A fix is available
APAR status
Closed as program error.
Error description
The PKCS11 CSFPDMK service and C_DeriveKey() incorrectly return return code 8, reason code 2116 ('844'x), for rule SSL-KM when the export key size is not equal to 8 bytes and the IV size is not equal to 0 or 8 bytes. With rule TLS-KM, return code 8, reason code 2116 ('844'x), is returned when the export key size is not equal to the size of the derived key object.
Local fix
Problem summary
USERS AFFECTED: Users invoking PKCS11 Derive multiple keys (CSFPDMK or CSFPDMK6) using processing rules SSL-KM or TLS-KM.
PROBLEM DESCRIPTION: When PKCS11 Derive multiple keys is invoked specifying rule SSL-KM with export processing, if the strength of the client/server key objects derived is not 128 bits, return code 8 reason code 2116 ('844'x) is incorrectly returned. Also, for rule SSL-KM, incorrect data is returned for the derived secret key object and client/server key/IV values. For rule TLS-KM with export processing, return code 8 reason code 2116 ('844'x) is incorrectly returned when the strength of the client/server key object is not the same as the derived secret key object.
RECOMMENDATION:
Problem Summary
CSFPDMK PKCS11 Derive multiple keys needs to be modified to allow export key strength size to be less than the strength of the derived key for rules SSL-KM and TLS-KM. CSFPDMK needs to be modified to derive correct secret key and export key/IV values for rule SSL-KM.
Problem conclusion
The PKCS11 CSFPDMK Derive multiple keys service has been modified for rules SSL-KM and TLS-KM to allow the strength of the derived client/server key objects to be less than the strength of the derived secret key. CSFPDMK has been updated to derive the correct secret key and client/server key object and IV values for rule SSL-KM.
Temporary fix
Comments
APAR Information
APAR number
OA46414
Reported component name
ICSF/MVS
Reported component ID
568505101
Reported release
7A0
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2014-10-30
Closed date
2015-01-28
Last modified date
2015-02-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UA76179 UA76180
Modules/Macros
CSFINPV2
Fix information
Fixed component name
ICSF/MVS
Fixed component ID
568505101
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
03 February 2015