SAF may be invoked to verify the caller is authorized to use this callable service, the key label, or internal secure key tokens that are stored in the CKDS or PKDS.

The Digital Signature Generate access control point controls the function of this service.

The length of the hash for ZERO-PAD is restricted to 36 bytes. If the DSG ZERO-PAD unrestricted hash length access control point is enabled in the ICSF role, the length of the hash is not restricted. This access control is disabled by default.

This table lists the required cryptographic hardware for each server type and describes restrictions for this callable service.

Table 224. Digital signature generate required hardware

| Server | Required cryptographic hardware | Restrictions |
|---|---|---|
| IBM zSeries 900 | Cryptographic Coprocessor Feature | ECC not supported.<br>The request is processed on the CCF when:<br>- the modulus bit length of the RSA key is less than 512 bits<br>- the key specified is a DSS key<br>- the key specified is a X'02' private modulus-exponent RSA key<br>- the key specified is a X'06' private modulus-exponent RSA key and the key use bits indicate signature only<br>- the key specified is a X'06' private modulus-exponent RSA key and the key use bits indicate key-management use and the SMK is equal to the KMMK<br>RSA keys with moduli greater than 1024-bit length are not supported. |
| IBM zSeries 900 | PCI Cryptographic Coprocessor | ECC not supported.<br>The request is processed on the PCICC when:<br>- the key specified is a X'08' CRT RSA key<br>- the key specified is a retained key. The request will be routed to the specific coprocessor of the retained key.<br>- the key specified is a X'06' private modulus-exponent RSA key and the key use bits indicate signature only<br>- the key specified is a X'06' private modulus-exponent RSA key and the key use bits indicate key-management use and the SMK is equal to the KMMK<br>- the key specified is a X'06' private modulus-exponent RSA key and the key use bits indicate key-management use and the SMK is not equal to the KMMK<br>RSA keys with moduli greater than 2048-bit length are not supported. |
| IBM zSeries 990<br>IBM zSeries 890 | PCI X Cryptographic Coprocessor<br>Crypto Express2 Coprocessor | ECC not supported.<br>DSS tokens are not supported.<br>ZERO-PAD hash length is controlled by an access control point. When enabled, the hash length limit is 36 bytes. When disabled, the hash length limit is the modulus byte length of the RSA key. This access control point is always disabled and can only be enabled with TKE V4.0 or higher.<br>RSA keys with moduli greater than 2048-bit length are not supported. |
| IBM System z9 EC<br>IBM System z9 BC | Crypto Express2 Coprocessor | ECC not supported.<br>DSS tokens are not supported.<br>ZERO-PAD hash length is controlled by an access control point. When enabled, the hash length limit is 36 bytes. When disabled, the hash length limit is the modulus byte length of the RSA key. This access control point is always disabled and can only be enabled with TKE V4.0 or higher.<br>RSA key support with moduli within the range 2048-bit to 4096-bit requires the Nov. 2007 or later licensed internal code (LIC). |