This topic lists programming changes that should be considered
when installing a PCIXCC/CEX2C.
Consideration should be given to:
- The DATAC key type cannot be used on the IBM zSeries 900.
- The PIN block format checking on PCIXCC/CEX2C is more
rigorous than with a CCF.
For CSNBPVR, CSNBPTR and CSNBCPA services,
the input PIN block must have the correct format as specified in the
PIN Profile parameter. On a CCF system, the PIN block format checking
is incomplete.
For example, the REFORMAT processing mode of
PIN Translate (CSNBPTR) may now fail on a PCIXCC/CEX2C when
it was previously successful on a CCF. On a CCF, if input to the PIN
verify service (CSNBPVR) is a malformed encrypted PIN block, the
service will fail with return code 4, reason code 3028 (verification
failed); on a PCIXCC/CEX2C, the service may fail with return
code 8 and a reason code that indicates an invalid PIN format.
- A 512- to 2048-bit modulus for RSA keys is supported in all PKA services
except SET services (Set Block Compose and Set Block Decompose).
- All CCF functions are now executed on the PCIXCC/CEX2C.
This may cause some impact on the performance of customer applications.
- Reason codes from the PCIXCC/CEX2C may be different from
previous cryptographic hardware.
- With PCIXCCs/CEX2Cs, the requirement that the caller must
be in supervisor state to use NOCV tokens is lifted for the CKDS Key Record Write (CSNBKRW) service.
- The z/OS SCHEDULE and IEAMSCHD macros are used to schedule SRBs.
On the IBM zSeries 990, IBM zSeries 890, IBM System Enterprise Class or IBM System
Business Class, since there are no CCFs on the system, applications
should delete FEATURE=CRYPTO on the SCHEDULE and IEAMSCHD macros or
the SRB being scheduled will not run.
- External tokens that are export prohibited are imported differently
on a z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, and z196 system
with PCIXCCs/CEX2C/CEX3Cs. The imported internal token will
have the same control vector as the external token with export prohibited.
These tokens will only be usable on a z990, z890, z9 EC,
z9 BC, z10 EC, z10 BC, and z196 with a PCIXCC/CEX2C or
on CCF systems with PCICCs. On previous hardware (CCF systems) the
imported internal token had a control vector that allowed export,
and export prohibition was enforced by the export flag in the token.
- Prohibit Export service can now be used for MAC and MACVER keys.
- New rule array keyword TDES-MAC added to the MAC Generate
and MAC Verify services.
- New rule array keywords, CFB and PKCS-PAD added to the
Symmetric Key Decipher and Symmetric Key Encipher services.
- A RACF check is added to the Key Generation Utility (CSFKGUP).
- The CSFKGUP utility exit control block has been changed for AES.
See Installation Exits for the new format.