If your application programmers intend to use PKCS #11 token key objects for AES Galois/Counter Mode (GCM) encryption or GMAC generation, and have ICSF generate the initialization vectors, then you need to set ECVTSPLX or CVTSNAME to a unique value.

This is necessary because, for AES GCM encryption or GMAC generation, the security of the algorithm depends on never repeating a key and initialization vector combination for two or more distinct sets of data. In PKCS #11, applications can request that ICSF generate a new (unique) initialization vector each time AES GCM or GMAC is initiated. In fact, this is the only permitted way to perform AES GCM or GMAC when PKCS #11 is operating in FIPS mode. When ICSF generates initialization vectors, it uses the ECVTSPLX (sysplex mode) or CVTSNAME (non-sysplex mode) field as the cryptographic module name. The name ensures uniqueness if such keys are distributed to multiple systems, but only if each system is set with a unique name.
When setting ECVTSPLX or CVTSNAME to unique values, be aware that ICSF uses only the first (leftmost) 4 characters of these fields. For this reason, these 4 characters must be set to uniquely identify the system.
For example, suppose AES key value 123 is created on the current single-image system (known as System A) and is distributed to another system residing in a Sysplex (known as Sysplex B). Both systems will be performing GCM encryption where ICSF generates the initialization vectors. To ensure that unique initialization vectors are generated, set CVTSNAME=SYSA on System A and ECVTSPLX=PLXB on Sysplex B.
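The following is an added illustration, not ICSF code and not a description of ICSF's internal IV format. It models the one property the text relies on: a 12-byte GCM IV built from a 4-character module name plus a per-system invocation counter (the deterministic fixed-field/invocation-field construction of NIST SP 800-38D, assumed here), so that two systems with different 4-character names can never produce the same IV for a shared key, while two systems whose names only differ after the fourth character (for example SYSAPROD and SYSATEST, constructed values) are truncated to the same module name and produce identical IVs. The space padding of short names is also an assumption of this model.

```python
import struct

# ICSF uses only the leftmost 4 characters of ECVTSPLX or CVTSNAME.
MODULE_NAME_LEN = 4


def module_name(field_value: str) -> bytes:
    """Model the truncation: keep the leftmost 4 characters, space-pad
    shorter values (padding is an assumption of this illustration)."""
    return field_value[:MODULE_NAME_LEN].ljust(MODULE_NAME_LEN).encode("ascii")


class IvGenerator:
    """Deterministic 96-bit GCM IV: 4-byte module name || 8-byte counter.

    This is the SP 800-38D fixed-field / invocation-field construction used
    as an illustration; it is not ICSF's actual format. Uniqueness across
    systems rests entirely on the fixed field being distinct per system.
    """

    def __init__(self, field_value: str) -> None:
        self.fixed = module_name(field_value)
        self.counter = 0

    def next_iv(self) -> bytes:
        # The invocation field must never wrap; a real implementation would
        # refuse further encryptions under this key once it is exhausted.
        if self.counter >= 2 ** 64:
            raise RuntimeError("invocation field exhausted; rotate the key")
        iv = self.fixed + struct.pack(">Q", self.counter)
        self.counter += 1
        return iv


def find_iv_collisions(field_values, ivs_per_system: int) -> set:
    """Simulate every system in field_values generating ivs_per_system IVs
    for the same key and return the IVs that appeared on more than one
    system, i.e. the (key, IV) pairs that would be reused across systems."""
    seen = {}
    collisions = set()
    for name in field_values:
        gen = IvGenerator(name)
        for _ in range(ivs_per_system):
            iv = gen.next_iv()
            if iv in seen and seen[iv] != name:
                collisions.add(iv)
            seen.setdefault(iv, name)
    return collisions


if __name__ == "__main__":
    # Distinct 4-character names, as the text recommends: no reuse.
    print("SYSA / PLXB collisions:", len(find_iv_collisions(["SYSA", "PLXB"], 5)))
    # Names that only differ after character 4 collapse to the same module
    # name, so every IV is generated twice for the same key.
    print("SYSAPROD / SYSATEST collisions:",
          len(find_iv_collisions(["SYSAPROD", "SYSATEST"], 5)))
```

The check to take away is the second case: a naming scheme that is unique on paper can still collide once truncated to 4 characters, so verify the leftmost 4 characters of SYSNAME and of the SYSPLEX name, not the full values, when the same key is distributed.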
CVTSNAME is normally set from the SYSNAME=value statement in the IEASYSxx member of "SYS1.PARMLIB". For more information, see z/OS MVS Initialization and Tuning Reference.

ECVTSPLX is normally set from the COUPLE SYSPLEX(value) statement in the COUPLExx member of "SYS1.PARMLIB". For more information, see z/OS MVS Setting Up a Sysplex.