Description: In z/OS V2R1, System SSL, when running in FIPS 140-2 mode, uses ICSF's random number generation and Diffie-Hellman support. Before running System SSL in FIPS 140-2 mode you must ensure that ICSF is running and that all user IDs that start SSL applications in FIPS 140-2 mode, invoke the gskkyman utility to manage FIPS 140-2 key database files, or invoke the GSKSRVR started task in FIPS mode have access to the necessary resources in the CSFSERV class.
When it is running in non-FIPS mode, System SSL uses its own implementation of Diffie-Hellman and does not require ICSF. Even in non-FIPS 140-2 mode, however, System SSL first attempts to use ICSF's random number generation, just as it does in FIPS 140-2 mode. If ICSF or the required CSFSERV resource is unavailable, System SSL falls back to its own random number generation capabilities as in earlier releases.
Element or feature: Cryptographic Services.
When change was introduced: z/OS V2R1.
Applies to migration from: z/OS V1R13 and z/OS V1R12.
Timing: Before the first IPL of z/OS V2R1.
Is the migration action required? Yes, if your installation runs System SSL in FIPS mode.
Target system hardware requirements: None.
Target system software requirements: None.
Other system (coexistence or fallback) requirements: None.
Restrictions: None.
System impacts: None.
Related IBM Health Checker for z/OS check: None.
Steps to take: To run System SSL in FIPS 140-2 mode, you must now make sure that ICSF is running and that all user IDs that start SSL applications in FIPS 140-2 mode, invoke the GSKSRVR started task in FIPS 140-2 mode, or invoke the gskkyman utility to manage FIPS 140-2 key database files can access the necessary ICSF callable services. Take the following steps:

1. Ensure that ICSF is started before any System SSL application runs in FIPS 140-2 mode. To check whether ICSF is active, enter one of the following operator commands:
DISPLAY A,CSF*
DISPLAY A,ALL

2. In z/OS V1R12 and V1R13, System SSL provides a capability to identify System SSL applications that are running in FIPS 140-2 mode and were started before ICSF was available. Identification of these applications is done by using the System SSL started task (GSKSRVR) and the z/OS tracking facility. This migration assistance support is delivered in APAR OA40816. See Brief overview of APAR OA40816 for more information.

3. To determine which RACF classes are currently active, enter the SETROPTS command with the LIST parameter specified:
SETROPTS LIST

4. If the CSFSERV class is active, give each of these user IDs READ access to the CSFSERV resources for the ICSF callable services that System SSL uses. For example, to permit user ID JASMINE to use the ICSF random number generate service, whose CSFSERV resource is CSFRNG:
PERMIT CSFRNG CLASS(CSFSERV) ID(JASMINE) ACCESS(READ)
If you do make changes, refresh the in-storage RACF profiles for the CSFSERV class:
SETROPTS RACLIST(CSFSERV) REFRESH

Brief Overview of APAR OA40816: The following is a brief overview of the APAR:
With APAR OA40816 applied, System SSL on z/OS V1R12 and V1R13 can identify System SSL applications that are running in FIPS 140-2 mode but were started before ICSF was available. These applications are identified through the System SSL started task (GSKSRVR) and the z/OS tracking facility; see z/OS MVS Planning: Operations for more information about the z/OS tracking facility. The following example of the tracking display (D O,TR) shows the entries that GSKSRVR records: GSK01058I (No ICSF for FIPS) and one GSK01059I entry naming each affected application:
12.43.50 d o,tr
12.43.50 CNZ1001I 12.43.50 TRACKING DISPLAY 788
STATUS=ON NUM=4 MAX=1000 MEM=n/a EXCL=0 REJECT=0
---- TRACKING INFORMATION---- -VALUE-- JOBNAME PROGNAME+OFF-- ASID NUM
GSK01058I No ICSF for FIPS. 00 GSKSRVR GSKSRVR D9D6 48 1
GSK01059I SSLAPP1 no ICSF. 00 GSKSRVR GSKSRVR DAB0 48 5
GSK01059I SSLAPP2 no ICSF. 00 GSKSRVR GSKSRVR DAB0 48 2
GSK01059I SUIMGVD9 no ICSF. 00 GSKSRVR GSKSRVR DAB0 48 1
------------------------------------------------------------------------
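As an added example (not part of this IBM page or of APAR OA40816), the following Python parser reads a constructed copy of the tracking display above and reports whether the tracking facility is active and which FIPS-mode applications were recorded as started without ICSF; the NUM column is assumed to be the number of times each event was recorded.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a DISPLAY OPDATA,TRACKING (D O,TR) display, modelled on
# the tracking display shown on this page; not captured from a real system.
SAMPLE_TRACKING_DISPLAY = """\
12.43.50 CNZ1001I 12.43.50 TRACKING DISPLAY 788
STATUS=ON NUM=4 MAX=1000 MEM=n/a EXCL=0 REJECT=0
---- TRACKING INFORMATION---- -VALUE-- JOBNAME PROGNAME+OFF-- ASID NUM
GSK01058I No ICSF for FIPS. 00 GSKSRVR GSKSRVR D9D6 48 1
GSK01059I SSLAPP1 no ICSF. 00 GSKSRVR GSKSRVR DAB0 48 5
GSK01059I SSLAPP2 no ICSF. 00 GSKSRVR GSKSRVR DAB0 48 2
GSK01059I SUIMGVD9 no ICSF. 00 GSKSRVR GSKSRVR DAB0 48 1
------------------------------------------------------------------------
"""

# Columns that follow the message text: VALUE JOBNAME PROGNAME+OFF ASID NUM.
# NUM is treated here as the number of times the event was recorded (assumption).
_TAIL = r"\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(\d+)\s*$"
_STATUS = re.compile(r"^STATUS=(ON|OFF)\b")
_GSK01058 = re.compile(r"^GSK01058I\s+No ICSF for FIPS\." + _TAIL)
_GSK01059 = re.compile(r"^GSK01059I\s+(\S+)\s+no ICSF\." + _TAIL)

@dataclass
class TrackingReport:
    tracking_active: bool                 # STATUS=ON: events are being recorded at all
    no_icsf_for_fips: int = 0             # GSK01058I occurrences (NUM summed)
    apps_without_icsf: dict = field(default_factory=dict)  # GSK01059I: app -> NUM

def parse_tracking_display(text: str) -> TrackingReport:
    """Pull the System SSL FIPS/ICSF entries out of a tracking display."""
    report = TrackingReport(tracking_active=False)
    for raw in text.splitlines():
        line = raw.strip()            # console continuation lines are indented
        if m := _STATUS.match(line):
            report.tracking_active = m.group(1) == "ON"
        elif m := _GSK01058.match(line):
            report.no_icsf_for_fips += int(m.group(1))
        elif m := _GSK01059.match(line):
            app, num = m.group(1), int(m.group(2))
            report.apps_without_icsf[app] = report.apps_without_icsf.get(app, 0) + num
    return report

def fips_apps_needing_icsf(text: str) -> list:
    """Sorted names of FIPS-mode SSL applications recorded as started before ICSF."""
    return sorted(parse_tracking_display(text).apps_without_icsf)
```

If the display shows STATUS=OFF, the tracking facility recorded nothing, so an empty application list proves nothing; turn tracking on first and check again.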
Reference information: For additional information about System SSL use of ICSF callable services, see z/OS Cryptographic Services System SSL Programming.
For additional information on the ICSF installation options file, see z/OS Cryptographic Services ICSF System Programmer's Guide.
For additional information about ICSF's CSFSERV resource class and the Installation Option Display panel, see z/OS Cryptographic Services ICSF Administrator's Guide.