Cryptographic Support for z/OS V2R2 - z/OS V2R4 (HCR77D1)
This download provides ICSF support for:
- The new Crypto Express7S adapter, configured as a CCA coprocessor, an EP11 coprocessor, or as an accelerator. With the IBM z15, a system can host three generations of Crypto Express coprocessors simultaneously: the CEX5, CEX6, and CEX7.
- A new SMF record whenever a master key is changed. Certain compliance regulations mandate the periodic rotation of encryption keys, including the master keys loaded into coprocessors. As part of the master key change process, an SMF record is now written every time a new master key is promoted to the current master key during the change master key ceremony.
- A health check that verifies a system's ability to use the NIST recommended PKCS PSS signature algorithms. Because it is not obvious that the ECC master key is required when generating and using RSA keys enabled for PKCS PSS signatures, the health check highlights the need for this additional master key before the recommended algorithms can be used.
- New quantum safe algorithms for signing and verification operations. With this release of ICSF, it is now possible to use quantum safe algorithms for digital signature operations, including the ability to generate and store new keys. These algorithms are clear key only and are available via the PKCS#11 interfaces only at this time.
- ICSF enhancements for Crypto Express5S (CCA Release 5.5) and Crypto Express6S (CCA Release 6.3):
  - New services in support of ANSI TR-34 Remote Key Loading
  - PCI Compliance for AES and RSA keys
  - New PIN services for DK customers
  NOTE: These functions were made available on HCR77D0 with PTFs for APAR OA57089.
Note: Before you install Cryptographic Support for z/OS V2R2 – z/OS V2R4 (HCR77D1), make sure that you review the current Preventive Service Planning (PSP) information (ZOSV2R2/ZOSV2R3/ZOSV2R4 PSP Bucket, subset ICSF77D1).
Publications for this web deliverable are available: z/OS Cryptographic Support Publications for ICSF FMID HCR77D1
The optional Trusted Key Entry Workstation is described in: Cryptographic Services ICSF Trusted Key Entry Workstation User's Guide
The IBM Crypto Education Community provides detailed explanations and samples pertaining to IBM cryptographic technology.
Cryptographic Support for z/OS V2R2 - z/OS V2R3 (HCR77D0)
This download provides ICSF support for:
ICSF enhancements for Crypto Express5S (CCA Release 5.4 and later) and Crypto Express6S (CCA Release 6.1 and later):
- ISO-4 format PIN blocks as described in the ISO-9564-4 standard. In addition to a new service, PIN Translate 2 (CSNBPTR2), the following services will be updated to support ISO-4 format PIN blocks: Clear PIN Encrypt (CSNBCPE), DK PIN Verify (CSNBDKPV), DK PIN Change (CSNBDKPC), DK PAN Modify in Transaction (CSNBDKMT).
- Three-key TDES keys. Currently, only DATA key types are available as 3-key TDES keys. This enhancement allows the following key types to be operational as a 3-key TDES key: CIPHER, ENCIPHER, DECIPHER, EXPORTER, IMPORTER, MAC, MACVER, IPINENC, OPINENC, PINGEN, PINVER.
- DK Key Diversification. The German Banking Industry Committee (GBIC) has introduced a new key diversification scheme in which a single diversification key can be used to generate keys with different key usage attributes. A new key type, KDKGENKY, is introduced, as well as a new callable service, Diversify Directed Key (CSNBDDK). The following callable services are updated in support of DK Key Diversification: Diversified Key Generate 2 (CSNBDKG2), Key Token Build 2 (CSNBKTB2), Key Generate 2 (CSNBKGN2).
- ISO-20038 Key Wrapping. In support of the ISO-20038 standard, the TR-31 Import (CSNBT31I) and TR-31 Export (CSNBT31X) callable services will be updated to use AES IMPORTER and EXPORTER key types for key wrapping.
- Symmetric keys can now be restricted from being eligible for use as CPACF protected keys. With updated flags in the control vector, a key can be marked as either eligible or ineligible for export for CPACF use as a protected key. In addition, CCA 6.2 allows 3-key TDES keys to be "tagged" so that they are restricted to PCI HSM compliant usage.
Additional enhancements to ICSF available in this download provide support for:
- CCA redirection for Regional Crypto Enablement. Certain CCA callable services will have the ability to direct the request to a regional crypto device. This enhancement introduces the concept of "RCS Redirection" through a new XFACILIT resource, and adds the concept of an "RCS Token" to existing symmetric key token types.
- ChaCha20 and Poly1305 algorithms. These new algorithms will be available via the PKCS#11 interfaces and clear key only.
- Dynamic Service Update. Service can be applied to a running ICSF instance without interrupting its applications. When ICSF service is available on a system, a new operator command allows running requests to finish, pauses incoming requests, prepares ICSF to restart with the service libraries, and then stops ICSF. Through system automation (preferred), ICSF is restarted and the paused requests are resumed without a visible interruption.
- Early ICSF. ICSF can now start much earlier in the IPL process, so that ICSF is available for work as early as full function start. ICSF also adds new ways to provide installation options via a more standard PARMLIB interface.
- KGUP and SAF profile prefixing. KGUP can be made to honor CSFKEYS resource profiles, configured to require higher permission when performing destructive operations on an existing key (such as UPDATE or DELETE), permit a user or group to a CSFKEYS resource but only for specific callable services, and have ICSF prepend a system name to a CSFKEYS resource prior to the SAF check.
- A new ISPF browser added for the PKDS.
- The 32-byte limit on the CKA_LABEL attribute of PKCS#11 key objects has been lifted.
- The CSNBKYT service now accepts the CKDS label of a clear key.
- The key verification pattern written to SMF records after a successful Operational Key Load function now honors the MASTERKCVLEN keyword in the ICSF installation options data set.
- The Operational Key Load ISPF panel utility now allows the key wrapping scheme to be specified when importing the key.
- A new BSI mode, BSI 2017, has been added to the EP11 coprocessor.
- The PKCS#11 Wrap Key (CSFPWPK) and PKCS#11 Unwrap Key (CSFPUWK) callable services have been updated to accept AES-GCM as a key wrapping mechanism for secret and private clear keys.
- A new DISPLAY ICSF, MKVPs operator command displays the master key verification patterns recorded in the ICSF key data stores alongside the same MKVPs in the online crypto coprocessors, so that discrepancies can be detected.
Note: Before you install Cryptographic Support for z/OS V2R2 - z/OS V2R3 (HCR77D0), make sure that you have reviewed the current Preventive Service Planning (PSP) information (ZOSV2R2/ZOSV2R3 PSP Bucket, subset ICSF77D0).
Restrictions:
PTFs for the following APARs are available:
- OA56421, PH04377
- OA56463, OA56500, OA56501, OA56502, OA56578, PH05032: SAF profile prefixing is no longer restricted.
- OA56604, OA56605: Dynamic Service Update is no longer restricted.
Publications for this web deliverable are available: z/OS Cryptographic Support publications for ICSF FMID HCR77D0.
The optional Trusted Key Entry Workstation is described in: Cryptographic Services ICSF Trusted Key Entry Workstation User's Guide (SC14-7511-08).
The IBM Crypto Education Community provides detailed explanations and samples pertaining to IBM cryptographic technology.
Cryptographic Support for z/OS V2R1 - z/OS V2R3 (HCR77C1)
This download is no longer available and has been replaced by the Cryptographic Support for z/OS V2R2 - V2R4 (HCR77D1) Web deliverable.
Cryptographic Support for z/OS V2R1 - z/OS V2R2 (HCR77C0)
This download is no longer available and has been replaced by the Cryptographic Support for z/OS V2R2 - V2R4 (HCR77D1) Web deliverable.
Cryptographic Support for z/OS V1R13 - z/OS V2R2 (HCR77B1)
This download is no longer available and has been replaced by the Cryptographic Support for z/OS V2R2 - V2R4 (HCR77D1) Web deliverable.
Enhanced Cryptographic Support for z/OS V1R13 - z/OS V2R1 (HCR77B0)
This download is no longer available and has been replaced by the Cryptographic Support for z/OS V2R2 - V2R4 (HCR77D1) Web deliverable.
Cryptographic Support for z/OS V1R13 - z/OS V2R1 (HCR77A1)
This download is no longer available and has been replaced by the Cryptographic Support for z/OS V2R1 - V2R3 (HCR77C1) Web deliverable.
Cryptographic Support for z/OS V1R12-V1R13 (HCR77A0)
This download is no longer available and has been replaced by the Cryptographic Support for z/OS V2R1 - V2R3 (HCR77C1) Web deliverable.
Cryptographic Support for z/OS V1R11-V1R13 (HCR7790)
This download is no longer available and has been replaced by the Cryptographic Support for z/OS V2R1 - V2R2 (HCR77C0) Web deliverable.
Cryptographic Support for z/OS V1R10-V1R12 (HCR7780)
This download is no longer available and has been replaced by the Cryptographic Support for z/OS V2R1 - V2R2 (HCR77C0) Web deliverable.
Cryptographic Support for z/OS V1R9-V1R11
This download is no longer available and has been replaced by the Cryptographic Support for z/OS V1R11-V1R13 Web deliverable.
Cryptographic Support for z/OS V1R8-V1R10 and z/OS.e V1R8
This download is no longer available and has been replaced by the Cryptographic Support for z/OS V1R11-V1R13 Web deliverable.
Cryptographic Support for z/OS V1R7-V1R9 and z/OS.e V1R7-V1R8
This download is no longer available and has been replaced by the Cryptographic Support for z/OS V1R10-V1R12 Web deliverable.
Cryptographic support for z/OS V1R6/R7 and z/OS.e V1R6/R7
This download is no longer available and has been replaced by the Cryptographic Support for z/OS V1R10-V1R12 Web deliverable.
Enhancements to Cryptographic Support for z/OS and z/OS.e V1R6/R7
This download is no longer available and has been replaced by the Cryptographic Support for z/OS V1R10-V1R12 Web deliverable.
Last modified: 1 Oct 2018