A fix is available
APAR status
Closed as new function.
Error description
New Function FIXCAT Keywords: D/T8561 , D/T8562 , E8562/K , SMFREC/K , D/T2964 , D/T2965 , D/T3906 , D/T3907
Local fix
Problem summary
USERS AFFECTED: Users of ICSF cryptographic services

PROBLEM DESCRIPTION: NEW FUNCTION - Cryptographic services enhancements for CCA and PKCS #11

  Enhancements to CCA services
    Enhancements for German Banking Industry Committee (DK)
    New service Encrypted PIN Verify2 (CSNBPVR2 and CSNEPVR2)
    Australian Payment Network enhancements in support of standard AS2805.5.4
    Support for the Schnorr digital signature algorithm
    Support for key exchange with Azure Cloud services.
    Digital Signature Verify (CSNDDSV) fails with ABEND S0C4 when rule array keyword PKCS-PSS specified and data_length parameter has a value of 3 or less.

  Enhancements to PKCS #11 services
    New service PKCS #11 Secret Key Reencrypt (CSFPSKR and CSFPSKR6).
    Enhancements for Koblitz elliptic curves.

  When ICSF is restarted, new copies of CSFINLPA, CSFINLP2, CSFMGARC, CSFMGTRC, and CSFMIQIH are dynamically added to LPA. If they match the existing copies, the new copies should be deleted but are not.

Summary
------------------------------------------
Cryptographic services enhancements PKCS #11 and CCA Algorithm Currency

Cryptographic services enhancements for CCA
--------------------------------------------

* The following enhancements are available on IBM z15 with CEX7 adapter with CCA release 7.4 or CEX6 adapter with CCA release 6.7 *

  Diversify Directed Key (CSNBDDK and CSNEDDK)
    A new key type vector for AES PINPROT keys with ISO-4 is introduced.
    The derivation_data parameter enhanced to support longer lengths.

  DK PIN Change (CSNBDPC and CSNEDPC)
    The input value for the script_MAC_length parameter is used when MAC length rule array keyword not specified.

  Symmetric Algorithm Decipher (CSNBSAD or CSNBSAD1 and CSNESAD or CSNESAD1) and Symmetric Algorithm Encipher (CSNBSAE or CSNBSAE1 and CSNESAE or CSNESAE1)
    Support for X9.23 random padding of text is introduced.

  Diversified Key Generate2 (CSNBDKG2 and CSNEDKG2)
    The derivation_data parameter enhanced to support longer lengths.

  CSNBPTR and CSNEPTR and CSNBPTR2 and CSNEPTR2
    Additional checking for TRANSLAT processing when new access control is enabled.

  PIN block error processing mode
    The return codes for PIN block errors in services DK PIN Verify (CSNBDPV and CSNEDPV) and DK PIN Change (CSNBDPC and CSNEDPC) will be restricted in this mode enabled by a new access control.

* The following enhancements are available on IBM z15 with CEX7 adapter with CCA release 7.4 *

  New service Encrypted PIN Verify2 (CSNBPVR2 and CSNEPVR2)
    The service will validate an input encrypted PIN-block against a reference encrypted PIN block. All ISO PIN block formats are supported.

  Australian Payment Network enhancements in support of standard AS2805.5.4
    Diversified Key Generate (CSNBDKG and CSNEDKG)
      Support for three AS2805.5.4 key derivation methods
    Random Number Generate Long (CSNBRNGL and CSNERNGL)
      Support for a key identifier parameter for a data-encryption key to encrypt returned random number.
    Symmetric Algorithm Encipher (CSNBSAE or CSNBSAE1 and CSNESAE or CSNESAE1)
      Support for AS2805.5.4 MAC generation and verification and auxiliary functions

  Digital Signature Generate (CSNDDSG and CSNFDSG)
  Digital Signature Verify (CSNDDSV and CSNFDSV)
    Support for the Schnorr digital signature algorithm (ISO 14888-3) with NIST Prime curves 256 and 521 (secp256r1 and secp521r1) keys.

  Symmetric Key Export (CSNDSYX and CSNFSYX)
  PKA Key Translate (CSNDPKT and CSNFPKT)
    Support for key exchange with Azure Cloud services. Symmetric and asymmetric keys are exported to a PKCS #11 object with ephemeral wrapping key.

  Support for triple-length PIN encrypting keys added to
    PIN Change/Unblock (CSNBPCU and CSNEPCU)
    Secure Messaging for PINs (CSNBSPN and CSNESPN)
    SET Block Decompose (CSNDSBD and CSNFSBD)

  Key Generator Utility Program (KGUP)
    Support for AES CIPHER key usage attributes. Five encryption mode key usage keywords are added for use when adding or updating AES CIPHER keys.

  Digital Signature Verify (CSNDDSV and CSNFDSV) fails with ABEND S0C4 when rule array keyword PKCS-PSS specified and data_length parameter has a value of 3 or less.

Cryptographic services enhancements for PKCS #11
------------------------------------------------

  New service PKCS #11 Secret Key Reencrypt (CSFPSKR and CSFPSKR6).
    The service re-encrypts cipher text using secure PKCS #11 secret keys and a single call to the EP11 coprocessor.

  Additional support for Koblitz elliptic curves for the Schnorr algorithm.
    New support for clear and secure key generation, key creation, ECDSA signature processing, and secret key derivation.

  SMF 82 record mappings in a C header are introduced.

When ICSF is restarted, new copies of CSFINLPA, CSFINLP2, CSFMGARC, CSFMGTRC, and CSFMIQIH are dynamically added to LPA. If they match the existing copies, the new copies should be deleted but are not. The code has been changed to ensure that the new copy is removed when it matches the old copy.

A description of the enhancements for this APAR is documented in a PDF file, oa61253.pdf, available at
ftp://public.dhe.ibm.com/eserver/zseries/zos/icsf/pdf/OA61253.pdf

All of the enhancements included in this APAR will also be documented in the FMID HCR77D2 release of the following ICSF publications:

  ICSF Overview                           SC14-7505
  ICSF Administrator's Guide              SC14-7506
  ICSF System Programmer's Guide          SC14-7507
  ICSF Application Programmer's Guide     SC14-7508
  ICSF Writing PKCS #11 Applications      SC14-7510
Problem conclusion
Temporary fix
Comments
NEW FUNCTION - Cryptographic services enhancements for CCA and PKCS #11

  Enhancements to CCA services
    Enhancements for German Banking Industry Committee (DK)
    New service Encrypted PIN Verify2 (CSNBPVR2 and CSNEPVR2)
    Australian Payment Network enhancements in support of standard AS2805.5.4
    Support for the Schnorr digital signature algorithm
    Support for key exchange with Azure Cloud services.
    Digital Signature Verify (CSNDDSV) fails with ABEND S0C4 when rule array keyword PKCS-PSS specified and data_length parameter has a value of 3 or less.

  Enhancements to PKCS #11 services
    New service PKCS #11 Secret Key Reencrypt (CSFPSKR and CSFPSKR6).
    Enhancements for Koblitz elliptic curves.
APAR Information
APAR number
OA61253
Reported component name
ICSF/MVS
Reported component ID
568505101
Reported release
7D1
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / New Function / Xsystem
Submitted date
2021-04-13
Closed date
2021-09-23
Last modified date
2021-12-08
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UJ06715 UJ06716
Modules/Macros
CSFCCVE CSFDDMRL CSFDLL31 CSFDLL3X CSFDLL64 CSFDPEXP CSFDPIMP CSFDTKB1 CSFDTKBC CSFDTKBP CSFDTKBS CSFENCFG CSFENCFM CSFENCPN CSFENOSA CSFENXCP CSFGIBTM CSFGICP2 CSFGICTF CSFGICVE CSFGIFLT CSFGISB CSFHDR01 CSFHDR03 CSFHH001 CSFHH003 CSFHL001 CSFHL002 CSFHL003 CSFHS001 CSFHS002 CSFHS003 CSFHS004 CSFHS005 CSFHS006 CSFHS007 CSFHS008 CSFHX001 CSFHX002 CSFHX003 CSFHX004 CSFHX005 CSFHX006 CSFINIT2 CSFINMTI CSFINPV2 CSFINPVT CSFINXKP CSFKG300 CSFKSTDL CSFMIAKP CSFMICPD CSFMIKUB CSFMIKUT CSFMIKYI CSFMITSM CSFMIWMP CSFNCCMK CSFNCDDK CSFNCDG2 CSFNCDKG CSFNCDPC CSFNCDSG CSFNCDSV CSFNCKDU CSFNCMDW CSFNCPCI CSFNCPKD CSFNCPKT CSFNCPV2 CSFNCPXS CSFNCRNC CSFNCRNL CSFNCSAD CSFNCSAE CSFNCSYX CSFNCUKD CSFPLKST CSFPLKUP CSFPSKR CSFPSKR6 CSFPVR2 CSFPVR26 CSFSD001 CSFSD002 CSFSD003 CSFSD004 CSFSD005 CSFSD006 CSFSMBTM CSFSMFR CSFSMTMG CSFTCPA0 CSFTCPA1 CSFTCPA2 CSFTCPA3 CSFTCPA4 CSFTCPA5 CSFTCPA6 CSFTCPAT CSFTCSAV CSFTCSKR CSFTCTRC CSFTCTRL CSFVCAPC CSFVCBRC CSFVCEVT CSFWTL01 CSFZTKI CSNPCA3X CSNPCA64 CSNPCAPI CSNPCI3X CSNPCI64 CSNPCINT CSNPCU3X CSNPCU64 CSNPCUTL
Fix information
Fixed component name
ICSF/MVS
Fixed component ID
568505101
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
09 December 2021