A fix is available
APAR status
Closed as new function.
Error description
New Function FIXCAT ICSF7D0C/K , R3906/K , ICSF7D1C/K ZOS0205C/K ZOS0204C/K ZOS0301C/K
Local fix
Problem summary
USERS AFFECTED:
Systems which share a CKDS with AES compliant-tagged keys or a PKDS with RSA compliant-tagged keys.

PROBLEM DESCRIPTION:
Releases of ICSF prior to HCR77D0 require coexistence support to share the CKDS with compliant-tagged AES key tokens.

Without this APAR applied:
* Compliant-tagged AES key tokens in the CKDS may be overwritten and deleted.
* CKDS re-encipher will fail with indication of a bad token rather than an unsupported compliant-tagged AES key token.
* Callable services will fail when a compliant-tagged AES key token is used, indicating a bad token.
* KGUP can rename, delete or update compliant-tagged AES key tokens.

Releases of ICSF prior to HCR77D0 require coexistence support to share the PKDS with compliant-tagged RSA key tokens and AES OPK RSA key tokens with new associated data sections.

Without this APAR applied:
* Subject RSA key tokens in the PKDS may be overwritten and deleted.
* PKDS re-encipher will fail with indication of a bad token rather than an unsupported RSA key token.
* Callable services will fail when a subject RSA key token is used, indicating a bad token.

Hardware: D/T3906, D/T3907

RECOMMENDATION:
Re-encipherment of a CKDS containing compliant-tagged AES key tokens MUST be done on an HCR77D0 or later system with APAR OA57089.

Re-encipherment of a PKDS containing compliant-tagged RSA key tokens MUST be done on an HCR77D0 or later system with APAR OA57089.

Summary
---------------------------------------------------------
Releases of ICSF prior to HCR77D0 require coexistence support to share a CKDS with compliant-tagged AES key tokens introduced by APAR OA57089. This APAR will NOT allow:
* Key management of compliant-tagged AES key tokens.
* Use of compliant-tagged AES key tokens in callable services.
* A CKDS with compliant-tagged AES tokens to be re-enciphered.
* KGUP to rename, delete, or update a compliant-tagged AES token.

With this APAR applied, attempts to use or manage compliant-tagged key tokens will result in return code 8 ('8'x) reason code 3538 ('DD2'x). New message CSFG1144 will be issued if KGUP is used to attempt to rename, delete, or overwrite a compliant-tagged AES key token.

Releases of ICSF prior to HCR77D0 require coexistence support to share a PKDS with compliant-tagged RSA key tokens introduced by APAR OA57089. This APAR will NOT allow:
* Key management of compliant-tagged RSA key tokens.
* Use of compliant-tagged RSA key tokens in callable services.
* A PKDS with compliant-tagged RSA tokens to be re-enciphered.

With this APAR applied, attempts to use or manage compliant-tagged key tokens will result in return code 8 ('8'x) reason code 3538 ('DD2'x).

Releases of ICSF prior to HCR77D0 require coexistence support to share a PKDS with RSA AES OPK key tokens (section id x'30') with a new version of the associated data section and RSA AES OPK key tokens (section id x'31') with a new version of the associated data section introduced by APAR OA57089. This APAR will NOT allow:
* Key management of the subject RSA key tokens.
* Use of the subject RSA key tokens in callable services.
* A PKDS with the subject RSA tokens to be re-enciphered.

With this APAR applied, attempts to use or manage the subject RSA key tokens will result in return code 8 ('8'x) reason code 3080 ('C08'x).
All enhancements included in this APAR will be documented in the HCR77D0 versions of the following ICSF publications:
ICSF Application Programmer's Guide SC14-7508
ICSF Messages SC14-7505
Problem conclusion
Temporary fix
Comments
Releases of ICSF prior to HCR77D0 require coexistence support to share a CKDS with compliant-tagged AES key tokens introduced by APAR OA57089. This APAR will NOT allow:
* Key management of compliant-tagged AES key tokens.
* Use of compliant-tagged AES key tokens in callable services.
* A CKDS with compliant-tagged AES tokens to be re-enciphered.
* KGUP to rename, delete, or update a compliant-tagged AES token.

With this APAR applied, attempts to use or manage compliant-tagged key tokens will result in return code 8 ('8'x) reason code 3538 ('DD2'x). New message CSFG1144 will be issued if KGUP is used to attempt to rename, delete, or overwrite a compliant-tagged AES key token.

CSFG1144 ENTRY label IS COMP-TAGGED KEY TOKEN. verb NOT PERFORMED.

Explanation: The entry with the key index label is a key token marked as PCI compliant-tagged that is not supported by this release of ICSF. Unsupported tokens cannot be deleted, updated, or renamed by KGUP.

System action: Processing for the UPDATE, DELETE, or RENAME statement ends.

User response: Correct the KGUP control statement so that the label is not for a key token that cannot be managed by this release of ICSF.

Releases of ICSF prior to HCR77D0 require coexistence support to share a PKDS with compliant-tagged RSA key tokens introduced by APAR OA57089. This APAR will NOT allow:
* Key management of compliant-tagged RSA key tokens.
* Use of compliant-tagged RSA key tokens in callable services.
* A PKDS with compliant-tagged RSA tokens to be re-enciphered.

With this APAR applied, attempts to use or manage compliant-tagged key tokens will result in return code 8 ('8'x) reason code 3538 ('DD2'x).

The following reason code is modified and will be documented in the HCR77D0 version of the ICSF Application Programmer's Guide (SC14-7508), Appendix A. ICSF and TSS Return and Reason Codes.
Reason Codes for Return Code 8 (8)

Reason Code Hex (Decimal)   Description
================================================================
DD2 (3538)                  The operation failed because an attempt was made to use or manage a compliant-tagged key token which is not supported on this system.
                            User action: Retry the operation on a system that supports the compliant-tagged token being used.

Releases of ICSF prior to HCR77D0 require coexistence support to share a PKDS with RSA AES OPK key tokens (section id x'30') with a new version of the associated data section and RSA AES OPK key tokens (section id x'31') with a new version of the associated data section introduced by APAR OA57089. This APAR will NOT allow:
* Key management of the subject RSA key tokens.
* Use of the subject RSA key tokens in callable services.
* A PKDS with the subject RSA tokens to be re-enciphered.

With this APAR applied, attempts to use or manage the subject RSA key tokens will result in return code 8 ('8'x) reason code 3080 ('C08'x).

The following reason codes are modified and will be documented in the HCR77D0 version of the ICSF Application Programmer's Guide (SC14-7508), Appendix A. ICSF and TSS Return and Reason Codes.

Reason Codes for Return Code 8 (8)

Reason Code Hex (Decimal)   Description
================================================================
C08 (3080)                  The use of a PKA key token has been attempted. The token is not supported on the release of ICSF currently running.
                            User action: Check the ICSF release for support of this token type.

The following section relates to ICSF FMID HCR77C1 only. The complete description of the changes is documented in the z/OS Cryptographic Services ICSF Application Programmer's Guide and System Programmer's Guide.

Compliant-tagged DES key tokens

Compliant-tagged DES key tokens with key derivation function (KDF) of 01 introduced with CCA code level 6.0 are not considered compliant with the release of CCA code level 6.3.
CCA 6.3 introduced support for KDF 02 for DES key tokens, which are considered compliant-tagged. With this coexistence APAR applied:
- The CKDS KEYS utility will display COMP-TAG only for KDF 02 DES key tokens.
- The key auditing SMF records will include COMP-TAG only for KDF 02 DES key tokens.
- The Key Translate2 callable service may be used to compliant-tag a DES KDF 01 token.
- The CSFCMPLC, CSFCMPCC, and CSFCMPTC samples may be used to migrate DES KDF 01 tokens in the CKDS to compliant-tagged key tokens.

Compliant-tagged key tokens are defined by two (2) features of the key token: (1) the compliant-tag bit in the key attributes, which is the control vector for DES fixed-length key tokens, and (2) the key derivation function (KDF) value, which indicates what generation of compliance is applicable. The KDF value appears at the end of the truncated Master Key Verification Pattern (MKVP) section. See z/OS Cryptographic Services ICSF Application Programmer's Guide "Appendix B. Key Token Formats" for more detail.

Beginning with the July 2019 or later licensed internal code (LIC) for the IBM z14 and IBM z14 ZR1 servers, it is important to note that the KDF value for DES compliant-tagged tokens has been incremented. Key tokens with the compliant-tag bit on in the CV and a key derivation function (KDF) of '01'x are no longer considered compliant-tagged. They are referred to as DES KDF 01 tokens throughout the publications. They were either created on a CEX6 CCA coprocessor which doesn't have the July 2019 or later licensed internal code, or by the Diversified Key Generate (CSNBDKG/CSNEDKG) or Unique Key Derive (CSNBUKD/CSNEUKD) services using an input DES KDF 01 token. The only keys they can be used with are other DES KDF 01 tokens (CSNBCTT2/CSNECTT2 being the exception). It is recommended that DES KDF 01 tokens are migrated using the Key Translate2 (CSNBKTR2/CSNEKTR2) callable service with the COMP-TAG keyword.

The output will be a key token with the compliant-tag bit set in the CV and a KDF greater than '01'x. Only DES tokens with a KDF greater than '01'x are referred to as compliant-tagged key tokens. Key tokens without the compliant-tag bit set, or DES KDF 01 tokens, are referred to as non-compliant-tagged tokens, and this is reflected in ICSF output (ICSF displays as well as SMF records do not show DES KDF 01 tokens as compliant-tagged). The CSFCMPLC, CSFCMPCC, and CSFCMPTC samples may help with identifying DES KDF 01 tokens and migrating them.

Though DES KDF 01 tokens are not compliant-tagged, a coprocessor in compliance mode is required to use them. If your CKDS contains DES KDF 01 tokens, the CKDS samples (CSFCMPLC, CSFCMPCC, CSFCMPTC) will help to identify and migrate them. DES KDF 01 tokens are tokens that were created as compliant-tagged using a CEX6 CCA coprocessor without the July 2019 or later licensed internal code. See the z/OS Cryptographic Services ICSF Application Programmer's Guide for more information on DES KDF 01 tokens.

All enhancements included in this APAR will be documented in the HCR77D0 versions of the following ICSF publications:
ICSF Application Programmer's Guide SC14-7508
ICSF Messages SC14-7505
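The classification rule described above (compliant-tag bit in the control vector plus a KDF value greater than '01'x) can be checked mechanically when inventorying a CKDS. The following is an added example, not IBM's code and not one of the CSFCMPLC/CSFCMPCC/CSFCMPTC samples. It models each DES fixed-length token as a record whose compliant-tag bit and KDF value have already been decoded; the record type, field names, the sample CKDS entries, and the assumption that Key Translate2 with COMP-TAG yields KDF '02'x are constructed for illustration, and the real token layout is the one in Appendix B of the ICSF Application Programmer's Guide.

```python
"""Classify DES key tokens by compliant-tag bit and KDF value.

Added example, not IBM's code or a sample shipped with the APAR. It applies
the rule from the APAR text: a DES token is compliant-tagged only when the
compliant-tag bit in the control vector is on AND the KDF value (end of the
truncated MKVP section) is greater than '01'x. Bit on with KDF '01'x is a
"DES KDF 01" token that needs migration. The record layout below is a
constructed stand-in, not the real CKDS record or token format.
"""
from dataclasses import dataclass, replace
from enum import Enum


class TagState(Enum):
    NON_COMPLIANT = "non-compliant-tagged"  # compliant-tag bit off
    DES_KDF01 = "DES KDF 01"                # bit on, KDF '01'x: no longer compliant-tagged
    COMPLIANT_TAGGED = "compliant-tagged"   # bit on, KDF > '01'x


@dataclass(frozen=True)
class DesTokenRecord:
    """Constructed stand-in for a CKDS record holding a DES fixed-length token."""
    label: str
    comp_tag_bit: bool  # compliant-tag bit in the control vector, already decoded
    kdf: int            # key derivation function value from the MKVP section


def classify(rec: DesTokenRecord) -> TagState:
    """Only 'bit on AND KDF > 0x01' counts as compliant-tagged."""
    if not rec.comp_tag_bit:
        return TagState.NON_COMPLIANT
    if rec.kdf == 0x01:
        return TagState.DES_KDF01
    return TagState.COMPLIANT_TAGGED


def display_flag(rec: DesTokenRecord) -> str:
    """What a CKDS KEYS display or SMF key-audit record shows: COMP-TAG only for KDF > 0x01."""
    return "COMP-TAG" if classify(rec) is TagState.COMPLIANT_TAGGED else ""


def migration_candidates(records) -> list:
    """Labels of DES KDF 01 tokens that should go through Key Translate2 with COMP-TAG."""
    return sorted(r.label for r in records if classify(r) is TagState.DES_KDF01)


def simulate_key_translate2_comp_tag(rec: DesTokenRecord) -> DesTokenRecord:
    """Model the Key Translate2 COMP-TAG result: bit set, KDF above 0x01.

    The APAR text only says the output KDF is greater than '01'x; using 0x02
    (the KDF introduced with CCA 6.3) is an assumption of this example.
    """
    if classify(rec) is not TagState.DES_KDF01:
        raise ValueError(f"{rec.label}: only DES KDF 01 tokens are migrated here")
    return replace(rec, comp_tag_bit=True, kdf=0x02)


def report(records) -> list:
    """One (label, display flag, state) row per record, in CKDS order."""
    return [(r.label, display_flag(r), classify(r).value) for r in records]


# Constructed sample CKDS contents (labels and values invented for the example).
SAMPLE_CKDS = [
    # KDF is irrelevant when the compliant-tag bit is off; 0x01 is a placeholder.
    DesTokenRecord("DES.LEGACY.KEK", comp_tag_bit=False, kdf=0x01),
    DesTokenRecord("DES.PIN.KDF01", comp_tag_bit=True, kdf=0x01),
    DesTokenRecord("DES.MAC.KDF02", comp_tag_bit=True, kdf=0x02),
]


if __name__ == "__main__":
    for label, flag, state in report(SAMPLE_CKDS):
        print(f"{label:<16} {flag:<9} {state}")
    print("migrate with Key Translate2 COMP-TAG:", migration_candidates(SAMPLE_CKDS))
```

Run against a real inventory, the `migration_candidates` list is the set of labels to feed to the Key Translate2 (CSNBKTR2/CSNEKTR2) migration the APAR recommends; the `display_flag` column reproduces why a KDF 01 token shows no COMP-TAG in CKDS KEYS output or SMF records even though its compliant-tag bit is on.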
APAR Information
APAR number
OA57090
Reported component name
ICSF/MVS
Reported component ID
568505101
Reported release
7B0
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / New Function / Xsystem
Submitted date
2019-03-11
Closed date
2019-07-12
Last modified date
2023-04-12
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UJ00036 UJ00037 UJ00038 UJ00039
Modules/Macros
CSFVCKW2 CSFNCCKC CSFDBRKS CSFDBRCL CSFNCHMG CSFNCCT2 CSFNCCKI CSFKG400 CSFNCCKM CSFDBRCM CSFNCDMP CSFVCPTV CSFNCKT2 CSFVCKRW CSFNCDDK CSFKG450 CSFVCKC2 CSFNCKG2 CSFMITSM CSFNCT3X CSFNCSK2 CSFMIKUT CSFNCKEX CSFKSICE CSFNCRKX CSFNCDPM CSFKG410 CSFVCKR2 CSFCMPCC CSFNCDPT CSFNCT3I CSFNCDPV CSFNCPKI CSFNCPT2 CSFNCPKG CSFNCSYX CSFNCKIM CSFNCDKX CSFVCKRD CSFNCSAD CSFVCKRC CSFNCDPC CSFNCSAE CSFVCFLE CSFNCMDR CSFNCDKG CSFNCMDW CSFNCSYG CSFNCDKM CSFNCSYI CSFNCDCG CSFKSIPE CSFNCRKA CSFVCPRR CSFNCDNU CSFMIAKP CSFNCSY2 CSFNCDG2 CSFKG430 CSFMIMGG CSFKSCMV CSFNCDRP CSFNCSXD CSFNCPRB CSFNCKY2 CSFNCKPI CSFNCRNC CSFMIWMP CSFNCEDH CSFNCUKD CSFVCBRC CSFNCKP2 CSFNCSKI CSFNCKGN CSFNCHMV CSFNCSKM CSFNCAPG CSFNCCPE CSFNCDRG
| SC14750808 | SC14750508 |
Fix information
Fixed component name
ICSF/MVS
Fixed component ID
568505101
Applicable component levels
R7B1 PSY UJ00038
UP19/07/17 P F907
R7B0 PSY UJ00037
UP19/07/17 P F907
R7C1 PSY UJ00036
UP19/07/16 P F907
R7C0 PSY UJ00039
UP19/07/17 P F907
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
12 April 2023