RACF RACDCERT TLS1.3 RSAPSS support

Description: RACF® is enhanced to support RSASSA-PSS (TLS 1.3 RSAPSS) in RACDCERT. The new function extends the RACF RACDCERT command from handling only certificates signed with a hash/signature algorithm pair to also handling the signature algorithm used in the ClientHello message of the TLS 1.3 protocol. The support includes the RACDCERT functions GENCERT, REKEY, LIST, LISTCHAIN, and CHECKCERT.

The newly supported algorithm is the RSA Probabilistic Signature Scheme (RSASSA-PSS), a signature algorithm that uses an RSA key. The new function requires that the parameters field of the AlgorithmIdentifier, when present, not be NULL; when there is no value, the field must be omitted rather than encoded as NULL.

Beginning in V2R4, RACDCERT stores the RSA private key in the PKDS protected by the ECC master key. As a result, the RACDCERT command with the RSA(PKDS) sub-keyword fails if the ECC master key is not active on the system.

The newly supported signature algorithms are:
  • SHA1RSAPSS
  • SHA224RSAPSS
  • SHA256RSAPSS
  • SHA384RSAPSS
  • SHA512RSAPSS
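The AlgorithmIdentifier rule described above, as an added example that is not IBM's or RACF's code: a small DER decoder that rejects an id-RSASSA-PSS signature AlgorithmIdentifier whose parameters field is NULL and maps its hashAlgorithm to the RACDCERT algorithm names listed above. The function names (`read_tlv`, `decode_oid`, `racf_pss_name`, `tlv`) are hypothetical and the sample identifier is constructed for the example; the hash-to-name mapping and the SHA-1 default for omitted RSASSA-PSS-params follow RFC 4055, not a RACF-documented behaviour.

```python
# Added example, not IBM code: decode a DER AlgorithmIdentifier, enforce "parameters
# present => not NULL" for id-RSASSA-PSS, and map hashAlgorithm -> RACDCERT name.
OID_PSS = "1.2.840.113549.1.1.10"                  # id-RSASSA-PSS
HASH_TO_RACF = {"1.3.14.3.2.26": "SHA1RSAPSS", "2.16.840.1.101.3.4.2.4": "SHA224RSAPSS",
                "2.16.840.1.101.3.4.2.1": "SHA256RSAPSS", "2.16.840.1.101.3.4.2.2": "SHA384RSAPSS",
                "2.16.840.1.101.3.4.2.3": "SHA512RSAPSS"}  # hashAlgorithm OID -> RACDCERT name

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Dotted-decimal text for OID content octets (first arc 0-2, second arc < 40)."""
    arcs, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def racf_pss_name(alg_id):
    """RACDCERT name for an RSASSA-PSS AlgorithmIdentifier; ValueError if rejected."""
    tag, seq, _ = read_tlv(alg_id)
    tag2, oid, pos = read_tlv(seq)
    if tag != 0x30 or tag2 != 0x06 or decode_oid(oid) != OID_PSS:
        raise ValueError("not an id-RSASSA-PSS AlgorithmIdentifier")
    if pos < len(seq):                              # parameters field is present
        tag, params, _ = read_tlv(seq, pos)
        if tag == 0x05:
            raise ValueError("RSASSA-PSS parameters must not be NULL")
        if params and params[0] == 0xA0:            # [0] EXPLICIT hashAlgorithm present
            _, hash_alg, _ = read_tlv(params)
            _, hash_seq, _ = read_tlv(hash_alg)     # AlgorithmIdentifier SEQUENCE
            _, hash_oid, _ = read_tlv(hash_seq)
            return HASH_TO_RACF[decode_oid(hash_oid)]
    return "SHA1RSAPSS"                             # omitted params or no [0]: RFC 4055 default

def tlv(tag, *parts):                               # short-form DER builder for the samples
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

# Constructed sample: id-RSASSA-PSS with SHA-256, MGF1(SHA-256), saltLength 32
PSS_OID = tlv(0x06, bytes.fromhex("2A864886F70D01010A"))
SHA256_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("608648016503040201")))
MGF1_SHA256 = tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D010108")), SHA256_ALG)
PSS_SHA256 = tlv(0x30, PSS_OID, tlv(0x30, tlv(0xA0, SHA256_ALG), tlv(0xA1, MGF1_SHA256),
                                    tlv(0xA2, tlv(0x02, b"\x20"))))
```

Running `racf_pss_name(PSS_SHA256)` yields `SHA256RSAPSS`, while the same identifier with `05 00` (NULL) in place of the parameters raises the NULL-parameters error.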

When change was introduced: z/OS® V2R4