This document contains information previously presented in z/OS ICSF Administrator's Guide, SA22-7521-14,
which supports z/OS Version 1 Release 12.
This document is for ICSF FMID HCR7780. This release of ICSF runs
on z/OS V1R10, z/OS V1R11, and z/OS V1R12, and only on zSeries hardware.
New information
- Added support for IBM zEnterprise 196 (z196) Servers.
- Added information on HMAC key support. HMAC key support is to
be enabled with the PTF for APAR OA33260.
The HMAC keys are variable-length
(80-2024 bit) symmetric keys protected by the AES master key and used
to generate and verify MACs using the FIPS-198 algorithm. To support
these variable-length keys, a new variable-length record format is
available for CKDS records. To store HMAC keys in the CKDS, the CKDS
must first have been converted to the variable-length record format.
ICSF provides a CKDS conversion program, CSFCNV2, that converts a
fixed-length record format CKDS to a variable-length record format.
For more information on this utility, refer to z/OS Cryptographic Services ICSF System Programmer’s Guide.
- Added support for an enhanced method of symmetric key wrapping
that is designed to be ANSI X9.24 compliant. Using the enhanced method,
the key value for keys is bundled with other token data and encrypted
using triple DES encryption and cipher block chaining mode. See DES key wrapping for more information.
A CKDS conversion utility is
provided to convert all tokens in the CKDS to use either the original
or the enhanced wrapping method. Refer to Rewrapping DES key token values in the CKDS
using the utility program CSFCNV2 for more information.
- Added support for ECC master keys.
Changed information
- Modified the description of the ICSF Utility Program CSFPUTIL.
This utility can no longer be used to initialize a PKDS. It can still
be used to reencipher a PKDS and to refresh the in-storage copy of
the PKDS.