System SSL: Ensure ICSF is available when running System SSL in FIPS 140-2 mode
Description
In z/OS V2R1, System SSL, when running in FIPS 140-2 mode, uses ICSF's random number generation and Diffie-Hellman support. Before running System SSL in FIPS 140-2 mode, you must ensure that ICSF is running and that every user ID that starts an SSL application in FIPS 140-2 mode, invokes the gskkyman utility to manage FIPS 140-2 key database files, or starts the GSKSRVR started task in FIPS mode has access to the required resources in the CSFSERV class.
When it is running in non-FIPS mode, System SSL uses its own implementation of Diffie-Hellman and does not require ICSF. Even in non-FIPS 140-2 mode, however, System SSL first attempts to use ICSF's random number generation, just as it does in FIPS 140-2 mode. If ICSF or the required CSFSERV resource is unavailable, System SSL falls back to its own random number generation, as in earlier releases.
Table 1 provides more details about this migration action. Use this information to plan your changes to the system.
| Element or feature: | Cryptographic Services. |
|---|---|
| When change was introduced: | z/OS V2R1. |
| Applies to migration from: | z/OS V1R13. |
| Timing: | Before the first IPL of z/OS V2R2. |
| Is the migration action required? | Yes, if your installation runs System SSL in FIPS mode. |
| Target system hardware requirements: | None. |
| Target system software requirements: | None. |
| Other system (coexistence or fallback) requirements: | None. |
| Restrictions: | None. |
| System impacts: | None. |
| Related IBM Health Checker for z/OS check: | None. |
Steps to take
To run System SSL in FIPS 140-2 mode, you must now make sure that ICSF is running and that every user ID that starts an SSL application in FIPS 140-2 mode, starts the GSKSRVR started task in FIPS 140-2 mode, or invokes the gskkyman utility to manage FIPS 140-2 key database files can access the necessary ICSF callable services.
- Make sure that ICSF is running. Assuming CSF is the name of the ICSF started task, you would enter:
  DISPLAY A,CSF*
  To display the status of all started tasks, you would enter:
  DISPLAY A,ALL
  In z/OS V1R13, System SSL provides the capability to identify System SSL applications that run in FIPS 140-2 mode and were started before ICSF was available. These applications are identified by using the System SSL started task (GSKSRVR) and the z/OS tracking facility. This migration assistance support is delivered in APAR OA40816. See Overview of APAR OA40816 for more information.
- System SSL applications that are running in FIPS 140-2 mode, the GSKSRVR started task when it is running in FIPS 140-2 mode, and the gskkyman utility (when managing FIPS 140-2 key database files) must be able to access ICSF's PKCS #11 Pseudo-random function callable service for random number generation. In addition, applications and the gskkyman utility must be able to access the following callable services to use ICSF's Diffie-Hellman capabilities:
  - PKCS #11 Token record create
  - PKCS #11 Derive key
  - PKCS #11 Generate key pair
  - PKCS #11 Generate secret key
  - PKCS #11 Get attribute value
  - PKCS #11 Token record delete
- Determine whether the CSFSERV class is active. If it is active, this class restricts access to the ICSF programming interface. If it is not active, access to the ICSF programming interface (and the necessary callable services) is unrestricted, and no configuration is necessary.
  To determine which RACF classes are currently active, enter the SETROPTS command with the LIST parameter specified:
  SETROPTS LIST
- If the SETROPTS LIST command shows that the CSFSERV class is active, use the RLIST command to identify the profile or profiles that cover the following resources:
- CSFRNG (which represents the PKCS #11 Pseudo-random function callable service)
- CSF1TRC (which represents the PKCS #11 Token record create callable service)
- CSF1DVK (which represents the PKCS #11 Derive key callable service)
- CSF1GKP (which represents the PKCS #11 Generate key pair callable service)
- CSF1GSK (which represents the PKCS #11 Generate secret key callable service)
- CSF1GAV (which represents the PKCS #11 Get attribute value callable service)
- CSF1TRD (which represents the PKCS #11 Token record delete callable service)
- If the RLIST command output reveals that a discrete or generic profile covers the resource, examine the command output to ensure that all RACF user IDs that might start System SSL applications in FIPS 140-2 mode have at least READ access to the resource. If necessary, use the PERMIT command to give the appropriate users or groups access. For example, if a discrete profile CSFRNG exists, the following command would give the user JASMINE access:
  PERMIT CSFRNG CLASS(CSFSERV) ID(JASMINE) ACCESS(READ)
  If you do make changes, refresh the in-storage RACF profiles for the CSFSERV class:
  SETROPTS RACLIST(CSFSERV) REFRESH
Overview of APAR OA40816
In z/OS V1R13, System SSL provides the capability to identify System SSL applications that run in FIPS 140-2 mode and were started before ICSF was available. These applications are identified by using the System SSL started task (GSKSRVR) and the z/OS tracking facility. See z/OS MVS Planning: Operations for more information about the z/OS tracking facility. The following tracking facility display shows the records that GSKSRVR writes:
12.43.50 d o,tr
12.43.50 CNZ1001I 12.43.50 TRACKING DISPLAY 788
STATUS=ON NUM=4 MAX=1000 MEM=n/a EXCL=0 REJECT=0
---- TRACKING INFORMATION---- -VALUE-- JOBNAME PROGNAME+OFF-- ASID NUM
GSK01058I No ICSF for FIPS. 00 GSKSRVR GSKSRVR D9D6 48 1
GSK01059I SSLAPP1 no ICSF. 00 GSKSRVR GSKSRVR DAB0 48 5
GSK01059I SSLAPP2 no ICSF. 00 GSKSRVR GSKSRVR DAB0 48 2
GSK01059I SUIMGVD9 no ICSF. 00 GSKSRVR GSKSRVR DAB0 48 1
------------------------------------------------------------------------
- The GSK01058I message is the generic message that is written to the z/OS tracking facility once for the life of the System SSL started task. It is issued the first time that either the System SSL started task or a System SSL application runs in FIPS 140-2 mode before ICSF is available.
- The GSK01059I messages identify each affected application; the NUM column counts how often it happened. In the display above, the SSLAPP1 job was started or submitted 5 times before ICSF was available.
- The SSLAPP2 job was started or submitted 2 times.
- The SUIMGVD9 job was started or submitted just 1 time.
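Reading the GSK01058I/GSK01059I records by eye works for four entries, but an installation that is checking many systems before the migration will want the same check scripted. The following Python script is an added example and is not IBM code: it parses the text of a D O,TR (DISPLAY OPDATA,TRACKING) display, flags whether the generic GSK01058I record is present, and totals the NUM column per application job name from the GSK01059I records, so the jobs that most often ran FIPS 140-2 System SSL before ICSF come out first. The record layout it assumes is the one shown in the display above (message id, free text, VALUE, JOBNAME, PROGNAME, offset, ASID, NUM), and the embedded sample is constructed from that display.

```python
"""Find System SSL jobs that ran in FIPS 140-2 mode before ICSF was available,
from the GSK01058I / GSK01059I records in a z/OS tracking facility display.

Added example, not IBM code. The record layout is assumed from the display
shown on this page; the sample display below is constructed from it."""
import re

# Constructed sample, copied from the D O,TR display on this page.
SAMPLE_DISPLAY = """\
12.43.50 CNZ1001I 12.43.50 TRACKING DISPLAY 788
STATUS=ON NUM=4 MAX=1000 MEM=n/a EXCL=0 REJECT=0
---- TRACKING INFORMATION---- -VALUE-- JOBNAME PROGNAME+OFF-- ASID NUM
GSK01058I No ICSF for FIPS. 00 GSKSRVR GSKSRVR D9D6 48 1
GSK01059I SSLAPP1 no ICSF. 00 GSKSRVR GSKSRVR DAB0 48 5
GSK01059I SSLAPP2 no ICSF. 00 GSKSRVR GSKSRVR DAB0 48 2
GSK01059I SUIMGVD9 no ICSF. 00 GSKSRVR GSKSRVR DAB0 48 1
"""

# One tracking record: message id, free text, VALUE (2 hex digits), JOBNAME,
# PROGNAME, offset (hex), ASID (hex) and NUM (decimal occurrence count).
# Anchoring at both ends lets the lazy text group absorb the free text.
RECORD_RE = re.compile(
    r"^(?P<msgid>GSK0105[89]I)\s+(?P<text>.+?)\s+(?P<value>[0-9A-F]{2})\s+"
    r"(?P<jobname>\S+)\s+(?P<progname>\S+)\s+(?P<offset>[0-9A-F]+)\s+"
    r"(?P<asid>[0-9A-F]+)\s+(?P<num>\d+)\s*$"
)


def parse_tracking_display(text):
    """Return (generic_seen, counts).

    generic_seen is True when a GSK01058I record is present, i.e. FIPS 140-2
    System SSL work ran before ICSF at least once in the life of this GSKSRVR.
    counts maps each application job name taken from a GSK01059I record to its
    NUM column, the number of times that job started without ICSF."""
    generic_seen = False
    counts = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # header, STATUS line, separator or unrelated records
        if m.group("msgid") == "GSK01058I":
            generic_seen = True
            continue
        # GSK01059I free text reads "<jobname> no ICSF."; the job is the first word.
        app = m.group("text").split()[0]
        counts[app] = counts.get(app, 0) + int(m.group("num"))
    return generic_seen, counts


def jobs_to_fix(text):
    """Job names whose start must be ordered after ICSF (or whose user IDs need
    CSFSERV access), most frequent offenders first, ties by name."""
    _, counts = parse_tracking_display(text)
    return sorted(counts, key=lambda job: (-counts[job], job))


if __name__ == "__main__":
    seen, counts = parse_tracking_display(SAMPLE_DISPLAY)
    print("GSK01058I present:", seen)
    for job in jobs_to_fix(SAMPLE_DISPLAY):
        print(f"{job:<8} started {counts[job]} time(s) before ICSF was available")
```

Feed it the captured output of the display command from the console log or a SYSLOG extract; a display without any GSK0105xI record yields `(False, {})`, which is the state you want to reach before the first IPL of the new release.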
Reference information
- For information about System SSL use of ICSF callable services, see z/OS Cryptographic Services System SSL Programming.
- For information about the ICSF installation options file, see z/OS Cryptographic Services ICSF System Programmer's Guide.
- For information about the ICSF CSFSERV resource class and the Installation Option Display panel, see z/OS Cryptographic Services ICSF Administrator's Guide.