The IBM 4767 CCA Support Program Release 5.5.12 is now available for download, effective November 11, 2019, by all customers who use the IBM 4767 Model 2 on Linux on x64 servers.
MTM CCA Release 5.5.12 is supported on the following 64-bit operating systems:
- Red Hat Enterprise Linux (RHEL) Server 7.6, 7.7, and 7.8
- SUSE Linux Enterprise Server (SLES) 12.4 and 12.5
- Windows Server 2019
The enhancements in Release 5.5.12 are summarized below:
1. Optional control is added to the Encrypted_PIN_Translate2 verb for when it is used to reformat an outbound ISO Format 4 PIN block into an ISO Format 1 PIN block. This optional control includes a new required command and a new RFMT4TO1 key-usage attribute added to AES PINPROT keys.
- Required command PTR2 Permit ISO-4 to ISO-1 Only with RFMT4TO1 (offset X'0394') is added to the Encrypted_PIN_Translate2 verb. When reformatting an ISO-4 PIN-block to an ISO-1 PIN-block and offset X'0394' is enabled in the active role, the verb requires the outbound AES PINPROT key to have key usage of RFMT4TO1. Refer to the Required commands section of the Encrypted_PIN_Translate2 verb.
- An AES PINPROT key in a Version X'05' variable-length symmetric key-token has a new RFMT4TO1 attribute added to its key-usage field 2 low-order byte (KUF2 LOB).
- Keyword RFMT4TO1 is added to the Key_Token_Build2 verb for setting KUF2 HOB of an AES PINPROT key to have RFMT4TO1 key usage.
- Support is added to the Key_Token_Parse2 verb to parse an AES PINPROT key that has RFMT4TO1 key usage.
2. For the Encrypted_PIN_Translate2 verb, an additional plaintext PAN field format option has been added for the message used to generate or verify the CMAC contained in the authentication_data variable for authenticated PAN change. In releases before Release 5.5.12, the format for the Old PAN and the New PAN contained in the message is ASCII characters, one character for each PAN digit (that is, Old PAN = input_PAN_data and New PAN = output_PAN_data). Beginning with Release 5.5.12, the verb uses the PAN format specified by ISO 9564-1 when keyword PANAUTI4 is specified in the rule array. If PANAUTI4 is specified, the format of the Old PAN and the New PAN in the message. Otherwise, the format is ASCII characters (either by default or when keyword PANAUTAS is specified in the rule array).
3. Required command Disallow ISO-1 PIN Format Usage (offset X'032F') is added to the Encrypted_PIN_Translate2 verb. When offset X'032F' is enabled in the active role, the verb cannot use an ISO-1 PIN-block.
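The two plaintext PAN encodings that item 2 distinguishes, as an added example (not IBM code and not part of the original release notes). It assumes that PANAUTI4 selects the plaintext PAN field layout of ISO 9564-1 format 4; the function names and the sample PAN are constructed for illustration, and the layout of the rest of the CMAC message is not shown.

```python
# Added example, not IBM code. Assumption: PANAUTI4 selects the ISO 9564-1
# format 4 plaintext PAN field; PANAUTAS (or the default) selects ASCII digits.

def _check(pan: str) -> None:
    if not (pan.isascii() and pan.isdigit() and 1 <= len(pan) <= 19):
        raise ValueError("PAN must be 1 to 19 decimal digits")

def pan_ascii(pan: str) -> bytes:
    """One ASCII character per PAN digit (format used before Release 5.5.12)."""
    _check(pan)
    return pan.encode("ascii")

def pan_iso4_field(pan: str) -> bytes:
    """16-byte ISO 9564-1 format 4 plaintext PAN field.

    nibble 0      M = PAN length - 12 (0..7)
    nibbles 1-19  PAN digits, zero-filled on the right to 19 digits
    nibbles 20-31 zero fill
    A PAN shorter than 12 digits is left-padded with zeros to 12 and M = 0.
    """
    _check(pan)
    pan = pan.rjust(12, "0")
    nibbles = f"{len(pan) - 12:X}" + pan.ljust(19, "0") + "0" * 12
    return bytes.fromhex(nibbles)

def parse_iso4_field(field: bytes) -> str:
    """Validate a format 4 PAN field and return its 12 to 19 PAN digits."""
    if len(field) != 16:
        raise ValueError("PAN field must be 16 bytes")
    h = field.hex()
    m = int(h[0], 16)
    if m > 7:
        raise ValueError("length nibble M out of range")
    digits, fill = h[1:13 + m], h[13 + m:]
    if not digits.isdigit() or fill.strip("0"):
        raise ValueError("non-decimal PAN digit or non-zero fill")
    return digits

if __name__ == "__main__":
    sample = "4111111111111111"  # constructed 16-digit test PAN
    print("ASCII :", pan_ascii(sample).hex())
    print("ISO-4 :", pan_iso4_field(sample).hex())
```

The two encodings of the same PAN differ in every byte, so both parties to an authenticated PAN change must agree on the rule-array keyword or CMAC verification will fail.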
Scenario: Installing/Uninstalling the CCA host software on Microsoft Windows Server 2019 results in an immediate fatal application error.
Resolution: When installing or uninstalling the CCA host software on Microsoft Windows Server 2019, the CCA host installer must be run in Windows 8 compatibility mode. This can be achieved by performing one of the following two options before launching the CCA host installer:
- Right click on the CCA host installer. Click Properties. Check the compatibility mode checkbox and select "Windows 8".
- Set the environment variable, __COMPAT_LAYER=WINSRV08SP1
Scenario: Create a smart card profile using the CHIM tool. Insert a CA smart card instead of the required TKE card and press "Ok" in the dialog in quick succession. After "Ok" is pressed, the system freezes.
Resolution: Avoid the scenario by inserting the required TKE card instead of an incorrect CA smart card when creating a smart card profile.
Scenario: ACP 0x032F is missing from CHIM and CNM tools.
Resolution: The user can toggle any valued ACP using the CHIM tool.