A fix is available
APAR status
Closed as new function.
Error description
New Function

FIXCAT Keywords: D/T8561, D/T8562, E8562/K, SMFREC/K, D/T2964, D/T2965, D/T3906, D/T3907

THE FOLLOWING PTF IS IN ERROR: UJ05512 R7D1
THIS PTF IS FIXED BY APAR OA64602
Local fix
Problem summary
USERS AFFECTED: Users of ICSF CCA cryptographic services

PROBLEM DESCRIPTION: Cryptographic services enhancements for CCA

Support for a new wrapping method for DES keys, WRAPENH3. All DES keys except keys with a zero control vector may be wrapped with the WRAPENH3 method.

Enhanced callable services
- Services with a rule array parameter and a key wrapping method keyword will have two additional keywords, WRAPENH2 and WRAPENH3.

When a DES KDF 01 or 02 token that is wrapped under the old master key is passed as input to the Key Translate2 (CSNBKTR2/CSNEKTR2) service with the COMP-TAG keyword, the request hangs.

When the Crypto Express Adapter is in PCI-HSM mode and the security log is nearly full, CSFM625I is issued incorrectly.

RECOMMENDATION:
Problem conclusion
Summary
------------------------------------------
Cryptographic services enhancements for CCA

- Available on IBM z15 with CEX7 adapter with CCA release 7.3, CEX6 adapter with CCA release 6.6, or CEX5 adapter with CCA release 5.7
- Available on IBM z14 with CEX6 adapter with CCA release 6.6 or CEX5 adapter with CCA release 5.7
- Available on IBM z13 with CEX5 adapter with CCA release 5.7

Support for new wrapping method for DES keys, WRAPENH3. All DES keys except keys with a zero control vector may be wrapped with the WRAPENH3 method.

WRAPENH3: This method is based on the enhanced wrapping method using SHA-256 with the addition of an authentication code. The wrapping and MAC keys are derived using the NIST KDF with SHA-256 HMAC. A TDES-CMAC authentication code is generated over the complete key token. The authentication code is stored in the token where the right control vector was stored. There will always be three key parts encrypted and placed in the key token to obfuscate the key length. All keys with the exception of DATA keys with a zero control vector can be wrapped with this method.

Enhanced callable services

Services with a rule array parameter and key wrapping method keywords will have two additional keywords, WRAPENH2 and WRAPENH3.

Key Test2 (CSNBKYT2 and CSNEKYT2) has been updated with a new rule array keyword, KEY-LEN. The service will return the length of the secure AES or DES key token specified in the key_identifier parameter. The length will be returned as an integer in the verification_pattern parameter.

MAC Generate (CSNBMGN and CSNEMGN) and MAC Verify (CSNBMVR and CSNEMVR) have been updated to support the TDES-CMAC algorithm for double- and triple-length keys.

Changes to the DES fixed-length key token to store a TDES-CMAC in the token.

The CKDS conversion utility, CSFCNV2, enables you to convert all tokens in the CKDS to use the WRAP-ECB, WRAP-ENH, or WRAPENH3 wrapping methods.

ICSF has been changed to not hang a request when a DES KDF 01 or 02 token that is wrapped under the old master key is passed as input to the Key Translate2 (CSNBKTR2/CSNEKTR2) service with the COMP-TAG keyword.

ICSF has been changed to no longer incorrectly issue CSFM625I when the security log is nearly full when the Crypto Express Adapter is in PCI-HSM mode.

The Key Generator Utility Program (KGUP) has been updated to support the WRAPENH3 wrapping method for DES keys.

The Operational Key Load utility and OPKYLOAD verb for KGUP have been updated to support the WRAPENH3 wrapping method for DES keys.

All of the enhancements included in this APAR will also be documented in the FMID HCR77D1 release of the following ICSF publications:

- ICSF Overview SC14-7505
- ICSF Administrator's Guide SC14-7506
- ICSF System Programmer's Guide SC14-7507
- ICSF Application Programmer's Guide SC14-7508
- ICSF Messages SC14-7509
- ICSF Trusted Key Entry Workstation User's Guide SC14-7511
Temporary fix
Comments
PE23/03/29 FIX IN ERROR. SEE APAR OA64602 FOR DESCRIPTION
APAR Information
APAR number
OA60318
Reported component name
ICSF/MVS
Reported component ID
568505101
Reported release
7D1
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / New Function / Xsystem
Submitted date
2020-10-08
Closed date
2021-05-05
Last modified date
2023-05-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UJ05512
Modules/Macros
CSFCNV2 CSFNCCKC CSFNCIQF CSFNCDKG CSFNCSYG CSFNCSYI CSFNCCKM CSFNCKT2 CSFVCKRW CSFINXKP CSFNCSY2 CSFDDMRL CSFKG450 CSFENCFM CSFNCRKX CSFMIMGM CSFNCKPI CSFNCKY2 CSFVCCVA CSFGICVE CSFCMPCC CSFMIMGV CSFNCT3I CSFMIWMP CSFNCEDH CSFNCMVR CSFNCUKD CSFNCRWP CSFVCBRC CSFVCKTB CSFNCKIM CSFNCT4R CSFDDOKE CSFNCOKL CSFCCVE CSFNCMGN CSFNCSKM CSFNCPCI CSFTCC2P CSFVCTCK CSFVCINF CSFNCKTC CSFVCKW2 CSFNCCKI CSFKG400 CSFNCT4D CSFVCKC2 CSFNCT3X CSFMIKUT CSFNCKEX CSFKG410 CSFNCPKI CSFNCPKG CSFNCSYX CSFKG220 CSFNCDKX CSFVCKRD CSFVCKRC CSFNCMDW CSFKG300 CSFKG420 CSFNCDKM CSFMIAKP CSFKG230 CSFNCSXD CSFNCSKI CSFNCKGN CSFCHP50 CSFDS64 CSFCMP50 CSFNCCSV CSFNCCSG CSFVCEVT CSFDS61 CSFMIMGG CSFNCEVF CSFGIKGC CSFKG430 CSFNCCMK
| SC147505 | SC147506 | SC147507 | SC147508 | SC147509 |
| SC147511 |
Fix information
Fixed component name
ICSF/MVS
Fixed component ID
568505101
Applicable component levels
R7D1 PSY UJ05512
UP21/05/06 P F105
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
02 May 2023