A fix is available
APAR status
Closed as new function.
Error description
New Function
FIXCAT - SMFREC/K

The following PTF is in error: UJ99052 HCR77E0
The fixing APAR is OA69220
Local fix
Problem summary
USERS AFFECTED: ICSF users of HCR77E0 and HCR77F0.

PROBLEM DESCRIPTION: New function - support for clear key PKCS #11 ICSF FIPS 140-3 algorithm checking.

PKCS #11 Service CSFPPKS requests using RSA modulus-exponent (ME) keys return the wrong result when the modulus size is 1025 to 2048 bits, inclusive.

PKCS #11 Service CSFPSKD requests using RULE GCMTLS13 require an input clear_text_length that exceeds the length of the decrypted text.

Summary

Support for clear key PKCS#11 ICSF FIPS 140-3 algorithm checking.

The ICSF FIPSMODE installation option was updated to allow FIPS 140-3 parameter values.

The documentation of ICSF FIPSMODE parameter checking was updated to describe FIPS 140-3 modes in the ICSF System Programmer's Guide and ICSF Writing PKCS #11 Applications.
The following services were updated with new restrictions:

PKA Decrypt (CSNDPKD and CSNFPKD)
Digital Signature Generate (CSNDDSG)
ICSF Multi-Purpose Service (CSFMPS and CSFMPS6)
PKCS #11 Token Record Create (CSFPTRC)

The following services were updated:

ICSF Query Facility (CSFIQF)
ICSF Query Facility2 (CSFIQF2)
PKCS #11 Derive Key (CSFPDVK)
PKCS #11 Derive Multiple Keys (CSFPDMK)
PKCS #11 Generate Key Pair (CSFPGKP)
PKCS #11 Generate Keyed Mac (CSFPHMG)
PKCS #11 Generate Secret Key (CSFPGSK)
PKCS #11 One-Way Hash, Sign, or Verify (CSFPOWH)
PKCS #11 Private Key Sign (CSFPPKS)
PKCS #11 Pseudo-Random Function (CSFPPRF)
PKCS #11 Public Key Verify (CSFPPKV)
PKCS #11 Secret Key Decrypt (CSFPSKD)
PKCS #11 Secret Key Encrypt (CSFPSKE)
PKCS #11 Unwrap Key (CSFPUWK)
PKCS #11 Verify Keyed MAC (CSFPHMV)
PKCS #11 Wrap Key (CSFPWPK)
PKCS #11 Generate Secret Key2 (CSFPGK2)
PKCS #11 Private Key Structure Decrypt (CSFPPD2)
PKCS #11 Private Key Structure Sign (CSFPPS2)
PKCS #11 Public Key Structure Encrypt (CSFPPE2)
PKCS #11 Public Key Structure Verify (CSFPPV2)

The following service was added:

PKCS #11 Pseudo-Random Function2 (CSFPPR2)

The following message was added:

CSFM140I SECURE KEY PKCS11 SERVICES RESTRICTED BY ICSF FIPSMODE OPTION SETTING.

The following SMF type 82 records were updated:

PKCS #11 key lifecycle event (Subtype 42)
PKCS #11 key usage event (Subtype 46)
PKCS #11 no key usage event (Subtype 47)

PKCS #11 Service Private key sign (CSFPPKS) has been modified to return the correct value when requests using RSA modulus-exponent (ME) keys are used.

PKCS #11 Service Secret Key Decrypt (CSFPSKD) using rule GCMTLS13 has been modified to accept an input clear_text_length value that is equal to or greater than the decrypted text length.
Problem conclusion
Temporary fix
Comments
All the enhancements included in this APAR will be documented in the HCR77F0 release of the following ICSF publications:

ICSF Overview SC14-7505
ICSF Administrator's Guide SC14-7506
ICSF System Programmer's Guide SC14-7507
ICSF Application Programmer's Guide SC14-7508
ICSF Writing PKCS #11 Applications SC14-7510
ICSF Messages SC14-7509

and in z/OS 3.2 MVS System Codes SA38-0665

Note that users of the HCR77E0 or HCR77F0 releases can use these same publications.

**** PE26/03/12 FIX IN ERROR. SEE APAR OA69220 FOR DESCRIPTION
APAR Information
APAR number
OA66740
Reported component name
ICSF/MVS
Reported component ID
568505101
Reported release
7E0
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / New Function / Xsystem
Submitted date
2024-07-16
Closed date
2026-02-24
Last modified date
2026-04-14
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UJ99050 UJ99052
Modules/Macros
CSFASPB CSFCCVE CSFCCVT CSFDDOPT CSFDLL31 CSFDLL3X CSFDLL64 CSFENAME CSFENCFG CSFENCFM CSFENCRT CSFGICTF CSFGICVE CSFGICVT CSFGIFLT CSFGIKDS CSFGIKUS CSFGIOPT CSFGISB CSFGISPB CSFGISTK CSFGITKD CSFHDR02 CSFHDR05 CSFHH002 CSFHH005 CSFHL001 CSFHL002 CSFHL003 CSFHX001 CSFHX002 CSFHX003 CSFHX004 CSFHX005 CSFHX006 CSFINIT2 CSFINMTI CSFINPV2 CSFKSNXH CSFKSROP CSFMIKUM CSFMIKUT CSFMIMGM CSFMIOP1 CSFMIOPD CSFMISEC CSFMITSM CSFNCDSG CSFNCIQ2 CSFNCIQF CSFNCPKD CSFPPR2 CSFPPR26 CSFSD001 CSFSD002 CSFSD003 CSFSD004 CSFSD005 CSFSD006 CSFSMFR CSFTCPA0 CSFTCPA1 CSFTCPA2 CSFTCPA3 CSFTCPA4 CSFTCSAF CSFTCSAV CSFTCTR2 CSFTCTRC CSFVCAPC CSFVCAUD CSFZSM82 CSFZTKI CSNPCA3X CSNPCA64 CSNPCAPI CSNPCI3X CSNPCI64 CSNPCINT CSNPCU3X CSNPCU64 CSNPCUTL
| SC147505. | SC147506. | SC147507. | SC147508. | SC147510. |
| SC147509. | SA380665. |
Fix information
Fixed component name
ICSF/MVS
Fixed component ID
568505101
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
15 April 2026