IBM Support

OA64883: NEW FUNCTION - Exploitation for CCA Release 7.5 and 8.2

A fix is available

Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as new function.

Error description

  • New Function.

FIXCAT - SMFREC/K , E3931/K

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED: ICSF users                                   *
****************************************************************
* PROBLEM DESCRIPTION: New function - exploitation for CCA     *
*                      5.7, 6.7, 7.5, and 8.2                  *
****************************************************************
PROBLEM SUMMARY
---------------------------------------------------------------
Support for CCA 5.7, 6.7, 7.5, and 8.2 are added to ICSF.

1. Support for CRYSTALS-Kyber 768 R2/R3 & CRYSTALS-Kyber 1024 R3

The following services were updated:
-----------------------------------------------------------
a.  PKA Key Encrypt -- CSNDPKE
b.  PKA Key Decrypt -- CSNDPKD
c.  PKA Key Translate -- CSNDPKT
d.  PKA Key Generate -- CSNDPKG
e.  PKA Key Import -- CSNDPKI
f.  PKA Key Token Build -- CSNDPKB
g.  ECC Diffie-Hellman -- CSNDEDH

===========================================================
2. Support for new Multi-MAC Scheme (CSNBMMS & CSNEMMS)
   callable service.

===========================================================
3. Support for import of CKM_RAKW objects into ICSF.

The following services were updated:
-----------------------------------------------------------
a. Symmetric Key Import2 -- CSNDSY2
b. PKA Key Import -- CSNDPKI

===========================================================
4. Support for specifying different values for the Hash and Mask
   generation function when using the OAEP 2.1 algorithm.

The following services were updated:
-----------------------------------------------------------
a. PKA Encrypt -- CSNDPKE
b. PKA Decrypt -- CSNDPKD

===========================================================
5. Support for generating AES CIPHER and AES MAC keys in the
   Symmetric Key Generate (CSNDSYG) service.

===========================================================
6. Support for new Access Control Points (ACP) to limit
   operations when using ISO-2 PIN blocks.

The following ACPs were added:
-----------------------------------------------------------
a. Disallow ISO-2 PIN block generation operations ('0085'x)
b. Disallow ISO-2 PIN block verify operations ('0086'x)
c. Disallow ISO-2 PIN block translation operations ('0087'x)

===========================================================
7. Support for creating diversified keys where the key
   management fields must be present (MBP) or must be equal
   (MBE) to that of the diversifying key.

The following services were updated:
-----------------------------------------------------------
a. Key Token Build2 -- CSNBKTB2
b. Key Generate2 -- CSNBKGN2
c. Diversified Key Generate2 -- CSNBDKG2
d. Restrict Key Attribute -- CSNBRKA

===========================================================
8. Support for TR-31 key encryption keys that can both wrap and
    unwrap (Mode of use B) with CCA.

The following ACPs were updated:
-----------------------------------------------------------
a. T31X - Permit EXPORTER to K0/K1:B ('02AD'x)
b. T31X - Permit IMPORTER to K0/K1:B ('02AE'x)
c. T31I - Permit K0:B to DES EXPORTER/OKEYXLAT ('015E'x)
d. T31I - Permit K0:B to DES IMPORTER/IKEYXLAT ('015F'x)
e. T31I - Permit K1/K4:B to DES EXPORTER/OKEYXLAT ('0162'x)
f. T31I - Permit K1/K4:B to DES IMPORTER/IKEYXLAT ('0163'x)
g. T31X - Permit AES EXPORTER to K0:E/B ('01D3'x)
h. T31X - Permit AES EXPORTER to K1:E/B ('01D4'x)
i. T31X - Permit AES IMPORTER to K0:D/B ('01D6'x)
j. T31X - Permit AES IMPORTER to K1:D/B ('01D7'x)
k. T31I - Permit K0/K1/K4:E/B to AES EXPORTER: EXPTT31D+
   VARDRV-D ('01E5'x)
l. T31I - Permit AES K0/K1/K4:D/B to AES IMPORTER:
   IMPTT31D+ VARDRV-D ('01E6'x)

Notes:
1. Callable service changes apply to both the 31-bit and
64-bit services equally.

    



Problem conclusion


    

  • 



Temporary fix


    

  • 



Comments


    

  • All the enhancements included in this APAR will be documented
in the HCR77E0 release of the following ICSF publications:

    ICSF Overview                          SC14-7505
    ICSF Administrator's Guide             SC14-7506
    ICSF System Programmer's Guide         SC14-7507
    ICSF Application Programmer's Guide    SC14-7508
×**** PE24/02/20 FIX IN ERROR. SEE APAR OA66155  FOR DESCRIPTION

    



APAR Information




    

  • APAR number
    OA64883
    • 

  • Reported component name
    ICSF/MVS
    • 

  • Reported component ID
    568505101
    • 

  • Reported release
    7E0
    • 

  • Status
    CLOSED  UR1
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    YesSpecatt / New Function / Xsystem
    • 

  • Submitted date
    2023-05-16
    • 

  • Closed date
    2024-01-29
    • 

  • Last modified date
    2024-04-17
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
UJ94551 UJ94552 UJ94553
    

    • 



Modules/Macros


    

  • CSFASPB  CSFBHPK8 CSFBRPK2 CSFBRPK7 CSFCCVE  CSFCCVT  CSFCMPCP
CSFCMPTP CSFDBRCL CSFDBRKA CSFDBRPL CSFDDMRL CSFDDUPU CSFDLL31
CSFDLL3X CSFDLL64 CSFDP04  CSFDPEXP CSFDPIMP CSFDPKEY CSFDS80
CSFENCFM CSFENGSP CSFGICTF CSFGICVT CSFGIFLT CSFGISB  CSFGISPB
CSFGISTK CSFHCADD CSFHCCK0 CSFHDR01 CSFHDR03 CSFHH001 CSFHH003
CSFHL001 CSFHL002 CSFHL003 CSFHS001 CSFHS002 CSFHS003 CSFHS004
CSFHS005 CSFHS006 CSFHS007 CSFHS008 CSFHX001 CSFHX002 CSFHX003
CSFHX004 CSFHX005 CSFHX006 CSFINIT2 CSFINMTI CSFINPV2 CSFINPVT
CSFINXKP CSFKSCS2 CSFKSCS4 CSFKSHTB CSFKSHTM CSFKSIPD CSFKSIPE
CSFKSKDL CSFKSXLT CSFMIAKP CSFMICMP CSFMICPD CSFMIKUT CSFMISTI
CSFMISTT CSFMISTU CSFMITSM CSFMIWMP CSFMMS   CSFMMS6  CSFNCDSG
CSFNCDSV CSFNCEDH CSFNCIQF CSFNCKDL CSFNCKTC CSFNCKY2 CSFNCMMS
CSFNCPCI CSFNCPIC CSFNCPKC CSFNCPKD CSFNCPKE CSFNCPKG CSFNCPKI
CSFNCPKT CSFNCPRB CSFNCRKA CSFNCRKX CSFNCSBC CSFNCSBD CSFNCSXD
CSFNCSY2 CSFNCSYG CSFNCSYI CSFNCSYX CSFNCT4B CSFNCT4C CSFNCT4D
CSFNCT4R CSFNCTBC CSFPHY00 CSFPKY22 CSFSD001 CSFSD002 CSFSD003
CSFSD004 CSFSD005 CSFSD006 CSFSMF82 CSFSMFR  CSFVCAPC CSFVCAUD
CSFVCBRC CSFVCEVT CSFVCIQA CSFVCKB2 CSFVCMLV CSFVCPKB CSFVCPKX
CSFVCPRC CSFVCPRW CSFVCPTV CSFVCPTX CSFVCVCK CSFWTL01 CSFZSM82
CSNPCA3X CSNPCA64 CSNPCAPI CSNPCI3X CSNPCI64 CSNPCINT CSNPCU3X
CSNPCU64 CSNPCUTL

    




Publications Referenced


SC147505.SC147506.SC147507.SC147508. 





Fix information


    

  • Fixed component name
    ICSF/MVS
    • 

  • Fixed component ID
    568505101
    • 



Applicable component levels


    

  • R7D1  PSY  UJ94553
       UP24/01/31  P  F401   
    • 

  • R7D2  PSY  UJ94552
       UP24/01/31  P  F401   
    • 

  • R7E0  PSY  UJ94551
       UP24/01/31  P  F401   
    • 



Fix is available


    

  • Select the PTF appropriate for your component level.
You will be required to sign in. Distribution on physical
media is not available in all countries.
    








      
              
                            

              

              [{"Business Unit":{"code":"BU011","label":"Systems - zSystems software"},"Product":{"code":"SG19O"},"Platform":[{"code":"PF054","label":"z Systems"}],"Version":"7E0"}]
              

                                                                    

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            17 April 2024
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback