ICSF provides key management callable services that are identical
to the 4753-HSP verbs of the same name. Key management applications that
are developed for the 4753-HSP and use these common verbs can be run
on OS/390 ICSF or z/OS ICSF without reassembly. You will, however, need
to relink them.
If your installation is currently using the 4753-HSP and you are migrating
to OS/390 ICSF or z/OS ICSF, consider:
- 4753-HSP cryptographic key storage
Internal key tokens for ICSF and the 4753-HSP are not interchangeable. Key token migration
for the 4753 exists through the optional TKE Version 3 Workstation for
the S/390 G5, G6, and z900 servers and TKE Version 4 or higher for
z900, z890, z990, z9 EC and z9 BC servers. TKE Version
3, Version 4, and Version 5 supply a 4753 Migration
Utility. It allows you to migrate internal DES key tokens from the
4753 to ICSF. Key exchange between the two systems is through the
external key token. To migrate keys from the 4753-HSP to ICSF, you
must first establish an exporter/importer key relationship between
the 4753-HSP and ICSF. You can then write an application to export
keys from the 4753-HSP key storage and import them into the ICSF CKDS.
This type of key exchange works only for CCA-defined key types, because those
key types carry the same control vectors (CVs) under key-encrypting keys on both systems. If your 4753-HSP installation
includes non-CCA key types in key storage, you need to generate a
special exporter/importer key-encrypting key pair on the 4753-HSP. The
exporter key-encrypting key nullifies the CV value that is used on
the 4753-HSP, and the importer key-encrypting key includes the CV value
that is needed at ICSF.
- Key labels
ICSF/MVS Version 1 Release 2 and above supports an extended key label of up
to 64 bytes. Although the 4753-HSP also supports a 64-byte key label,
there are additional key label formatting restrictions that do not
apply to ICSF. The 4753-HSP key label consists of one to five name
tokens that are separated by periods. Each name token includes one
to eight alphanumeric or national string characters. ICSF, therefore,
can accept all 4753-HSP key labels, but the 4753-HSP cannot accept all ICSF key
labels. For more information on key label formatting restrictions,
refer to IBM Transaction Security System: Concepts and Programming Guide: Volume I, Access Controls and DES Cryptography.
ICSF/MVS Version 1 Release 2 and above,
like the 4753-HSP, requires unique key labels for data-encrypting keys,
data-translation keys, and MAC keys. To maintain compatibility with ICSF/MVS Version 1 Release 1,
however, KGUP continues to allow multiple key types per label
for importer, exporter, and PIN keys, under these conditions: use either
KGUP or the KEU to enter the keys, and ensure that the key labels
do not conflict with the unique-label restrictions that apply to the other key types.
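The label rules above are simple enough to check mechanically before a migration, which avoids discovering an unacceptable label only when a KGUP job fails. The following is an added example written for this page, not IBM code: it implements exactly the rules the text states (64-byte labels on both systems; on the 4753-HSP, one to five period-separated tokens of one to eight alphanumeric or national characters) and shows why every 4753-HSP label is also a valid ICSF label but not the reverse. It assumes the national characters are the z/OS set @, #, $, that labels are supplied in upper case, and, for the KGUP duplicate-label check, the ICSF key-type names IMPORTER, EXPORTER, IPINENC, OPINENC, PINGEN and PINVER for the importer, exporter and PIN key classes; the sample labels and CKDS entries are constructed for the demonstration.

```python
"""Key-label checks for a 4753-HSP to ICSF migration (added example, not IBM code)."""
from collections import defaultdict

# Character classes from the text: alphanumeric or national characters.
# Assumption: the national characters are the z/OS set @ # $.
ALNUM = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
NATIONAL = set("@#$")
LABEL_CHARS = ALNUM | NATIONAL
MAX_LABEL = 64       # extended key label length on both systems
MAX_TOKENS = 5       # 4753-HSP: one to five name tokens
MAX_TOKEN_LEN = 8    # 4753-HSP: each token is one to eight characters


def check_icsf_label(label):
    """Rules the page gives for ICSF: up to 64 bytes of label characters and
    periods. Returns a list of violations; an empty list means accepted.
    Labels are expected in upper case, as KGUP stores them."""
    problems = []
    if not 1 <= len(label) <= MAX_LABEL:
        problems.append(f"length {len(label)} not in 1..{MAX_LABEL}")
    bad = sorted(set(label) - LABEL_CHARS - {"."})
    if bad:
        problems.append(f"disallowed characters {''.join(bad)!r}")
    return problems


def check_4753_label(label):
    """4753-HSP rules: the ICSF rules plus the token structure."""
    problems = check_icsf_label(label)
    tokens = label.split(".")
    if not 1 <= len(tokens) <= MAX_TOKENS:
        problems.append(f"{len(tokens)} name tokens, 4753-HSP allows 1..{MAX_TOKENS}")
    for n, tok in enumerate(tokens, 1):
        if not 1 <= len(tok) <= MAX_TOKEN_LEN:
            problems.append(f"token {n} {tok!r} not 1..{MAX_TOKEN_LEN} characters")
    return problems


def classify(label):
    """Which system accepts the label: 'both', 'icsf-only' or 'neither'.
    '4753-only' cannot occur because the 4753-HSP rules are a superset."""
    icsf_ok = not check_icsf_label(label)
    hsp_ok = not check_4753_label(label)
    if icsf_ok and hsp_ok:
        return "both"
    return "icsf-only" if icsf_ok else "neither"


# Key types that KGUP still allows to share one label (importer, exporter and
# PIN keys). Assumption: these are the ICSF key-type names for those classes.
SHAREABLE_TYPES = {"IMPORTER", "EXPORTER", "IPINENC", "OPINENC", "PINGEN", "PINVER"}


def kgup_label_conflicts(entries):
    """entries: iterable of (label, key_type) pairs as they would be loaded
    into the CKDS. Returns the labels that carry more than one key type where
    that sharing is not within the allowed importer/exporter/PIN set."""
    by_label = defaultdict(set)
    for label, key_type in entries:
        by_label[label.upper()].add(key_type.upper())
    return sorted(label for label, types in by_label.items()
                  if len(types) > 1 and not types <= SHAREABLE_TYPES)


if __name__ == "__main__":
    # Constructed sample labels: token too long, too many tokens, bad character.
    for lab in ("PAYROLL.DATA01", "APPLICATION.DATAKEY", "A.B.C.D.E.F", "BAD-LABEL"):
        print(f"{lab:24} {classify(lab):10} {check_4753_label(lab)}")
    # Constructed CKDS entries: the KEK pair may share a label, DATA and MAC may not.
    entries = [("BANKKEK", "IMPORTER"), ("BANKKEK", "EXPORTER"),
               ("PAYROLL.DATA01", "DATA"), ("PAYROLL.DATA01", "MAC")]
    print("conflicting labels:", kgup_label_conflicts(entries))
```

Running the checks against an export of the 4753-HSP key storage before the migration, and against the planned ICSF CKDS labels afterwards, shows which labels can be carried over unchanged and which ICSF-only labels would have to be renamed if any application still needs to address the same key on the 4753-HSP.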
- UDX (User Defined Extension) support
Beginning with OS/390 V2 R10, ICSF supports UDX
capabilities. UDX routines are developed under a special contract with
IBM and are distributed only to authorized customers.
The UDX
function is invoked by an "installation-defined" or generic callable
service. The callable service is defined in the Installation Options
data set (UDX parameter) and the service stub is link-edited with
the application. The application program calls the service stub which
accesses the UDX installation-defined service.
There is a one-to-one
correspondence between a specific generic service in ICSF and a specific
UDX command processor in the PCICC, PCIXCC, or CEX2C. The
administrator, through ICSF panels, performs UDX authorization processing
on each PCI Cryptographic Coprocessor. Authorization is per coprocessor and is not LPAR specific. See Managing
User Defined Extensions in z/OS Cryptographic Services ICSF Administrator’s Guide for
additional information.
Support for writing your own UDX for
a PCI Cryptographic Coprocessor is available. Development of a UDX
for a PCIXCC or CEX2C requires a special contract with IBM.
See the UDX Reference and Guide and the 4758 Custom Software Developer's Toolkit Guide for
additional information. These, and other publications related to the
IBM 4758 Coprocessor can be obtained in PDF format from the Library
page located at http://www.ibm.com/security/cryptocards.
See
the UDX parameter and Installation-Defined
Callable Services in z/OS Cryptographic Services ICSF System Programmer’s Guide for additional details.