Subtype 2

This is a signature record that represents a signature interval and is consumed for signature verification by the IFASMFDL and IFASMFDP utilities.

The SMF type 2 subtype 2 record is mapped as follows.

Offsets Name Length Format Description
0 0 SMF2ILEN 2 binary Record length. This field and the next field (total of 4 bytes) form the record descriptor word (RDW). See Standard and extended SMF record headers for a detailed description.
2 2 SMF2ISEG 2 binary Segment descriptor (see record length field).
4 4 SMF2IFLG 1 binary System indicator:
Bit
Meaning when set
0
Reserved.
1
Subtypes are valid.
2–7
Reserved.
5 5 SMF2IRTY 1 binary Record type 2 (X'02').
6 6 SMF2ITME 4 binary Time since midnight, in hundredths of a second, of the interval.
10 A SMF2IDTE 4 packed Date of the interval, in the form 0cyydddF. See Standard and extended SMF record headers for a detailed description.
14 E SMF2ISID 4 EBCDIC System identification: DUMY
18 12 SMF2IWID 4 EBCDIC Subsystem identification.
22 16 SMF2ISTP 2 binary Subtype 2 (X'0002').
24 18 SMF2IRSID 4 EBCDIC The interval's SID.
28 1C SMF2IFLG2 1 binary Start of changeIntervalEnd of change indicators:
Bit
Meaning when set
0
First interval written.
1
Interval's subtype is valid.
2
This interval is the result of a HALT.
3
This interval contains new cryptography options.
4
Start of changeWhen on, this interval's type is in SMF2IRTYPX.
When off, this interval's type is in SMF2IRTYPE.
This bit will always be on for records generated on a z/OS 2.3 or later system. End of change
Start of change5End of change
Start of changeThis is a "close interval" that occurs at midnight of the end of day.End of change
6
This record was generated on a system where the fix for APAR OA55526 was applied.
Start of changeThis bit will always be on for records generated on a z/OS 2.4 or later system.End of change
7
When on, this record contains a self-defining section.
29 1D SMF2IRTYPE 1 binary The record type for this interval.
Start of changeThis field is only filled in when bit 4 of SMFIGFLG2 is off.End of change
30 1E SMF2ISTYPE 2 binary The record subtype for this interval.
32 20 SMF2IFTME 4 binary Time since midnight, in hundredths of a second, of the first record in the interval.
36 24 SMF2IFDTE 4 EBCDIC Date of the first record in the interval, in the form 0cyydddF. See Standard and extended SMF record headers for a detailed description.
40 28 SMF2ILTME 4 binary Time since midnight, in hundredths of a second, of the last record in the interval.
44 2C SMF2ILDTE 4 EBCDIC Date of the last record in the interval, in the form 0cyydddF. See Standard and extended SMF record headers for a detailed description.
48 30 SMF2INTME 4 binary Time since midnight, in hundredths of a second, of the next interval.
52 34 SMF2INDTE 4 EBCDIC Date of the next interval, in the form 0cyydddF. See Standard and extended SMF record headers for a detailed description.
56 38 SMF2ICNT 4 binary The number of records in this signature interval.
60 3C SMF2IHASHMETH 1 binary A bit array indicating the hash method used for this Start of changeintervalEnd of change.
Bit
Meaning when set
0
SHA1
1
SHA256
2
SHA384
3
SHA512
4–7
Reserved
61 3D SMF2ISIGTYPE 1 binary A bit array indicating the signature type used for this Start of changeintervalEnd of change.
Bit
Meaning when set
0
RSA
1
ECDSA
2–7
Reserved
62 3E SMF2ITOKENNAME 32 EBCDIC The saved CKA_ID of the PKCS#11 token name used to generate this signature.
Start of change94End of change Start of change5EEnd of change Start of changeSMF2IRTYPXEnd of change Start of change2End of change Start of changebinaryEnd of change Start of changeThe record type for this interval.
This field is only filled in when bit 4 of SMFIGFLG2 is on.End of change
96 60 SMF2ISIGLEN 4 binary The digital signature length for this signature interval.
100 64 SMF2ISIG varies EBCDIC The digital signature for this signature interval. It is the result of the hash and sign operation (using the hash method and signature type specified in this record) on the concatenation of the following:
  1. Start of changeHash of the previous interval record's data, from the beginning of the record up to, but not including, the SMF2ISIGLEN field. This will contain zeros for the first interval after signature processing is enabled.End of change
  2. Start of changeRunning hashsum of all this group's records (hash each entire record padded out to a 128-byte boundary with zeros). This will contain zeros if this interval did not contain any groups.End of change
  3. Hash of this interval record's data, from the beginning of the record up to, but not including, the SMF2ISIGLEN field.

The length of this signature is contained in SMF2ISIGLEN.

Note: Start of changeFor hashsums generated with the SHA-384 hash method, each hashsum is 48 bytes of data padded with 16 bytes of zeros.End of change

Subtype 2 - Self-defining section

This section contains the triplet fields (offset, length, and number) that locate other sections in the record. This triplet information should be checked prior to accessing a section of the record. The "number" triplet field is the primary indication of the existence of the section. This section is an extension of the header and physically follows it in the record. It is located at the offset of SMF2ISIG (100 or X'64') plus the length of the digital signature in SMF2ISIGLEN. The self-defining section is present only when bit 7 in the SMF2IFLG2 field in the header is on.

Offsets Name Length Format Description
0 0 SMF2ISDSLEN 2 binary Length of the self-defining section.
2 2 * 2 binary Reserved.
4 4 SMF2ISDSASignOffset 4 binary Start of changeOffset from the beginning of the record, including the record descriptor word (RDW), to the start of the first ARECSIGN section.End of change
8 8 SMF2ISDSASignLen 2 binary Length of ARECSIGN section.
10 A SMF2ISDSASignNum 2 binary Number of ARECSIGN sections.

Subtype 2 - ARECSIGN section

This section contains the alternate signature information. This section is present only when ARECSIGN is in effect at the time the record is generated.

Triplet information: This section is located using the following triplet fields which are located in the self-defining section.
Offset:
SMF2ISDSASignOffset
Length:
SMF2ISDSASignLen
Number:
SMF2ISDSASignNum. This field contains 0 if no ARECSIGN section is present, or non-zero if at least one ARECSIGN section is present.
Offsets Name Length Format Description
0 0 SMF2IASignHashMeth 1 binary A bit array indicating the alternate signature hash method for this Start of changeintervalEnd of change.
Bit
Meaning when set
0–2
Reserved
3
SHA512
4–7
Reserved
1 1 SMF2IASignSigType 1 binary A bit array indicating the alternate signature type used for this Start of changeintervalEnd of change.
Bit
Meaning when set
0–1
Reserved
2
LI2
3–7
Reserved
2 2 SMF2IASignTokenName 32 EBCDIC The saved CKA_ID of the PKCS#11 token name used to generate this signature.
34 22 SMF2IASignFlgs 1 binary Alternate signature indicators.
Bit
Meaning when set
0
This interval contains new cryptography options.
1–7
Reserved.
35 23 * 1 binary Reserved.
36 24 SMF2IASignSigLen 4 binary The length of the alternate digital signature for this signature Start of changeintervalEnd of change.
40 28 SMF2IASignSig varies EBCDIC The digital signature for this signature Start of changeintervalEnd of change. The length of this field is in SMF2IASignSigLen.