z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


EZD1918I

z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)
SC27-3655-01

EZD1918I
A cryptographic key in use is too short for the chosen Auth or PRF algorithm when FIPS140 is enabled: key length keylen bytes, minimum required minlen bytes

Explanation

When Federal Information Processing Standard publication 140 (FIPS 140) support is enabled for the IKE daemon, all of the cryptographic keys that are used by the chosen authentication (Auth) or pseudo random function (PRF) algorithm must be at least half the length of the PRF digest size. These cryptographic keys can be the configured pre-shared key that is used for IKE authentication, or, if you are using Internet Key Exchange version 2 (IKEv2), they can be the keys that are used by the IKE daemon to internally generate keying material for a prior IKE SA.

In the message text:
keylen
The length of the key.
minlen
The minimum key length that is required for the chosen Auth or PRF algorithm.

System action

IKED phase 1 tunnel negotiation fails. IKE daemon processing continues.

Operator response

Contact the system programmer.

System programmer response

Examine the surrounding IKED messages in the syslogd log file to determine which tunnel is affected. The following criteria apply when FIPS 140 support is enabled for the IKE daemon:
  • If a pre-shared key is configured, it must be at least half as long as the key used by the configured Auth and PRF algorithms. If the pre-shared key is not that length, the IKED phase 1 tunnel negotiation fails, and message EZD1918I is issued. To prevent the negotiation from failing, modify the tunnel policy to configure a longer pre-shared key, or modify the tunnel policy to use an Auth or PRF algorithm with a shorter key. Policy changes must be coordinated across all endpoints that are involved in the tunnel negotiation.
  • You should not modify the policy for an active IKEv2 tunnel to specify a PRF algorithm that uses a key that is more than twice the length of the originally specified PRF algorithm. You need to deactivate the IKE tunnel before you make such a modification; otherwise, a refresh of the active tunnel might fail and message EZD1918I will be issued. For example, if you switch from the HMAC_SHA1 algorithm to the HMAC_SHA2_256 algorithm, message EZD1918I will be issued during the tunnel refresh, but if you switch from the HMAC_SHA2_256 algorithm to the HMAC_SHA1 algorithm, the message will not be issued.

See FIPS 140 and IP security in z/OS Communications Server: IP Configuration Guide for information about FIPS 140 support in your environment.

User response

Not applicable.

Problem determination

None.

Source

z/OS® Communications Server TCP/IP: IKE daemon

Module

icsf_hmac.cpp, IKEv2IKESAKEP.cpp

Routing code

Not applicable.

Descriptor code

Not applicable.

Automation

Not applicable.

Example

EZD1918I A cryptographic key in use is too short for the chosen Auth or PRF algorithm when FIPS140 is 
         enabled: key length 12 bytes, minimum required 16  bytes
Parent topic: EZD1xxxx messages

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014