- Description:
- Detects the existence of retained RSA private keys on a PCICC
or PCIXCC/CEX2C cryptographic card.
This check is inactive by default; in order to use this check you must activate it. You should run
the check periodically, whenever events occur that affect check results.
For example, run the check dynamically when:
  - The ICSF product release level is being upgraded to any new ICSF release level.
  - The z/OS® product release level is being upgraded and ICSF is an exploited feature for that z/OS image.
- Reason for check:
- A PCICC or PCIXCC/CEX2C card may possess the only copy of a retained
RSA private key. Customers that run applications and middleware that
utilize the retained key functionality of these cards are exposed
to the loss of keys upon hardware failure, which may result from a
problem as simple as an exhausted or malfunctioning card battery.
Lost retained keys have the further implication of lost data, for
retained key management keys, and an inability to verify signatures,
for retained signature keys. Starting with the Cryptographic
Support for z/OS V1R7-V1R9
and z/OS.e V1R7-V1R8 Web deliverable
(ICSF FMID HCR7750), you no longer have the ability to store new private
RSA keys intended for key management usage in a cryptographic coprocessor.
Existing applications will continue to be able to use the retained
keys and to delete them from the cryptographic coprocessor cards.
- z/OS releases the check applies to:
- z/OS V1R9 and later.
- Type of check (local or remote):
- Local
- User override of IBM® values:
- The following shows keywords you can use to override check values
on either a POLICY statement in the HZSPRMxx parmlib member or on
a MODIFY command. This statement may be copied and modified to override
the check defaults:
UPDATE
CHECK(IBMICSF, ICSFMIG7731_ICSF_RETAINED_RSAKEY)
INACTIVE
SEVERITY(LOW) INTERVAL(ONETIME) DATE('date_of_the_change')
REASON('Your reason for making the update.')
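Because the check ships inactive, the POLICY statement above has to be combined with an ACTIVE keyword (or an ACTIVATE command) before it will ever run, and the description asks for a dynamic run around ICSF or z/OS upgrades. The following is an added example of one way to do that, not part of IBM's check description: an HZSPRMxx policy statement that activates the check and a matching set of operator commands. The policy statement name ICSFRET1, the Health Checker started-task name HZSPROC, and the DATE and REASON values are assumptions; substitute your own.

```text
* HZSPRMxx parmlib member (assumed statement name ICSFRET1)
ADDREPLACE POLICY STMT(ICSFRET1)
  UPDATE CHECK(IBMICSF,ICSFMIG7731_ICSF_RETAINED_RSAKEY)
  ACTIVE SEVERITY(LOW) INTERVAL(ONETIME)
  DATE('date_of_the_change')
  REASON('Detect retained RSA private keys before ICSF upgrade')

* Operator commands for a one-off dynamic run (HZSPROC is the
* assumed Health Checker started-task name)
F HZSPROC,ACTIVATE,CHECK=(IBMICSF,ICSFMIG7731_ICSF_RETAINED_RSAKEY)
F HZSPROC,RUN,CHECK=(IBMICSF,ICSFMIG7731_ICSF_RETAINED_RSAKEY)
F HZSPROC,DISPLAY,CHECK=(IBMICSF,ICSFMIG7731_ICSF_RETAINED_RSAKEY),DETAIL
```

The DISPLAY with DETAIL shows the check's current state and the result of the last run, which is the place to confirm that the check actually executed after an upgrade rather than remaining inactive; INTERVAL(ONETIME) means it will not rerun on its own, so repeat the RUN command for each subsequent ICSF or z/OS release change.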
- Parameters accepted:
- No.
- Verbose support:
- No
- Debug support:
- No
- Reference:
- For more information see z/OS Cryptographic Services ICSF System Programmer's Guide.
- Messages:
- This check issues the following exception messages:
See the messages for this check in z/OS Cryptographic Services ICSF Messages.
- SECLABEL recommended for multilevel security users:
- SYSLOW - see z/OS Planning for Multilevel Security and the Common Criteria for
information on using SECLABELs.