installed and activated. No exposure for this problem exists if this feature is installed but not activated.
3. Application is using ICSF callable services CSNBENC or CSNBDEC specifying CUSP or IPS as keywords in the rule_array - or - using the CIPHER macro with the COMPAT(YES) parameter in the ICSF options data set. Note that other keywords that are specified with CSNBENC or CSNBDEC have no effect regarding this issue.
4. The encryption or decryption data has a text_length greater than 1400 bytes.
Information about meeting criteria #3 and #4 above can be obtained from the client system programmer.
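As an added example (not IBM's code or tooling), the four exposure criteria above can be applied to a constructed inventory to show which criterion rules each workload out. The record fields, workload names and sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, field

EXPOSED_MACHINES = {"2094", "2096"}   # criterion 1: machine types
EXPOSED_DRIVER = "67L"                # criterion 1: driver level (63J is not exposed)
EXPOSED_KEYWORDS = {"CUSP", "IPS"}    # criterion 3: rule_array keywords
TEXT_LENGTH_LIMIT = 1400              # criterion 4: exposed only ABOVE this many bytes

@dataclass
class Workload:
    """One application on one machine; every field name here is an assumption."""
    name: str
    machine_type: str
    driver_level: str
    fc0863_installed: bool
    fc0863_activated: bool
    rule_array: list = field(default_factory=list)  # keywords passed to CSNBENC/CSNBDEC
    cipher_macro_compat_yes: bool = False           # CIPHER macro with COMPAT(YES)
    max_text_length: int = 0                        # largest text_length in bytes

def unmet_criteria(w):
    """Return the advisory criteria (1-4) that this workload does NOT meet."""
    unmet = []
    if w.machine_type not in EXPOSED_MACHINES or w.driver_level.upper() != EXPOSED_DRIVER:
        unmet.append(1)
    if not (w.fc0863_installed and w.fc0863_activated):  # installed alone is not enough
        unmet.append(2)
    keywords = {k.strip().upper() for k in w.rule_array}
    if not (keywords & EXPOSED_KEYWORDS or w.cipher_macro_compat_yes):
        unmet.append(3)
    if w.max_text_length <= TEXT_LENGTH_LIMIT:           # exactly 1400 is not exposed
        unmet.append(4)
    return unmet

def is_exposed(w):
    """Exposed only when all four criteria are met."""
    return not unmet_criteria(w)

def triage(inventory):
    """Map each workload name to the list of criteria that rule it out."""
    return {w.name: unmet_criteria(w) for w in inventory}

# Constructed sample inventory (not real systems).
INVENTORY = [
    Workload("db2-editproc", "2094", "67L", True, True, ["CUSP"], False, 4000),
    Workload("ims-exit-short", "2096", "67L", True, True, ["IPS"], False, 1400),
    Workload("old-driver", "2094", "63J", True, True, ["CUSP"], False, 4000),
    Workload("feature-inactive", "2096", "67L", True, False, ["IPS"], False, 2000),
    Workload("cipher-macro", "2094", "67L", True, True, [], True, 1401),
    Workload("other-keyword", "2094", "67L", True, True, ["CBC"], False, 4000),
]
```

An empty list from `triage` means all four criteria are met and the workload should be treated as exposed until the MCLs are activated.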
For additional information on ICSF keywords, data lengths, and the ICSF options data set, see:
- z/OS Cryptographic Services ICSF Application Programmer's Guide
- z/OS Cryptographic Services ICSF Systems Programmer's Guide
These guides can be found online at: http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/FINDBOOK?filter=crypto
If the service team or client is unable to determine if all of the above criteria are met, contact your IBM next level of support for assistance.
RECOMMENDED ACTIONS:
Product Engineering strongly recommends the following actions be taken to immediately fix the root cause of this issue.
Install and activate the following (5) D67L Hiper MCLs (bundle 15A) that are available in RETAIN today (10/05/2007):
Driver 67L Hiper MCL 001 in the G40942 (SE xcrypto) stream
Driver 67L Hiper MCL 002 in the G40942 (SE xcrypto) stream
Driver 67L Hiper MCL 003 in the G40942 (SE xcrypto) stream
Driver 67L Hiper MCL 004 in the G40942 (SE xcrypto) stream
Driver 67L Hiper MCL 005 in the G40942 (SE xcrypto) stream
These MCLs can all be applied concurrently and require a crypto adapter configure off/on to activate. Please contact IBM support if you have any questions or require guidance related to this notification.
Product categories:
- Software
- Data Management
- Database Management Tools
- DB2 and IMS Tools
- IBM Data Encryption for IMS and DB2 Databases
Operating system(s): z/OS
Software version: 1.1.0
Reference #: 1282683
IBM Group: Software Group
Modified date: 2008-05-15