IBM Support

OA66395: NEW FUNCTION - exploitation for CCA 5.7, 6.7, 7.5, 7.6, 8.2, 8.4

A fix is available


APAR status

  • Closed as new function.

Error description

  • New Function
    
    FIXCAT: SMFREC/K, E9175/K
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: ICSF Users                                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: New function - exploitation for         *
    *                      CCA 5.7, 6.7, 7.5, 7.6, 8.2, 8.4        *
    ****************************************************************
    PROBLEM SUMMARY
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Support for CCA 5.7, 6.7, 7.5, 7.6, 8.2, 8.4 is added to ICSF.
    
    1. Support for CCA ML-KEM 768, 1024 & ML-DSA 44, 65, 87 (CCA 8.4)
    2. Support for up to 8192 bit CCA RSA keys (CCA 7.6, 8.4)
    3. Allow CCA AES PINPROT keys to be exported to TR-31 P0 mode of use B
       (CCA 5.7, 6.7, 7.5, 8.2)
    
    1. Support for CCA ML-KEM 768, 1024 & ML-DSA 44, 65, 87
    ====================================================
    The following services were updated:
    -----------------------------------------------------------
    Digital Signature Generate -- CSNDDSG
    Digital Signature Verify -- CSNDDSV
    ECC Diffie-Hellman -- CSNDEDH
    ICSF Query Algorithm -- CSFIQA
    Key Data Set List -- CSFKDSL
    Key Data Set Metadata Read -- CSFKDMR
    Key Data Set Metadata Write -- CSFKDMW
    Key Data Set Record Retrieve -- CSFRRT
    Key Data Set Update -- CSFKDU
    PKA Key Decrypt -- CSNDPKD
    PKA Key Encrypt -- CSNDPKE
    PKA Key Generate -- CSNDPKG
    PKA Key Import -- CSNDPKI
    PKA Key Token Build -- CSNDPKB
    PKA Key Token Change -- CSNDKTC
    PKA Key Translate -- CSNDPKT
    PKA Public Key Extract -- CSNDPKX
    PKDS Key Record Create -- CSNDKRC
    PKDS Key Record Delete -- CSNDKRD
    PKDS Key Record Read -- CSNDKRR
    PKDS Key Record Read2 -- CSNDKRR2
    PKDS Key Record Write -- CSNDKRW
    
    The following SMF records were updated:
    -----------------------------------------------------------
    Cryptographic usage statistics: Type 82 Subtype 31
    CCA asymmetric key lifecycle event: Type 82 Subtype 41
    CCA asymmetric key usage event: Type 82 Subtype 45
    Compliance warning event: Type 82 Subtype 48
    ICSF Compliance Evidence: Type 1154 Subtype 49
    
    The PKDS KEYS Utility was updated.
    
    The following access control points (ACPs) had a name change:
    -----------------------------------------------------------
    PKA Decrypt - Allow ML-KEM, CRYSTALS-Kyber keys (0084)
    PKA Encrypt - Allow ML-KEM, CRYSTALS-Kyber keys (0083)
    PKA Key Generate - Clear ML-DSA, CRYSTALS-Dilithium keys (027F)
    PKA Key Generate - Clear ML-KEM, CRYSTALS-Kyber keys (020E)
    
    The following access control point (ACP) had a name change
    and now affects multiple services:
    -----------------------------------------------------------
    Permit Regeneration Data (027D)
    
    
    2. Support for up to 8192 bit CCA RSA keys
    ====================================================
    The following services were updated:
    -----------------------------------------------------------
    Digital Signature Generate -- CSNDDSG
    Digital Signature Verify -- CSNDDSV
    ICSF Query Algorithm -- CSFIQA
    ICSF Query Facility -- CSFIQF
    Key Data Set List -- CSFKDSL
    Key Data Set Metadata Read -- CSFKDMR
    Key Data Set Metadata Write -- CSFKDMW
    Key Data Set Record Retrieve -- CSFRRT
    Key Data Set Update -- CSFKDU
    Key Test2 -- CSNBKYT2
    PKA Key Decrypt -- CSNDPKD
    PKA Key Encrypt -- CSNDPKE
    PKA Key Generate -- CSNDPKG
    PKA Key Import -- CSNDPKI
    PKA Key Token Build -- CSNDPKB
    PKA Key Token Change -- CSNDKTC
    PKA Key Translate -- CSNDPKT
    PKA Public Key Extract -- CSNDPKX
    PKDS Key Record Create -- CSNDKRC
    PKDS Key Record Delete -- CSNDKRD
    PKDS Key Record Read -- CSNDKRR
    PKDS Key Record Read2 -- CSNDKRR2
    PKDS Key Record Write -- CSNDKRW
    Public Infrastructure Certificate -- CSNDPIC
    Symmetric Key Export -- CSNDSYX
    Symmetric Key Export with Data -- CSNDSXD
    Symmetric Key Generate -- CSNDSYG
    Symmetric Key Import -- CSNDSYI
    Symmetric Key Import2 -- CSNDSYI2
    
    The following SMF records were updated:
    -----------------------------------------------------------
    Cryptographic usage statistics: Type 82 Subtype 31
    CCA asymmetric key lifecycle event: Type 82 Subtype 41
    CCA asymmetric key usage event: Type 82 Subtype 45
    Compliance warning event: Type 82 Subtype 48
    ICSF Compliance Evidence: Type 1154 Subtype 49
    
    The PKDS KEYS Utility was updated.
    
    The ICSF_WEAK_CCA_KEYS health check was updated to list RSA
    keys less than 2048 bits.
    
    
    3. Allow CCA AES PINPROT keys to be exported to TR-31 P0 mode of use B
    ====================================================
    The following service was updated:
    -----------------------------------------------------------
    TR-31 Translate -- CSNBT31X
    
    The following access control point (ACP) was added:
    -----------------------------------------------------------
    T31X - Permit AES PINPROT to P0:B (050A)
    
    
    Notes:
    1. Callable service changes apply to both the 31-bit and
    64-bit services equally.
    

Problem conclusion

Temporary fix

Comments

  • All the enhancements included in this APAR will be documented
    in the HCR77E0 release of the following ICSF publications:
    
        ICSF Overview                          SC14-7505
        ICSF Administrator's Guide             SC14-7506
        ICSF System Programmer's Guide         SC14-7507
        ICSF Application Programmer's Guide    SC14-7508
    

APAR Information

  • APAR number

    OA66395

  • Reported component name

    ICSF/MVS

  • Reported component ID

    568505101

  • Reported release

    7E0

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Xsystem

  • Submitted date

    2024-04-16

  • Closed date

    2025-06-03

  • Last modified date

    2025-07-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UJ97339 UJ97342

Modules/Macros

  • CSFBHPK8 CSFDBRKA CSFDDMRL CSFDPIMP CSFENCFM CSFGICVT CSFGISB
    CSFINIT2 CSFKSCS2 CSFKSCS4 CSFKSHTB CSFKSHTM CSFKSIPD CSFKSIPE
    CSFMIAKP CSFMICMP CSFMIKUT CSFMISTI CSFMISTT CSFMISTU CSFMIWMP
    CSFNCDSG CSFNCDSV CSFNCEDH CSFNCKDL CSFNCMDW CSFNCPCI CSFNCPKC
    CSFNCPKD CSFNCPKE CSFNCPKG CSFNCPKI CSFNCPKT CSFNCPRB CSFNCSYG
    CSFNCSYX CSFPHY00 CSFPKY22 CSFSMF82 CSFSMFR  CSFVCAUD CSFVCBRC
    CSFVCEVT CSFVCIQA CSFVCPKB CSFVCPTV CSFZSM82
    

Publications Referenced
SC147505.SC147506.SC147507.SC147508. 

Fix information

  • Fixed component name

    ICSF/MVS

  • Fixed component ID

    568505101

Applicable component levels

  • R7D2 PSY UJ97342

       UP25/06/04 P F506  

  • R7E0 PSY UJ97339

       UP25/06/04 P F506  

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
02 July 2025