IBM Support

OA61609: NEW FUNCTION - Enhancements for z16

A fix is available

Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as new function.

Error description

  • New Function

FIXCAT - R3931/K , SMFREC/K

**********************************************************
THE FOLLOWING PTFS ARE IN ERROR:  UJ08368 R7D1 UJ08368 R7D2
THESE PTFS ARE FIXED BY APAR OA64736
***********************************************************

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED:                                              *
* ICSF users                                                   *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* New function - exploitation and                              *
* toleration support for z16                                   *
*                                                              *
* Support for z16 hardware is added to                         *
* ICSF (CEX8S)                                                 *
*                                                              *
* Dilithium 6-5 R3, 8-7 R2, and 8-7 R3                         *
* support in CCA and PKCS #11                                  *
*                                                              *
* Kyber support in CCA and PKCS #11                            *
*                                                              *
* Installation options data set support                        *
* for WRAPENH3                                                 *
*                                                              *
* PKCS #11 attribute processing is                             *
* updated to more closely match                                *
* standards                                                    *
*                                                              *
* DISPLAY ICSF,CARDS command is enhanced                       *
*                                                              *
* ICSF Query Facility (CSFIQF and                              *
* CSFIQF6) rule STATP11 updated                                *
*                                                              *
* New access control points are added to                       *
* both EP11 and CCA.                                           *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

Summary
---------------------------------------------------------------
Support for z16 hardware is added to ICSF
1. All messages and panels will report CEX8S when configured.
2. SMF records will report CEX8S when configured.
3. The TKE Host Transaction Program will fully support CEX8S.

Dilithium 6-5 R3, 8-7 R2, and 8-7 R3 support is added to
appropriate PKCS #11 and CCA callable services. All the
services that supported Dilithium 6-5 R2 will also support the
new Dilithium key types and sizes.

PKCS #11 callable services that support CRYSTALS-Kyber key
operations are:
- PKCS #11 Derive Key (CSFPDVK and CSFPDVK6)
- PKCS #11 Get Attribute Value (CSFPGAV and CSFPGAV6)
- PKCS #11 Generate Key Pair (CSFPGKP and CSFPGKP6)
- PKCS #11 Set Attribute Value (CSFPSAV and CSFPSAV6)
- PKCS #11 Token Record Create (CSFPTRC and CSFPTRC6)
CCA callable services that support CRYSTALS-Kyber key
operations are:
- PKA Encrypt (CSNDPKE and CSNFPKE)
- PKA Decrypt (CSNDPKD and CSNFPKD)
- PKA Key Generate (CSNDPKG and CSNFPKG)
- PKA Key Import (CSNDPKI and CSNFPKI)
- PKA Key Token Build (CSNDPKB and CSNFPKB)
- PKA Key Token Change (CSNDKTC and CSNFKTC)
- PKA Public Key Extract (CSNDPKX and CSNFPKX)
- PKA Key Translate (CSNDPKT and CSNFPKT)
- ECC Diffie-Hellman (CSNDEDH and CSNFEDH)

On HCR77D2 only, PKDS management services will support the new
keys (both Dilithium and Kyber):
- PKDS Key Record Create (CSNDKRC and CSNFKRC)
- PKDS Key Record Delete (CSNDKRD and CSNFKRD)
- PKDS Key Record Read and PKDS Key Record Read2 (CSNDKRR or
  CSNDKRR2 and CSNFKRR or CSNFKRR2)
- PKDS Key Record Write (CSNDKRW and CSNFKRW)

Installation options data set parameter DEFAULTWRAP has new
value (WRAPENH3) for both the internal and external keywords.

PKCS #11 attribute processing is updated to more closely match
standards. This applies to both the callable services and the
TKDS browser.

DISPLAY ICSF,CARDS command is enhanced in two ways:
1. Redrive cryptographic coprocessor data collection to reflect
   the most up-to-date status(es) available.
2. Display more detail about EP11 coprocessor firmware version

ICSF Query Facility (CSFIQF and CSFIQF6) with rule STATP11 will
return more detail about the EP11 coprocessor firmware version.

New access control points are added to both EP11 and CCA.

    



Problem conclusion


    

  • 



Temporary fix


    

  • 



Comments


    

  • All the enhancements included in this APAR will be documented
in the HCR77D2 release of the following ICSF publications:

    ICSF Overview                          SC14-7505
    ICSF Administrator's Guide             SC14-7506
    ICSF System Programmer's Guide         SC14-7507
    ICSF Application Programmer's Guide    SC14-7508
    ICSF Messages                          SC14-7509
    ICSF Writing PKCS #11 Applications     SC14-7510

Note that users of the HCR77D1 release can use these same
publications with the caveat that QSA tokens cannot be
stored in the PKDS.
×**** PE22/06/06 FIX IN ERROR. SEE APAR OA63363  FOR DESCRIPTION
×**** PE23/04/24 FIX IN ERROR. SEE APAR OA64736  FOR DESCRIPTION
×**** PE24/05/01 FIX IN ERROR. SEE APAR OA66472  FOR DESCRIPTION

    



APAR Information




    

  • APAR number
    OA61609
    • 

  • Reported component name
    ICSF/MVS
    • 

  • Reported component ID
    568505101
    • 

  • Reported release
    7D1
    • 

  • Status
    CLOSED  UR1
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    YesSpecatt / New Function / Xsystem
    • 

  • Submitted date
    2021-06-09
    • 

  • Closed date
    2022-05-05
    • 

  • Last modified date
    2024-06-04
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
UJ08367 UJ08368
    

    • 



Modules/Macros


    

  • CSFKG400 CSFVCPTV CSFKSHTM CSFBHPN3 CSFDDOPT CSFMITSM CSFNCKEX
CSFTCSAV CSFVCHSS CSFDCST  CSFTBR31 CSFTBR32 CSFDBRKA CSFDPEXP
CSFTBR39 CSFTBR37 CSFTBR38 CSFTBR35 CSFTBR36 CSFCCVE  CSNPCAPI
CSFSMIT  CSFBRPN3 CSFNCIQF CSFMKIDT CSFGIOPI CSFMICOL CSFGIOPT
CSFBHPK8 CSFVCPRW CSFINXKP CSFMIAKP CSFNCDG2 CSFGISB  CSFENOCX
CSFDPIMP CSFNCSTC CSFTCTRC CSFGITKD CSFCHP00 CSFNCT4R CSFKSHTB
CSFNCHMV CSFVCPRC CSFENGSP CSFNCKTC CSFNCCKC CSFNCCKE CSFMISTU
CSFENOSA CSFMISTT CSFNCCKI CSFNCCKM CSFSD001 CSFSD002 CSFSD003
CSFSD004 CSFSD005 CSFSD006 CSFSMFR  CSFMIDGP CSFENXCP CSFMIKUT
CSFMIDGM CSFNCFPE CSNPCA3X CSFNCPCU CSFMIMGM CSFINAPC CSNPCI3X
CSFNCFPT CSFMISTI CSFVCCVG CSFNCKIM CSFNCSYX CSFHL001 CSFNCDKX
CSFBHPK3 CSFHL003 CSFNCPCI CSFHL002 CSFNCFPD CSFVCFLE CSFNCDKG
CSFNCSYG CSFKG420 CSFDTKBC CSFNCDKM CSFNCSYI CSFNCSY2 CSFVCIQA
CSFDTKBS CSFDTKBP CSFKSCMV CSNPCI64 CSFTHTP3 CSFNCSXD CSFNCPRB
CSFNCKY2 CSFENICP CSFNCUKD CSFVCBRC CSFVCAPC CSFVCKTB CSFNCKGN
CSFDTKB1 CSFBRPK8 CSNPCA64 CSFNCVMK CSFGISMA CSFBRPK3 CSFVCEVT
CSFHH003 CSFHH002 CSFHH001 CSFZTKI  CSFKSCS4 CSFKSCS2 CSFNCPIC
CSFMIKYI CSFHS005 CSFHS006 CSFKSTDL CSFHS007 CSFENCFG CSFNCPXS
CSFHS008 CSFHS001 CSFHS002 CSFHS003 CSFHS004 CSFNCPXX CSFENCFM
CSFNCRKX CSFVCPKB CSFHX004 CSFHX005 CSFHX002 CSFHX003 CSFGICPA
CSFHX001 CSFGICPD CSFPLMRT CSFKSIPD CSFMIOPC CSFHX006 CSFMIOPD
CSFVCPKX CSFVCKB2 CSFGICP2 CSFINIT2 CSFNCDPC CSFTCPA6 CSFNCCMK
CSFZCOMP CSFNCRKA CSFDDMRL CSFTTKE  CSFCV100 CSFMIOP1 CSFHDR01
CSFHDR03 CSFHDR02 CSFGISPB CSFDDUPU CSFGIDTA CSFNCPEX CSFMIWMP
CSFNCSKI CSFNCSKM CSFKSROP CSFNCTDR CSFNCT4B CSFDLL64 CSFNCHMG
CSFNCT4C CSFNCT4D CSFNCKT2 CSFNCDDK CSFGIPKT CSFNCSBD CSFNCSBC
CSNPCU3X CSFINPV2 CSFASPB  CSNPCUTL CSFSMCRV CSFSMF82 CSFNCT3I
CSFNCPKI CSFNCPKG CSFTCPA4 CSFTCPA5 CSFTCPA2 CSFTCPA3 CSFNCPKT
CSFTCPA0 CSFGICST CSFTCPA1 CSFDS61  CSFGISTK CSFNCMDW CSFTBR45
CSFTBR42 CSFTBR43 CSFNCPKD CSFTBR40 CSFNCDSV CSFNCPKE CSFKSIPE
CSFNCPKC CSFGIKTB CSFTBR48 CSFNCSPN CSFTBR49 CSFTBR46 CSFCMP41
CSFTBR47 CSNPCU64 CSFGISTC CSFNCTBC CSFENCPN CSFDLL3X CSFGIAPT
CSFNCDSG CSFMIDS  CSFDLL31 CSFNCKPI CSFTBR55 CSFCHP40 CSFTBR56
CSNPCINT CSFTBR53 CSFGICVE CSFTBR52 CSFNCRNC CSFNCEDH CSFTBR50
CSFGIKDS CSFNCUSK

    




Publications Referenced


SC147505.SC147506.SC147507.SC147508.SC147509.


SC147510.    





Fix information


    

  • Fixed component name
    ICSF/MVS
    • 

  • Fixed component ID
    568505101
    • 



Applicable component levels


    

  • R7D2  PSY  UJ08367
       UP22/05/06  P  F205
    • 

  • R7D1  PSY  UJ08368
       UP22/05/06  P  F205
    • 



Fix is available


    

  • Select the PTF appropriate for your component level.
You will be required to sign in. Distribution on physical
media is not available in all countries.
    








      
              
                            

              

              [{"Business Unit":{"code":"BU011","label":"Systems - zSystems software"},"Product":{"code":"SG19O"},"Platform":[{"code":"PF054","label":"z Systems"}],"Version":"7D1"}]
              

                                                                    

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            04 June 2024
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback