ICSF Enhancements for HCR77C1 (Web Deliverable 17)
Bob Petti, z/OS ICSF Product Owner
On September 13th 2017, the z/OS ICSF team released their 17th downloadable web deliverable, Cryptographic Support for z/OS V2R1 - z/OS V2R3 (HCR77C1). The updates contained in this release vary from usability improvements such as an ISPF based browser for CKDS key material to integrated support for a PCI HSM configured CCA coprocessor.
Let’s take a look:
z14 CPACF enhancements
The latest ICSF release was in support of the new IBM z14 mainframe server which includes enhancements to the CP Assist for Cryptographic Functions (CPACF) feature:
- Support for SHA-3 hash algorithms, complementing the existing SHA-1 and SHA-2 algorithms. ICSF’s One Way Hash (CSNBOWH) callable service has been updated to support the SHA-3 and SHAKE options, taking advantage of the new hashing techniques.
- Support for a True Random Number Generation instruction. ICSF’s exploitation of this is transparent to the user. Internally, if ICSF is using CPACF instructions to load its random number cache, the new TRNG instruction will be used when running on IBM z14 processors. NOTE: ICSF draws random data from several sources depending on how the system is configured.
- Performance improvements that will improve the throughput of AES GCM encryption. While there are no new externals with this enhancements, workloads that make use of AES GCM should observe a performance improvement.
Support for a CEX6S coprocessor and CCA Release 6.0
With the release of z14 came the CEX6S crypto coprocessor and CCA Release 6.0 which allows a coprocessor to be configured in “PCI HSM” mode.
- “PCI HSM Compliant Mode” restricts DES keys to PCI HSM approved usage:
- Multi-use keys (e.g. Keys of type “DATA”) are not eligible for PCI HSM requests
- Single length (8-byte) DES keys are not eligible for PCI HSM requests.
- Keys must be wrapped using the “enhanced wrap” method. ECB wrapped keys are not eligible for PCI HSM requests.
- To make a key eligible for use in a PCI HSM compliant mode coprocessor, it must be “tagged” as PCI compliant
- The DES key token’s control vector has been updated to include a flag indicating whether a key is restricted to PCI HSM compliant use.
- New keys can be tagged at the time they are generated when a coprocessor has been configured in PCI HSM Compliance mode. Existing keys can be tagged using the Key Token Translate 2 (CSNBKTR2) callable service only when a coprocessor is in “migrate” mode.
- A DES key that is tagged is only usable by a compliant mode coprocessor. When ICSF detects a tagged DES key, it will route the request to an eligible coprocessor, or reject the request with an appropriate error code if no compliant mode coprocessor is available.
- NOTE: Requests that do not contain PCI HSM tagged keys can be routed to any coprocessor. Even a PCI HSM mode coprocessor will satisfy requests that contain non-tagged keys. This is referred to as “normal mode”. The PCI HSM restrictions only come into play for DES keys that have been tagged as PCI HSM compliant.
- ICSF supports a configuration option keyword COMPLIANCEWARN that causes SMF type 82 audit records to be generated for existing workloads indicating a request’s eligibility for PCI HSM compliance, allowing customers to determine what application and/or key changes will be needed in order to exploit a PCI HSM configured coprocessor.
- A TKE (“Trusted Key Entry”) workstation is required to administer a PCI HSM compliant coprocessor.
- In addition to PCI HSM support, CEX6S and CCA 6.0 also introduce the use of x.509 certificates in CCA.
- Certificate validation is done within the coprocessor. A TKE is used to manage root and signing certificates that are installed within the coprocessor.
- A new ICSF callable service – Public Infrastructure Request (CSNDPIC) – is available to generate PKCS#10 certificate requests.
- The Digital Signature Verify (CSNDDSV) callable service has been enhanced to accept an x.509 certificate to be used when verifying a signature.
An ISPF based browser for the CKDS
The Cryptographic Key Data Set (CKDS) is used to store symmetric key material – DES and AES key tokens. With HCR77C1, customers have access to an ISPF based key browser that can be used to list and perform basic management operations on key material, including for the first time the ability to generate a new key from an ISPF panel.
Secure Key Token Support for Format Preserving Encryption
The Field Level Encipher (CSNBFLE) and Field Level Decipher (CSNBFLD) callable services have been updated to accept a key specified as a secure key token. This “protected key” support retains the security of a key that has been encrypted by the CCA coprocessor’s master key, but the performance advantages of doing the encryption operations on the system’s CPACF feature.
A new way to monitor crypto usage statistics
With the introduction of ICSF HCR77C1, it is now possible for system administrators to monitor their system’s usage of cryptographic resources. When enabled, ICSF will generate new SMF records that can be used to indicate:
- Which applications are using different cryptographic features.
- If workloads are correctly balanced across their crypto features.
- When requests are satisfied in operating system software vs offloaded to HW features.
- Peak periods of crypto utilization
- The interplay between z/OS components and their use of cryptography
- Whether applications are not using recommended algorithms or keys
Crypto usage tracking can be enabled or disabled either with a new keyword in the ICSF Installation Options Dataset or with a new option on the SETICSF operator command. When enabled, new SMF type 82 records (subtype 31) will be created to accumulate statistics regarding crypto usage.
Improvements in auditing for CICS applications
When the new options dataset keyword CICSAUDIT(YES) is present, ICSF ensure the SMF records generated by SAF checks made on behalf of CICS crypto requests will contain the CICS client identity and the application id (APPLID).
Key Dataset List (CSFKDSL) Enhancements
The Key Dataset List (CSFKDSL and CSFKDSL6) service has been updated to accept a new rule array keyword that allows filtering based on key algorithm as well as a new output format to return more detailed information about the keys that satisfy the input search criteria.
Alleviation of 2038/2042 Date Restrictions
With HCR77C1, ICSF removes the restrictions associated with 2038/2042 time stamps. Where needed, a new timestamp has been appended to the bottom of ICSF SMF records containing a full 16-byte timestamp.
Regional Crypto Enablement for International Algorithms
ICSF’s support for RCE (Regional Crypto Enablement) was expanded in HCR77C1 to provide the common international algorithms DES, AES, RSA, and ECC.
Where to go for more information
The IBM download page has additional information on the ICSF release as well as links to the product publications. See here: