This topic lists setup changes that should be considered when migrating
from an IBM eServer zSeries 900.
Consideration should be given to:
- The DATAC key type cannot be used on the newer servers.
- The PIN block format checking on the new cryptographic coprocessors is
more rigorous than with a CCF. For the CSNBPVR, CSNBPTR and CSNBCPA
services, the input PIN block must have the correct format as specified
in the PIN Profile parameter. On a CCF system, the PIN block format
checking is incomplete. For example, the REFORMAT processing mode of
PIN Translate (CSNBPTR) may now fail when it was previously successful
on a CCF. On a CCF, if input to the PIN verify service (CSNBPVR) is a
malformed encrypted PIN block, the service will fail with return code 4,
reason code 3028 (verification failed); on newer servers, the service
may fail with return code 8 and a reason code that indicates an invalid
PIN format.
- 512 to 2048 bit modulus for RSA keys is supported in all PKA services
except SET services (Set Block Compose and Set Block Decompose).
- All CCF functions are now executed on the coprocessors.
This may cause some impact on the performance of customer applications.
- Reason codes from the new servers may be different from
those returned by previous cryptographic hardware.
- On new servers, the requirement that the caller must be in
supervisor state to use NOCV tokens is lifted for the CKDS Key
Record Write (CSNBKRW) service.
- The z/OS SCHEDULE and IEAMSCHD macros are used to schedule SRBs.
On the newer servers, since there are no CCFs on the system,
applications should delete FEATURE=CRYPTO on the SCHEDULE and IEAMSCHD
macros or the SRB being scheduled will not run.
- External tokens that are export prohibited are imported differently
on z990 and later servers with PCIXCC or CCA Crypto Express
coprocessors. The imported internal token will have the same control
vector as the external token with export prohibited. These tokens
will only be usable on z990 and later servers with a PCIXCC/CEX2C
or on CCF systems with PCICCs. On previous hardware (CCF systems)
the imported internal token had a control vector that allowed export,
and export prohibition was enforced by the export flag in the token.
- Prohibit Export service can now be used for MAC and MACVER keys.
- A RACF check is added to the Key Generation Utility (CSFKGUP).
- The CSFKGUP utility exit control block has been changed for AES.
See Installation exits for the new format.
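
A pre-migration check for the SCHEDULE and IEAMSCHD item above, as an added example that is not part of the original documentation: it scans assembler source for SCHEDULE or IEAMSCHD invocations that still code FEATURE=CRYPTO, joining continued statements (non-blank column 72, continuation resuming at column 16). The function name, the sample source and its operands other than FEATURE=CRYPTO are constructed for illustration; operands containing quoted blanks are assumed not to occur.

```python
import re

MACROS = {"SCHEDULE", "IEAMSCHD"}
# FEATURE=CRYPTO as a complete keyword operand, not a substring of another one.
FEATURE = re.compile(r"(?:^|,)FEATURE=CRYPTO(?=,|$)")

def _stmt(text, cont=False):
    """Pad a sample line to column 71 and set the column-72 continuation mark."""
    return text.ljust(71) + ("X" if cont else "")

# Constructed sample source (not taken from the page).
SAMPLE = "\n".join([
    "* FEATURE=CRYPTO inside a comment line must be ignored",
    _stmt("         IEAMSCHD EPADDR=SRBRTN,PRIORITY=LOCAL,", cont=True),
    _stmt(" " * 15 + "FEATURE=CRYPTO"),
    _stmt("         SCHEDULE SRB=(1),SCOPE=LOCAL"),
    _stmt("RESCHED  SCHEDULE SRB=(1),SCOPE=LOCAL,FEATURE=CRYPTO"),
])

def find_crypto_feature(source):
    """Return [(line_no, macro)] for statements that still code FEATURE=CRYPTO."""
    hits, current = [], None            # current = [line_no, opcode, operands]
    for num, raw in enumerate(source.splitlines(), 1):
        line = raw.ljust(72)
        if current is None:
            if line.startswith(("*", ".*")) or not line.strip():
                continue                # comment or blank line
            fields = line[:71].split()
            if line[0] != " ":
                fields = fields[1:]     # drop the name (label) field
            opcode = fields[0].upper() if fields else ""
            operands = fields[1] if len(fields) > 1 else ""
            current = [num, opcode, operands]
        else:
            cont = line[15:71].split()  # continuation operands start in column 16
            current[2] += cont[0] if cont else ""
        if line[71] == " ":             # blank column 72: statement is complete
            if current[1] in MACROS and FEATURE.search(current[2].upper()):
                hits.append((current[0], current[1]))
            current = None
    return hits

if __name__ == "__main__":
    for line_no, macro in find_crypto_feature(SAMPLE):
        print(f"line {line_no}: {macro} still specifies FEATURE=CRYPTO")
```

Each reported line number is the first line of the statement, so a continued invocation is flagged where the macro name appears.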