A fix is available
APAR status
Closed as new function.
Error description
New Function

SHA224: RFC4880 lists this algorithm under the "supported hash algorithms" section. Encryption Facility will now provide support for the SHA224 digest algorithm.

ASCII Armor OpenPGP Messages: The RFC4880 notes implementations "SHOULD" support ASCII armor as they are useful in situations where raw binary data cannot be transmitted over certain networks/protocols. Encryption Facility will now support ASCII Armor for OpenPGP Messages.

RACF Password Disablement: Currently users are prompted to supply passwords for RACF based keys/keystores even though they are not required/used. Encryption Facility will now provide the option to disable RACF based password prompts.
Local fix
Problem summary
USERS AFFECTED: Encryption Facility for OpenPGP users

PROBLEM DESCRIPTION:

Support for SHA224
------------------
RFC4880 lists SHA224 under the list of supported hash algorithms which may be implemented but are not required. EF will simply add support for processing the SHA224 digest name while the actual algorithm processing will be handled by the existing IBM Java SDK APIs.

Support for ASCII Armor for OpenPGP Messages
--------------------------------------------
The RFC4880 notes that implementations SHOULD provide support for ASCII Armor encoding of OpenPGP Messages, but it is not required. Currently EF only supports ASCII Armor encoding of Public Key OpenPGP Certificates. ASCII Armor encodings are useful in situations where binary data cannot be transmitted over certain network/protocol mediums.

Support for RACF Password Prompt Disablement
--------------------------------------------
Currently users are prompted to supply passwords when using RACF based keystores/keys even though they are not actually used or needed.

RECOMMENDATION:

Support for SHA224
SHA224 is listed in the RFC4880 under digest algorithms that may be supported.

Support for ASCII Armor for OpenPGP Messages
ASCII Armor Encoding of OpenPGP Messages is listed as a feature that SHOULD be supported in the RFC4880.

Support for RACF Password Prompt Disablement
Passwords are not required or used by RACF to control access to its keystores and keys.
Problem conclusion
Temporary fix
Comments
Enhancements to Encryption Facility for OpenPGP which add:
* Support for SHA224 digests,
* Support for ASCII Armor encoding of OpenPGP messages,
* Option to disable prompts for passwords when using RACF based keystores/keys.

All of the enhancements included in this APAR will also be documented in the next refresh, if there is one, of the IBM Encryption Facility for z/OS: Using Encryption Facility for OpenPGP SA23-2230. The following updates to this publication are related to this new support:

Chapter 1. Overview of IBM Encryption Facility for OpenPGP

Java algorithm support for Encryption Facility for OpenPGP

Digital Signature Support

Table 5 on page 9 summarizes the type of digital signature algorithms that Encryption Facility for OpenPGP uses and where they are supported for OpenPGP.

Table 5. Digital signature algorithm support
---------------------------------------------------------------
Digital    |
signature  |
algorithm  | Support for digital signature algorithm
---------------------------------------------------------------
DSA/SHA1   | For a z900 processor, CCA JCE provider.
           | For all other hardware types, software JCE
           | provider.
---------------------------------------------------------------
RSA/SHA1   | Software JCE provider/CCA JCE provider.
---------------------------------------------------------------
RSA/SHA224 | Software JCE provider/CCA JCE provider.
---------------------------------------------------------------
RSA/SHA256 | Software JCE provider/CCA JCE provider.
---------------------------------------------------------------
RSA/SHA384 | Software JCE provider/CCA JCE provider.
---------------------------------------------------------------
RSA/SHA512 | Software JCE provider/CCA JCE provider.
---------------------------------------------------------------
RSA/MD2    | CCA JCE provider.
---------------------------------------------------------------
RSA/MD5    | CCA JCE provider.
---------------------------------------------------------------

Message digest algorithm support

Table 6 summarizes the type of message digest algorithms that Encryption Facility for OpenPGP uses and where they are supported for OpenPGP.

Table 6. Message digest algorithm support
---------------------------------------------------------------
Message    |
digest     |
algorithm  | Support for message digest algorithm
---------------------------------------------------------------
MD2        | CCA JCE provider.
---------------------------------------------------------------
MD5        | CCA JCE provider.
---------------------------------------------------------------
SHA1       | Software JCE provider/CCA JCE provider.
---------------------------------------------------------------
SHA224     | Software JCE provider/CCA JCE provider.
---------------------------------------------------------------
SHA256     | Software JCE provider/CCA JCE provider.
---------------------------------------------------------------
SHA384     | Software JCE provider/CCA JCE provider.
---------------------------------------------------------------
SHA512     | Software JCE provider/CCA JCE provider.
---------------------------------------------------------------

Chapter 4. Encryption Facility for OpenPGP commands

USE_ASCII_ARMOR
----------------
Format
  USE_ASCII_ARMOR
Description
  Specifies that when you export an OpenPGP certificate or create an OpenPGP Message (Encrypt, Sign or Compress) the output will be encoded using the ASCII Armor format.
  Default: If not specified, do not use ASCII armor.
  Equivalent command option: "-a Use ASCII Armor for the message output" on page 51.
Arguments
  None.

ARMOR_COMMENT
-------------
Format
  ARMOR_COMMENT user-specified-comment
Description
  Adds a comment to an OpenPGP Certificate or Message that is encoded with ASCII Armor.
  Default: None.
  Equivalent command option: "-comment Add a comment header to ASCII Armorized messages" on page 54.
Arguments
  For user-specified-comment, a comment string.
DISABLE_RACF_PASSWORD_PROMPTS
-----------------------------
Format
  DISABLE_RACF_PASSWORD_PROMPTS
Description
  Disables prompts for passwords when using RACF based keystores/keys. By default Encryption Facility prompts users to enter a password when using RACF based keystores/keys even though they are not actually used to protect access.
  Default: If this option is omitted then by default Encryption Facility prompts for RACF passwords will be enabled.
  Equivalent command option: None.
Arguments
  None.

Chapter 6. JCL, command examples, and reference

Common error messages
-----------------------
Bullet 4 - The following message is returned by Java. When this message is issued, it usually indicates that an incorrect Java keystore password has been specified or an incorrect key password has been specified. Additionally, if configured with a RACF Keyring, a keystore and key password must be specified even though they are not used by RACF. The password prompts can safely be disabled by using the DISABLE_RACF_PASSWORD_PROMPTS configuration option listed in Chapter 4 Encryption Facility for OpenPGP commands. If these passwords do not match this message might be issued.

  Given final block not properly padded
APAR Information
APAR number
OA49127
Reported component name
ENCRYPTION FACI
Reported component ID
5752XXFIL
Reported release
740
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / New Function / Xsystem
Submitted date
2015-10-13
Closed date
2015-12-10
Last modified date
2016-12-05
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UA80056
Modules/Macros
CSDENCRY
SA23223007
Fix information
Fixed component name
ENCRYPTION FACI
Fixed component ID
5752XXFIL
Applicable component levels
R740 PSY UA80056
UP15/12/11 P F512
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
05 December 2016