Programming considerations

This topic lists setup changes that should be considered when migrating from an IBM eServer zSeries 900.

Consider the following:
  1. The DATAC key type cannot be used on the newer servers.
  2. The PIN block format checking on the new cryptographic coprocessors is more rigorous than with a CCF.

    For CSNBPVR, CSNBPTR and CSNBCPA services, the input PIN block must have the correct format as specified in the PIN Profile parameter. On a CCF system, the PIN block format checking is incomplete.

    For example, the REFORMAT processing mode of PIN Translate (CSNBPTR) may now fail where it previously succeeded on a CCF. On a CCF, if the input to the PIN verify service (CSNBPVR) is a malformed encrypted PIN block, the service fails with return code 4, reason code 3028 (verification failed). On newer servers, the service may instead fail with return code 8 and an appropriate reason code for an invalid PIN format.

  3. RSA keys with a 512-bit to 2048-bit modulus are supported in all PKA services except the SET services (Set Block Compose and Set Block Decompose).
  4. All CCF functions are now executed on the coprocessors. This may cause some impact on the performance of customer applications.
  5. Reason codes from the new servers may be different from previous cryptographic hardware.
  6. On new servers, the requirement that the caller must be in supervisor state to use NOCV tokens is lifted for the CKDS Key Record Write (CSNBKRW) service.
  7. The z/OS SCHEDULE and IEAMSCHD macros are used to schedule SRBs. On the newer servers, since there are no CCFs on the system, applications should delete FEATURE=CRYPTO on the SCHEDULE and IEAMSCHD macros or the SRB being scheduled will not run.
  8. External tokens that are export prohibited are imported differently on z990 and later servers with PCIXCC or CCA Crypto Express coprocessors. The imported internal token will have the same control vector as the external token with export prohibited. These tokens will only be usable on z990 and later servers with a PCIXCC/CEX2C or on CCF systems with PCICCs. On previous hardware (CCF systems) the imported internal token had a control vector that allowed export, and export prohibition was enforced by the export flag in the token.
  9. The Prohibit Export service can now be used for MAC and MACVER keys.
  10. A RACF check is added to the Key Generation Utility (CSFKGUP).
  11. The CSFKGUP utility exit control block has been changed for AES. See Installation exits for the new format.
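
As an added example for item 7 (not IBM code), the following Python sketch scans assembler source for SCHEDULE and IEAMSCHD invocations that still specify FEATURE=CRYPTO, following continuation lines and ignoring remarks. The helper names and the sample source are constructed for illustration, and operands other than FEATURE=CRYPTO are placeholders.

```python
import re

MACROS = {"SCHEDULE", "IEAMSCHD"}                  # macros named in item 7
FEATURE = re.compile(r"(^|,)FEATURE=CRYPTO(,|$)")  # whole operand only

def card(text, cont=False):
    """Build one 72-column source line; 'X' in column 72 marks continuation."""
    return text.ljust(71) + ("X" if cont else "")

def statements(lines):
    """Yield (first_line_no, opcode, operands) for each assembler statement.

    A non-blank in column 72 continues the statement and continuation
    operands start in column 16. Remarks after the first blank are dropped
    (simplification: quoted operands containing blanks are not handled).
    """
    start = opcode = None
    operands, continued = "", False
    for number, raw in enumerate(lines, 1):
        line = raw.rstrip("\n").ljust(72)
        if not continued:
            if line.startswith(("*", ".*")):       # comment statement
                continue
            fields = line[:71].split()
            if line[0] != " ":
                fields = fields[1:]                # drop the name field
            if not fields:
                continue
            start, opcode = number, fields[0].upper()
            operands = fields[1] if len(fields) > 1 else ""
        else:
            part = line[15:71].split()
            operands += part[0] if part else ""
        continued = line[71] != " "
        if not continued:
            yield start, opcode, operands.upper()

def find_crypto_feature(lines):
    """Return (line_no, macro) for SCHEDULE/IEAMSCHD using FEATURE=CRYPTO."""
    return [(n, op) for n, op, ops in statements(lines)
            if op in MACROS and FEATURE.search(ops)]

# Constructed sample source, not taken from a real program.
SAMPLE = [
    "* constructed sample",
    card("SCHED1   SCHEDULE SRB=(R1),SCOPE=LOCAL,FEATURE=CRYPTO"),
    card("         IEAMSCHD EPADDR=(R2),PRIORITY=LOCAL,", cont=True),
    card("               FEATURE=CRYPTO"),
    card("         IEAMSCHD EPADDR=(R3),PRIORITY=LOCAL    no FEATURE=CRYPTO here"),
]
```

Each reported line number is the first line of a statement that needs the operand removed before the program runs on a server without a CCF.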