IBM Support

OA66395: NEW FUNCTION - exploitation for CCA 5.7, 6.7, 7.5, 7.6, 8.2, 8.4

A fix is available

Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as new function.

Error description

  • New Function

FIXCAT: SMFREC/K, E9175/K

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED: ICSF Users                                   *
****************************************************************
* PROBLEM DESCRIPTION: New function - exploitation for         *
*                      CCA 5.7, 6.7, 7.5, 7.6, 8.2, 8.4        *
****************************************************************
PROBLEM SUMMARY
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Support for CCA 5.7, 6.7, 7.5, 7.6, 8.2, 8.4 is added to ICSF.

1. Support for CCA ML-KEM 768, 1024 & ML-DSA 44, 65, 87
(CCA 8.4)
2. Support for up to 8192 bit CCA RSA keys (CCA 7.6, 8.4)
3. Allow CCA AES PINPROT keys to be exported to TR-31 P0 mode of
use B
(CCA 5.7, 6.7, 7.5, 8.2)

1. Support for CCA ML-KEM 768, 1024 & ML-DSA 44, 65, 87
====================================================
The following services were updated:
-----------------------------------------------------------
Digital Signature Generate -- CSNDDSG
Digital Signature Verify -- CSNDDSV
ECC Diffie-Hellman -- CSNDEDH
ICSF Query Algorithm -- CSFIQA
Key Data Set List -- CSFKDSL
Key Data Set Metadata Read -- CSFKDMR
Key Data Set Metadata Write -- CSFKDMW
Key Data Set Record Retrieve -- CSFRRT
Key Data Set Update -- CSFKDU
PKA Key Decrypt -- CSNDPKD
PKA Key Encrypt -- CSNDPKE
PKA Key Generate -- CSNDPKG
PKA Key Import -- CSNDPKI
PKA Key Token Build -- CSNDPKB
PKA Key Token Change -- CSNDKTC
PKA Key Translate -- CSNDPKT
PKA Public Key Extract -- CSNDPKX
PKDS Key Record Create -- CSNDKRC
PKDS Key Record Delete -- CSNDKRD
PKDS Key Record Read -- CSNDKRR
PKDS Key Record Read2 -- CSNDKRR2
PKDS Key Record Write -- CSNDKRW

The following SMF records were updated:
-----------------------------------------------------------
Cryptographic usage statistics: Type 82 Subtype 31
CCA asymmetric key lifecycle event: Type 82 Subtype 41
CCA asymmetric key usage event: Type 82 Subtype 45
Compliance warning event: Type 82 Subtype 48
ICSF Compliance Evidence: Type 1154 Subtype 49

The PKDS KEYS Utility was updated.

The following access control points (ACPs) had a name change:
-----------------------------------------------------------
PKA Decrypt - Allow ML-KEM, CRYSTALS-Kyber keys (0084)
PKA Encrypt - Allow ML-KEM, CRYSTALS-Kyber keys (0083)
PKA Key Generate - Clear ML-DSA, CRYSTALS-Dilithium keys (027F)
PKA Key Generate - Clear ML-KEM, CRYSTALS-Kyber keys (020E)

The following access control point (ACP) had a name change
and now affects multiple services:
-----------------------------------------------------------
Permit Regeneration Data (027D)


2. Support for up to 8192 bit CCA RSA keys
====================================================
The following services were updated:
-----------------------------------------------------------
Digital Signature Generate -- CSNDDSG
Digital Signature Verify -- CSNDDSV
ICSF Query Algorithm -- CSFIQA
ICSF Query Facility -- CSFIQF
Key Data Set List -- CSFKDSL
Key Data Set Metadata Read -- CSFKDMR
Key Data Set Metadata Write -- CSFKDMW
Key Data Set Record Retrieve -- CSFRRT
Key Data Set Update -- CSFKDU
Key Test2 -- CSNBKYT2
PKA Key Decrypt -- CSNDPKD
PKA Key Encrypt -- CSNDPKE
PKA Key Generate -- CSNDPKG
PKA Key Import -- CSNDPKI
PKA Key Token Build -- CSNDPKB
PKA Key Token Change -- CSNDKTC
PKA Key Translate -- CSNDPKT
PKA Public Key Extract -- CSNDPKX
PKDS Key Record Create -- CSNDKRC
PKDS Key Record Delete -- CSNDKRD
PKDS Key Record Read -- CSNDKRR
PKDS Key Record Read2 -- CSNDKRR2
PKDS Key Record Write -- CSNDKRW
Public Infrastructure Certificate -- CSNDPIC
Symmetric Key Export -- CSNDSYX
Symmetric Key Export with Data -- CSNDSXD
Symmetric Key Generate -- CSNDSYG
Symmetric Key Import -- CSNDSYI
Symmetric Key Import2 -- CSNDSYI2

The following SMF records were updated:
-----------------------------------------------------------
Cryptographic usage statistics: Type 82 Subtype 31
CCA asymmetric key lifecycle event: Type 82 Subtype 41
CCA asymmetric key usage event: Type 82 Subtype 45
Compliance warning event: Type 82 Subtype 48
ICSF Compliance Evidence: Type 1154 Subtype 49

The PKDS KEYS Utility was updated.

The ICSF_WEAK_CCA_KEYS health check was updated to list RSA
keys less than 2048 bits.


3. Allow CCA AES PINPROT keys to be exported to TR-31 P0 mode of
use B
====================================================
The following service was updated:
-----------------------------------------------------------
TR-31 Translate -- CSNBT31X

The following access control point (ACP) was added:
-----------------------------------------------------------
T31X - Permit AES PINPROT to P0:B (050A)


Notes:
1. Callable service changes apply to both the 31-bit and
64-bit services equally.

    



Problem conclusion


    

  • 



Temporary fix


    

  • 



Comments


    

  • All the enhancements included in this APAR will be documented
in the HCR77E0 release of the following ICSF publications:

    ICSF Overview                          SC14-7505
    ICSF Administrator's Guide             SC14-7506
    ICSF System Programmer's Guide         SC14-7507
    ICSF Application Programmer's Guide    SC14-7508

    



APAR Information




    

  • APAR number
    OA66395
    • 

  • Reported component name
    ICSF/MVS
    • 

  • Reported component ID
    568505101
    • 

  • Reported release
    7E0
    • 

  • Status
    CLOSED  UR1
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    YesSpecatt / New Function / Xsystem
    • 

  • Submitted date
    2024-04-16
    • 

  • Closed date
    2025-06-03
    • 

  • Last modified date
    2025-07-02
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
UJ97339 UJ97342
    

    • 



Modules/Macros


    

  • CSFBHPK8 CSFDBRKA CSFDDMRL CSFDPIMP CSFENCFM CSFGICVT CSFGISB
CSFINIT2 CSFKSCS2 CSFKSCS4 CSFKSHTB CSFKSHTM CSFKSIPD CSFKSIPE
CSFMIAKP CSFMICMP CSFMIKUT CSFMISTI CSFMISTT CSFMISTU CSFMIWMP
CSFNCDSG CSFNCDSV CSFNCEDH CSFNCKDL CSFNCMDW CSFNCPCI CSFNCPKC
CSFNCPKD CSFNCPKE CSFNCPKG CSFNCPKI CSFNCPKT CSFNCPRB CSFNCSYG
CSFNCSYX CSFPHY00 CSFPKY22 CSFSMF82 CSFSMFR  CSFVCAUD CSFVCBRC
CSFVCEVT CSFVCIQA CSFVCPKB CSFVCPTV CSFZSM82

    




Publications Referenced


SC147505.SC147506.SC147507.SC147508. 





Fix information


    

  • Fixed component name
    ICSF/MVS
    • 

  • Fixed component ID
    568505101
    • 



Applicable component levels


    

  • R7D2  PSY  UJ97342
       UP25/06/04  P  F506   
    • 

  • R7E0  PSY  UJ97339
       UP25/06/04  P  F506   
    • 



Fix is available


    

  • Select the PTF appropriate for your component level.
You will be required to sign in. Distribution on physical
media is not available in all countries.
    








      
              
                            

              

              [{"Business Unit":{"code":"BU011","label":"Systems - zSystems software"},"Product":{"code":"SG19O"},"Platform":[{"code":"PF054","label":"z Systems"}],"Version":"7E0"}]
              

                                                                    

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            02 July 2025
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback