IBM Support

OA47781: NEW FUNCTION - CCA ALGORITHM UPDATES

A fix is available


APAR status

  • Closed as new function.

Error description

  • New Function
    
    New algorithms for CCA callable services.
    - Support for RSAES-OAEP for PKA Encrypt (CSNDPKE) and
      PKA Decrypt (CSNDPKD)
    - Key Generate (CSNBKGN) - CIPHER/DATAC/DATAM - OP, IM, EX
    - Operational Key Load support for HMAC keys loaded from the
      TKE workstation
    - Master key verification patterns on ICSF Coprocessor Hardware
      status panel
    - Access control point offsets on the Domain Role panel
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users of ICSF                                *
    ****************************************************************
    * PROBLEM DESCRIPTION: Enhancements to ICSF:                   *
    *                                                              *
    *                      - Support for the RSAES-OAEP format for *
    *                        PKA Decrypt and PKA Encrypt.          *
    *                                                              *
    *                      - Support in Key Generate for CIPHER,   *
    *                        DATAC and DATAM keys in OP, IM or EX  *
    *                        form.                                 *
    *                                                              *
    *                      - Operational Key Load support for HMAC *
    *                        keys loaded from the TKE workstation. *
    *                                                              *
    *                      - Master key verification patterns on   *
    *                        ICSF Coprocessor Hardware Status      *
    *                        panel.                                *
    *                                                              *
    *                      - Access control point offsets on the   *
    *                        Domain Role panel.                    *
    *                                                              *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Support for the RSAES-OAEP formatting for the PKA Decrypt
    (CSNDPKD and CSNFPKD) and PKA Encrypt (CSNDPKE and CSNFPKE)
    services. SHA-1 and SHA-256 hashing is supported.
    
    New access control points are added for this support.
    These access controls can be used to disable a format for the
    services.
    
    DD - disabled by default in the domain role
    ED - enabled by default in the domain role
    
    Access control point name         Callable Service   Usage
    --------------------------------  -----------------  --------
    PKA Decrypt - Disallow PKCS-1.2   CSNDPKD/CSNFPKD     DD
    PKA Decrypt - Disallow ZEROPAD    CSNDPKD/CSNFPKD     DD
    PKA Decrypt - Disallow PKCSOAEP   CSNDPKD/CSNFPKD     DD
    PKA Encrypt - Disallow PKCS-1.2   CSNDPKE/CSNFPKE     DD
    PKA Encrypt - Disallow ZEROPAD    CSNDPKE/CSNFPKE     DD
    PKA Encrypt - Disallow MRP        CSNDPKE/CSNFPKE     DD
    PKA Encrypt - Disallow PKCSOAEP   CSNDPKE/CSNFPKE     DD
    
    Support in Key Generate (CSNBKGN and CSNEKGN) for
    CIPHER, DATAC and DATAM keys in OP, IM or EX form.
    The CIPHER, DATAC and DATAM key types can be generated as a
    single key in OP, IM, or EX form.
    
    Operational Key Load support for HMAC keys loaded from the
    TKE workstation.
    
    The TKE workstation will support the creation of HMAC keys
    in the same manner as DES and AES keys. HMAC keys will be
    limited to lengths of 128, 192, and 256 bits. ICSF will import
    these keys in the same manner as DES and AES keys. The
    Operational Key Load utility and KGUP (OPKYLOAD) will support
    the importation of HMAC key tokens into the CKDS.
    
    Master key verification patterns on ICSF Coprocessor
    Hardware Status panel.
    The verification and hash patterns on the ICSF Coprocessor
    Hardware Status panel are not in compliance with the ISO 11568
    International/Industry Standard. A new options data set
    keyword is added to allow customers to limit the number of
    hexadecimal digits displayed.
    
    MASTERKCVLEN( 2 or 3 or 4 or 5 or 6 or ALL )
    
    Defines the number of hexadecimal digits to display on the
    ICSF Coprocessor Hardware Status panel for the
    verification and hash patterns for the master keys. The patterns
    are also referred to as key check values. When an integer value
    is specified, that number of digits will be displayed. When ALL
    is specified, all digits will be displayed.
    
    The default is ALL.
    
    ICSF will add a new action to the Coprocessor Management panel:
     'V'      Causes the coprocessor CCA domain role to be displayed
              with access control offset.
    
    A new panel, CSFCMP32, will be displayed when action character V
    is used for a CCA coprocessor. The new panel will have an option
    to sort the access controls by the offset value.
    
    
    D/T2827
    D/T2828
    E2964/K
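
The "Disallow" access control points in the table above work in an inverted sense: enabling one in the domain role turns the named format off, so the DD default leaves every format usable. The following is an added example, not IBM code, that models this and checks a role against a site policy; the ACP names come from this page, while the function names, the sample role and the "OAEP only" policy are assumptions made for illustration.

```python
# Added example (not IBM code): model the "Disallow" access control points
# (ACPs) from the table. ACP names are from this page; inputs are constructed.
DISALLOW_ACPS = {
    "PKA Decrypt": ("PKCS-1.2", "ZEROPAD", "PKCSOAEP"),
    "PKA Encrypt": ("PKCS-1.2", "ZEROPAD", "MRP", "PKCSOAEP"),
}

def acp_name(service, fmt):
    return f"{service} - Disallow {fmt}"

def normalize(names):
    """Collapse whitespace so names copied from a panel or report compare equal."""
    return {" ".join(n.split()) for n in names}

def allowed_formats(enabled_acps):
    """Map each service to the formats still usable given the enabled ACPs.

    An ENABLED "Disallow" ACP turns the format off; other ACPs are ignored.
    """
    enabled = normalize(enabled_acps)
    return {
        service: [f for f in fmts if acp_name(service, f) not in enabled]
        for service, fmts in DISALLOW_ACPS.items()
    }

def policy_gaps(enabled_acps, permitted):
    """Compare a role with a site policy (assumption: a set of permitted formats).

    Returns (to_enable, blocking): ACPs still to be enabled to shut off
    non-permitted formats, and enabled ACPs that block a permitted format.
    """
    enabled = normalize(enabled_acps)
    to_enable, blocking = [], []
    for service, fmts in DISALLOW_ACPS.items():
        for fmt in fmts:
            name = acp_name(service, fmt)
            if fmt not in permitted and name not in enabled:
                to_enable.append(name)
            elif fmt in permitted and name in enabled:
                blocking.append(name)
    return to_enable, blocking

# Constructed role: two ACPs from the table plus one unrelated, made-up entry.
SAMPLE_ROLE = {
    "PKA Decrypt - Disallow  PKCS-1.2",
    "PKA Encrypt - Disallow PKCSOAEP",
    "Hypothetical unrelated ACP",
}
```

For the constructed role, `policy_gaps(SAMPLE_ROLE, {"PKCSOAEP"})` lists four ACPs that still need enabling and reports that `PKA Encrypt - Disallow PKCSOAEP` blocks the one permitted format.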
    

Problem conclusion

Temporary fix

Comments

  • Enhancements to ICSF
    ----------------------------------------------------------------
    Support for the RSAES-OAEP format for PKA Decrypt and PKA
    Encrypt.
    Support in Key Generate for CIPHER, DATAC and DATAM keys
    in OP, IM or EX form.
    Operational Key Load support for HMAC keys loaded from the
    TKE workstation.
    Master key verification patterns on ICSF Coprocessor
    Hardware Status panel.
    Access control point offsets on the Domain Role panel.
    
    A description of the enhancements for this APAR is documented
    in a PDF file, oa47781.pdf, available at
    ftp://public.dhe.ibm.com/eserver/zseries/zos/icsf/pdf/oa47781.pdf
    
    All of the enhancements included in this APAR will also be
    documented in the next release of the following ICSF
    publications:
    
         ICSF Administrator's Guide           SC14-7506
         ICSF System Programmer's Guide       SC14-7507
         ICSF Application Programmer's Guide  SC14-7508
    

APAR Information

  • APAR number

    OA47781

  • Reported component name

    ICSF/MVS

  • Reported component ID

    568505101

  • Reported release

    7A0

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function

  • Submitted date

    2015-05-06

  • Closed date

    2015-08-27

  • Last modified date

    2015-09-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UA78783 UA78784 UA78785

Modules/Macros

  • CSFCCVE  CSFCHP00 CSFCHP10 CSFCHP32 CSFCHP40
    CSFCHP50 CSFCMP00 CSFCMP32 CSFDCMGT CSFDCST  CSFDDFRL CSFDDMRL
    CSFDDOKE CSFDDOPT CSFDS63  CSFGCHP0 CSFGCMP0 CSFGICVE CSFINIT
    CSFKG450 CSFMIOPD CSFMIOP1 CSFNCOKL CSFNCPCI CSFNCPKD CSFNCPKE
    CSFSOP10 CSFVCHSS
    

Publications Referenced
SC147508XX SC147506XX SC147507XX SA22752216 SA22752117 SA22752017

Fix information

  • Fixed component name

    ICSF/MVS

  • Fixed component ID

    568505101

Applicable component levels

  • R7A0 PSY UA78783

       UP15/08/28 P F508

  • R7A1 PSY UA78784

       UP15/08/28 P F508

  • R7B0 PSY UA78785

       UP15/08/28 P F508

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
01 September 2015