PTF Cover Letter
PTF (Program Temporary Fixes) Cover Letter
OSP-CCA CSNDPKX ERROR 8/47 WITH AES MODULUS-EXPONENT FORMAT
Pre/Co-Requisite PTF / Fix List
REQ   LICENSED             PTF/FIX  LEVEL
TYPE  PROGRAM   RELEASE    NUMBER   MIN/MAX  OPTION
----  --------  ---------  -------  -------  ------
PRE   5770999   V7R2M0     MF62827  00/00    0000
DIST  5733CY3   V7R2M0     SI63440  NONE     0000
DIST  5770SS1   V7R2M0     SI63095  NONE     0034
NOTICE:
-------
Application of this PTF may disable or render ineffective programs that
use system memory addresses not generated by the IBM translator,
including programs that circumvent control technology designed to limit
interactive capacity to purchased levels. This PTF may be a prerequisite
for future PTFs. By applying this PTF you authorize and agree to the
foregoing.
This PTF is subject to the terms of the license agreement which
accompanied, or was contained in, the Program for which you are obtaining
the PTF. You are not authorized to install or use the PTF except as part
of a Program for which you have a valid Proof of Entitlement.
SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY
AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT
AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT,
REGARDING THE PTF.
The applicable license agreement may have been provided to you in printed
form and/or may be viewed using the Work with Software Agreements (WRKSFWAGR)
CL command.
APAR Error Description / Circumvention
-----------------------------------------------
Using CCA API CSNDPKX to extract a public key that was generated
using option RSA-AESM results in return code 8 reason code 47
which means the source key token is unusable because it contains
data that is not valid or is undefined.
CORRECTION FOR APAR SE70425 :
-----------------------------
The CSNDPKX API is updated to support the key token format.
CIRCUMVENTION FOR APAR SE70425 :
--------------------------------
None.
Activation Instructions
If you are not using or do not intend to use a cryptographic
coprocessor, nothing further needs to be done.
There are 3 master key registers: New, Current, and Old.
When "Loading" master key parts, only the New master key register
gets updated. The Current and Old registers are not changed.
When "Setting" master key parts, the Current master key gets moved
to the Old master key register, and the New master key gets moved to
the Current master key register.
When "Re-encrypting" keys in a keystore that are encrypted with a
master key, the Old master key is used to decrypt the keys, the
Current master key is used to encrypt the keys. It is therefore very
important to re-encrypt keys residing in a keystore immediately after
setting the master key to ensure the correct Old master key is
accessible for decryption.
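The register behaviour described above can be modelled in a few lines. This is an added example, not IBM code and not the CCA API: the wrap function is a toy stand-in for master-key encipherment, combining key parts by XOR is an assumption of the model, and all names and key values are constructed.

```python
import hashlib, hmac

def _stream(mk, n):
    return hashlib.sha256(b"wrap" + mk).digest()[:n]

def wrap(mk, key):
    # Toy wrap for this model only (not CCA's token format): XOR keystream + HMAC tag.
    body = bytes(a ^ b for a, b in zip(key, _stream(mk, len(key))))
    return body + hmac.new(mk, body, hashlib.sha256).digest()

def unwrap(mk, token):
    body, tag = token[:-32], token[-32:]
    if mk is None or not hmac.compare_digest(tag, hmac.new(mk, body, hashlib.sha256).digest()):
        raise ValueError("token is not enciphered under this master key")
    return bytes(a ^ b for a, b in zip(body, _stream(mk, len(body))))

class Coprocessor:
    def __init__(self, current):
        self.new, self.current, self.old = None, current, None

    def load(self, *parts):
        # "Load": only the New register changes. XOR-combining parts is an assumption.
        self.new = bytes(32)
        for p in parts:
            self.new = bytes(a ^ b for a, b in zip(self.new, p))

    def set(self):
        # "Set": Current moves to Old, New moves to Current.
        if self.new is None:
            raise RuntimeError("New register is empty")
        self.old, self.current, self.new = self.current, self.new, None

    def reencrypt(self, store):
        # "Re-encrypt": decrypt with Old, encrypt with Current.
        return {k: wrap(self.current, unwrap(self.old, t)) for k, t in store.items()}

def part(n):
    # Constructed 32-byte key part (four 8-byte values); not a real key.
    return hashlib.sha256(b"constructed part %d" % n).digest()

def rotate(sets_before_reencrypt):
    cp = Coprocessor(part(0))
    store = {"APPKEY1": wrap(cp.current, b"0123456789abcdef")}
    for i in range(sets_before_reencrypt):
        cp.load(part(3 * i + 1), part(3 * i + 2), part(3 * i + 3))
        cp.set()
    try:
        store = cp.reencrypt(store)
        return unwrap(cp.current, store["APPKEY1"])
    except ValueError as e:
        return "FAILED: " + str(e)
```

rotate(1) recovers the application key under the new Current master key; rotate(2) fails because the second Set pushed the key that enciphered the keystore out of the Old register before Re-encrypt ran.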
The following steps describe how to load and set the master key parts.
If you have an APKA master key in addition to an AES master key, you
may set the APKA master key parts after setting the AES master key
so the re-encrypt process is only run once. The process to load, set,
and re-encrypt keys is performed using the Cryptographic Coprocessor
Configuration web-based utility, found by clicking the IBM i Tasks page
link on the IBM Navigator for i welcome page at
http://server-name:2001.
- Click on "Manage configuration".
- Click on "Master keys" and provide information to manage keys on
desired coprocessor.
- Click on "Load".
- Select "AES" and click on "Manual load".
- Fill in the four 8-byte values and click "Continue" to set the
First key part.
- Repeat to set the Middle and Last key parts, and then click
"Done".
- Click "Set", select "AES", and then click "Continue" to have the
new master key set as the current master key.
- Click "Done" to complete the Master key entering process.
- Click on "AES keys", specify the key store name and library, and
click "Continue" to manage the existing AES keys.
- Click on "Re-encrypt" and provide profile information, then click
"Re-encrypt" to have the keys enciphered using the current master
key.
APKA master keys are used to encrypt Elliptic Curve Cryptography (ECC)
keys and RSA with Object Protection Keys (OPK). These keys reside in
the AES keystore. To re-encrypt these keys with a new APKA master key,
follow the process above specifying to load and set the APKA master
key instead of an AES master key, and then re-encrypt keys in the AES
keystore.
If you have keys that are not in a keystore or if you would prefer to
write your own application to re-encrypt keys, you can do so by using
the key token change (CSNBKTC and CSNDKTC) API verbs.
Special Instructions
********************************************************************
THE FOLLOWING ARE SUPERSEDED SPECIAL INSTRUCTIONS. IF THE SUPERSEDED
PTF HAS ALREADY BEEN APPLIED AND ITS SPECIAL INSTRUCTION FOLLOWED,
IT IS NOT NECESSARY TO FOLLOW THAT SPECIAL INSTRUCTION AGAIN.
********************************************************************
SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI64296 :
=================================================
After applying or removing this PTF,
end and restart the HTTP administration server.
If you are not using or do not intend to use a cryptographic
coprocessor, nothing further needs to be done.
If you are using or intend to use a cryptographic coprocessor, follow
these steps:
- End all jobs that are using the CCA APIs in 5770SS1 Option 35.
This includes the *ADMIN server instance.
- Load and apply the PTF.
- Start the jobs again.
Run the following CL command to determine if any jobs are currently
using any type of cryptographic coprocessor:
WRKCFGSTS *DEV *CRP
If there are jobs using a cryptographic coprocessor, end and then start
them again after applying this PTF.
Default Instructions
THIS PTF CAN BE APPLIED IMMEDIATE OR DELAYED.
Supersedes
PTF/FIX NO(S).  APAR TITLE LINE
--------------  ------------------------------------------------------------
SI64296         OSP-CRYPTO: AES MASTER KEY NOT LOADED WITH CORRECT KEY PARTS
SI64321         CCA Updates for 4.4 and 5.3 verbs
SI63797         OSP-SECURITY CCA APIs UPDATED FOR D/T 4765, 4767
SI63272         OSP-SECURITY APIs UPDATED FOR DEVICE 4767
SI63097         CRYPTO: Native support for Sentry Cryptographic Co-processo
SI52232         CCA-INCORROUT RE-ENCRYPT FUNCTION IN CCA CRYPTO GUI FAILS
SI52232         CCA Reencrypt of PKA files fails in Crypto GUI
SI51335         CCA CSNBKPI2 return reason code 8/343
Summary Information
System:            i
Models:
Release:           V7R2M0
Licensed Program:  5770SS1
APAR Fixed:        SE70425
Superseded by:     PTF SI77983
Recompile:         N
Library:           QCCA
MRI Feature:       NONE
Cum Level:         C9123720
IBM disclaims all warranties, whether express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. By furnishing this document, IBM grants no licenses to any related patents or copyrights. Copyright © 1996,1997,1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 IBM Corporation. Any trademarks and product or brand names referenced in this document are the property of their respective owners. Consult the Terms of use link for trademark information.
Document Information
Modified date: 02 December 2021