A fix is available
APAR status
Closed as new function.
Error description
New Function
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: * * Users of ICSF * **************************************************************** * PROBLEM DESCRIPTION: * * New Function * * * * Cryptographic services enhancements for CCA and PKCS11 * * * * Support for clear HMAC keys * * Changed services * * HMAC Generate (CSNBHMG or CSNBHMG1 and CSNEHMG or * * CSNEHMG1) * * HMAC Verify (CSNBHMV or CSNBHMV1 and CSNEHMV or * * CSNEHMV1) * * MAC Generate2 (CSNBMGN2, CSNBMGN3, CSNEMGN2, and * * CSNEMGN3) * * MAC Verify2 (CSNBMVR2, CSNBMVR3, CSNEMVR2, and CSNEMVR3) * * * * Exploit CPACF instructions for HMAC generation * * Changed services * * HMAC Generate (CSNBHMG or CSNBHMG1 and CSNEHMG or * * CSNEHMG1) * * HMAC Verify (CSNBHMV or CSNBHMV1 and CSNEHMV or * * CSNEHMV1) * * MAC Generate2 (CSNBMGN2, CSNBMGN3, CSNEMGN2, and * * CSNEMGN3) * * MAC Verify2 (CSNBMVR2, CSNBMVR3, CSNEMVR2, and CSNEMVR3) * * PKCS11 Generate Keyed MAC (CSFPHMG and CSFPHMG6) * * PKCS11 Verify Keyed MAC (CSFPHMV and CSFPHMV6) * * * * New access control for Enterprise PKCS #11 coprocessors * * "BTC-related including blockchain, altcoins, and digital * * assets" * * number 42 * **************************************************************** * RECOMMENDATION: * ****************************************************************
Problem conclusion
Summary ------------------------------------------ Support for clear HMAC keys for CCA services ICSF is adding support to generate and verify MACs using clear HMAC keys. These callable services have been enhanced to support clear HMAC keys: HMAC Generate (CSNBHMG or CSNBHMG1 and CSNEHMG or CSNEHMG1) HMAC Verify (CSNBHMV or CSNBHMV1 and CSNEHMV or CSNEHMV1) MAC Generate2 (CSNBMGN2, CSNBMGN3, CSNEMGN2, and CSNEMGN3) MAC Verify2 (CSNBMVR2, CSNBMVR3, CSNEMVR2, and CSNEMVR3) The CPACF instructions will be used to generate and verify clear keys MACs using the HMAC algorithm. SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 algorithms are supported. Theses services have been enhanced to exploit CPACF instructions: HMAC Generate (CSNBHMG or CSNBHMG1 and CSNEHMG or CSNEHMG1) HMAC Verify (CSNBHMV or CSNBHMV1 and CSNEHMV or CSNEHMV1) MAC Generate2 (CSNBMGN2, CSNBMGN3, CSNEMGN2, and CSNEMGN3) MAC Verify2 (CSNBMVR2, CSNBMVR3, CSNEMVR2, and CSNEMVR3) PKCS #11 Generate Keyed MAC (CSFPHMG and CSFPHMG6) PKCS #11 Verify Keyed MAC (CSFPHMV and CSFPHMV6) New access control for Enterprise PKCS #11 coprocessors "BTC-related including blockchain, altcoins, and digital assets" number 42 All of the enhancements included in this APAR will also be documented in the FMID HCR77D1 release of the following ICSF publications: ICSF System Programmer's Guide SC14-7507 ICSF Application Programmer's Guide SC14-7508 ICSF Overview SC14-7509 ICSF Writing PKCS #11 Applications SC14-7510
Temporary fix
Comments
Support for clear HMAC keys for CCA services ICSF is adding support to generate and verify MACs using clear HMAC keys. These callable services have been enhanced to support clear HMAC keys: HMAC Generate (CSNBHMG or CSNBHMG1 and CSNEHMG or CSNEHMG1) HMAC Verify (CSNBHMV or CSNBHMV1 and CSNEHMV or CSNEHMV1) MAC Generate2 (CSNBMGN2, CSNBMGN3, CSNEMGN2, and CSNEMGN3) MAC Verify2 (CSNBMVR2, CSNBMVR3, CSNEMVR2, and CSNEMVR3) The CPACF instructions will be used to generate and verify clear keys MACs using the HMAC algorithm. SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 algorithms are supported. Theses services have been enhanced to exploit CPACF instructions: HMAC Generate (CSNBHMG or CSNBHMG1 and CSNEHMG or CSNEHMG1) HMAC Verify (CSNBHMV or CSNBHMV1 and CSNEHMV or CSNEHMV1) MAC Generate2 (CSNBMGN2, CSNBMGN3, CSNEMGN2, and CSNEMGN3) MAC Verify2 (CSNBMVR2, CSNBMVR3, CSNEMVR2, and CSNEMVR3) PKCS #11 Generate Keyed MAC (CSFPHMG and CSFPHMG6) PKCS #11 Verify Keyed MAC (CSFPHMV and CSFPHMV6) New access control for Enterprise PKCS #11 coprocessors "BTC-related including blockchain, altcoins, and digital assets" number 42 All of the enhancements included in this APAR will also be documented in the FMID HCR77D1 release of the following ICSF publications: ICSF System Programmer's Guide SC14-7507 ICSF Application Programmer's Guide SC14-7508 ICSF Overview SC14-7509 ICSF Writing PKCS #11 Applications SC14-7510
APAR Information
APAR number
OA60317
Reported component name
ICSF/MVS
Reported component ID
568505101
Reported release
7D1
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / New Function / Xsystem
Submitted date
2020-10-08
Closed date
2020-12-17
Last modified date
2021-01-05
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UJ04665
Modules/Macros
CSFINPV2 CSFVCIQA CSFNCHMG CSFNCHMV CSFDDMRL CSFNCPCI
SC147505 | SC147508 | SC147507 |
Fix information
Fixed component name
ICSF/MVS
Fixed component ID
568505101
Applicable component levels
R7D1 PSY UJ04665
UP20/12/19 P F012
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Platform":[{"code":"PF054","label":"z\/OS"}],"Version":"7D1"}]
Document Information
Modified date:
06 January 2021