ICSF: Determine if applications using hash services have archived hashes of long data

Description

With the service introduced by APAR OA43937, new Hash Method Rule keywords for the ICSF One-Way Hash Generate (CSNBOWH or CSNBOWH1 and CSNEOWH or CSNEOWH1) and PKCS11 One-Way Hash (CSFPOWH and CSFPOWH6) callable services support generation of legacy hash values, so that archived hash values generated by pre-OA43937 levels of HCR7770 and higher can still be verified.
Note: This correction of the hashing function does not apply to the case where the total length of text hashed over a series of chained calls exceeds 256 megabytes (or 512, as described later in this topic) but no single invocation supplies an input text_length that exceeds 256 (or 512) megabytes. Correct hashes are created, both before and after application of the PTFs for OA43937, whenever no single invocation of the callable services exceeds the described limit.

Applications that wish to verify archived hash values created by pre-OA43937 HCR7770 and higher releases of ICSF callable services One-Way Hash Generate and PKCS11 One-Way Hash may need to invoke these callable services with new rule array keywords that support the creation of legacy hash values. The hash generated using the new rule array keywords must be used to verify the archived hash values.

The ICSF callable services One-Way Hash Generate and PKCS11 One-Way Hash, sign, or verify have corrected the way they create hash values when a single invocation of one of these services supplies an input text_length that equals or exceeds 256 megabytes (512 megabytes on z990/z890 or later hardware on HCR7770). The hashing services are corrected by applying the PTFs for OA43937.

Table 1 provides more details about this migration action. Use this information to plan your changes to the system.

Table 1. Information about this migration action
Element or feature: Cryptographic Services.
When change was introduced: PTFs for OA43937, which are applicable to: ICSF FMIDs HCR7770 - HCR77A1 (z/OS V1R12 - z/OS V2R1).
Applies to migration from: ICSF FMIDs HCR7770 - HCR77A1, without the PTF for OA43937.
Timing: Before the first IPL of z/OS V2R2.
Is the migration action required? Yes, if you have archived hash values created before the installation of the PTFs for OA43937 which meet the length restrictions described here.
Target system hardware requirements: None.
Target system software requirements: None.
Other system (coexistence or fallback) requirements: None.
Restrictions: None.
System impacts: If you do not use the legacy rule array keywords for affected applications, then the application may fail to verify the legacy hashes/signatures.
Related IBM Health Checker for z/OS check: None.

Steps to take

Follow these steps:
  1. Identify whether your application needs to verify archived hash values created by either of the ICSF callable services One-Way Hash Generate (CSNBOWH or CSNBOWH1 and CSNEOWH or CSNEOWH1) or PKCS11 One-Way Hash (CSFPOWH and CSFPOWH6) on pre-OA43937 levels of HCR7770 and higher. (See the ICSF Application Programmer's Guide documentation changes in this APAR for the new ICSF callable service keywords that support the creation of hashes for the verification of archived hash values, and for the input text length requirements.)
  2. If your application has these archived hash values and intends to verify them, then the invocations of the ICSF callable services One-Way Hash Generate, PKCS11 One-Way Hash, sign, or verify that create hashes for verification of the archived hash values may need to be updated to use the new legacy rule array keywords (ONLY if those archived hash values were created with an input text length exceeding the limits described).
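As a worked illustration of the decision in these steps (an added example, not IBM's code and not part of this migration action), the following Python triage helper classifies an inventory of archived hash values according to the conditions stated above: the ICSF FMID range HCR7770 - HCR77A1, whether the OA43937 PTFs were applied when the hash was created, the single-invocation limit (256 MB, or 512 MB on z990/z890 or later hardware on HCR7770), and the text_length supplied on each chained call. The ArchivedHash and Verdict types, the classify and triage functions, and the sample records are all constructed for this example; the ordering of FMIDs by plain string comparison is an assumption noted in the code, and the legacy keyword names themselves are not given on this page and must be taken from the Application Programmer's Guide. A length that equals or exceeds the limit on a single call is treated as affected; the chained-call case from the Note is treated as unaffected.

```python
from dataclasses import dataclass
from typing import List

MB = 1024 * 1024

# FMID range the OA43937 PTFs apply to (HCR7770 - HCR77A1, per Table 1).
# Assumption: plain string comparison of FMIDs reflects release order
# ("HCR7790" < "HCR77A0" because '9' sorts before 'A'), which holds in this range.
FIRST_AFFECTED_FMID = "HCR7770"
LAST_AFFECTED_FMID = "HCR77A1"


@dataclass
class ArchivedHash:
    """One archived hash value and the conditions under which it was created.

    Every field has to be recovered from change records or application logs;
    nothing here is read from ICSF itself. (Constructed type for this example.)
    """
    hash_id: str
    fmid: str                   # ICSF FMID in effect when the hash was created
    oa43937_applied: bool       # were the OA43937 PTFs installed at creation time?
    single_call_limit_mb: int   # 256, or 512 (z990/z890 or later hardware on HCR7770)
    text_lengths: List[int]     # text_length supplied on each (chained) invocation


@dataclass
class Verdict:
    hash_id: str
    needs_legacy_keyword: bool
    reason: str


def classify(h: ArchivedHash) -> Verdict:
    """Decide whether verification must use the legacy Hash Method Rule keywords."""
    if not (FIRST_AFFECTED_FMID <= h.fmid <= LAST_AFFECTED_FMID):
        return Verdict(h.hash_id, False,
                       f"FMID {h.fmid} is outside HCR7770-HCR77A1; "
                       "not covered by this migration action")
    if h.oa43937_applied:
        return Verdict(h.hash_id, False,
                       "created after the OA43937 PTFs were applied; hash is already correct")
    limit = h.single_call_limit_mb * MB
    largest = max(h.text_lengths, default=0)
    if largest >= limit:  # a single invocation equals or exceeds the limit
        return Verdict(h.hash_id, True,
                       f"a single invocation supplied {largest // MB} MB "
                       f"(limit {h.single_call_limit_mb} MB); verify with the legacy keywords")
    total = sum(h.text_lengths)
    if total >= limit:  # the chained-call case from the Note: not affected
        return Verdict(h.hash_id, False,
                       f"chained total {total // MB} MB exceeds the limit but no single "
                       "invocation does; hash is correct, no legacy keywords needed")
    return Verdict(h.hash_id, False, "below the limit; hash is correct")


def triage(inventory: List[ArchivedHash]) -> List[Verdict]:
    """Classify every archived hash in an inventory."""
    return [classify(h) for h in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; the ids and sizes are not real data.
    sample = [
        ArchivedHash("img-01", "HCR7770", False, 256, [300 * MB]),            # affected
        ArchivedHash("img-02", "HCR7770", False, 256, [200 * MB, 200 * MB]),  # chained, fine
        ArchivedHash("img-03", "HCR77A1", True, 256, [300 * MB]),             # PTF on, fine
        ArchivedHash("img-04", "HCR7770", False, 512, [300 * MB]),            # 512 MB limit
    ]
    for v in triage(sample):
        flag = "LEGACY KEYWORDS" if v.needs_legacy_keyword else "ok"
        print(f"{v.hash_id}: {flag} - {v.reason}")
```

Only hashes flagged with needs_legacy_keyword need the application's verification path changed; everything else can keep using the corrected service as-is.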

Reference information

For more information, see z/OS Cryptographic Services ICSF Application Programmer's Guide.