ICSF Delivers With the FMID HCR77D0 Release

The ICSF FMID HCR77D0 release updates vary from support for new algorithms and new security features to availability enhancements for the ICSF started task.

Cryptographic Support for z/OS V2R2 - z/OS V2R3, also known as ICSF FMID HCR77D0 or web deliverable number 18, was released in December of 2018. The updates contained in this release vary from support for new algorithms and new security features to availability enhancements for the ICSF started task. Let’s take a closer look.

Triple-Length DES Keys 

IBM’s Common Cryptographic Architecture (CCA) Release 5.4 came with the ability to generate and use triple-length DES keys. A triple-length DES key is a 24-byte DES key where each eight-byte segment can have a unique value. Prior to this CCA release, the only key type that was available in three-key format was a DES DATA key. With this new function, triple-length DES keys are available as CIPHER, DATA, DECIPHER, ENCIPHER, EXPORTER, IMPORTER (including IMP-PKA), IPINENC, MAC, MACVER, OPINENC, PINGEN and PINVER key types.
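Whether a 24-byte key actually delivers three-key strength depends on its three segments being distinct once the DES parity bits are ignored. The following added example (not IBM or ICSF code) audits clear key bytes for that property; the function names and sample keys are constructed for illustration, and it makes no ICSF or CCA calls.

```python
# Added example: structural audit of a clear 24-byte DES key.
# Function names and sample keys are hypothetical, constructed for illustration.
PARITY_MASK = 0xFE  # DES ignores the low-order (parity) bit of every key byte


def has_odd_parity(key: bytes) -> bool:
    """True if every byte carries an odd number of 1 bits (DES key parity)."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def fix_parity(key: bytes) -> bytes:
    """Set the low-order bit of each byte so the byte has odd parity."""
    out = bytearray()
    for b in key:
        b &= PARITY_MASK
        if bin(b).count("1") % 2 == 0:
            b |= 1
        out.append(b)
    return bytes(out)


def effective_segments(key: bytes) -> list:
    """Split a 24-byte key into three 8-byte segments with parity bits cleared."""
    if len(key) != 24:
        raise ValueError("a triple-length DES key is exactly 24 bytes")
    return [bytes(b & PARITY_MASK for b in key[i:i + 8]) for i in (0, 8, 16)]


def classify(key: bytes) -> str:
    """Report the strength the key really provides under encrypt-decrypt-encrypt."""
    k1, k2, k3 = effective_segments(key)
    if k1 == k2 or k2 == k3:
        # An adjacent encrypt/decrypt pair cancels, leaving one DES operation.
        return "single"
    if k1 == k3:
        # Two independent segments: equivalent to a double-length key.
        return "double"
    return "triple"


# Constructed sample segments (not real key material).
SAMPLE_K1 = fix_parity(bytes.fromhex("0123456789abcdef"))
SAMPLE_K2 = fix_parity(bytes.fromhex("fedcba9876543210"))
SAMPLE_K3 = fix_parity(bytes.fromhex("89abcdef01234567"))

if __name__ == "__main__":
    for key in (SAMPLE_K1 + SAMPLE_K2 + SAMPLE_K3, SAMPLE_K1 + SAMPLE_K2 + SAMPLE_K1):
        print(key.hex(), classify(key), has_odd_parity(key))
```

Segments that differ only in their parity bits are treated as equal, because those bits do not take part in the DES key schedule.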

ISO-4 PIN Blocks 

IBM’s CCA Release 5.4 also came with support for ISO-4 PIN blocks based on the ISO-9564-4 standard, which introduced AES PIN encrypting keys. The following services have been updated to include support for ISO-4 format PIN blocks: Clear PIN Encrypt (CSNBCPE), DK PAN Modify in Transaction (CSNBDPMT), DK PIN Change (CSNBDPC) and DK PIN Verify (CSNBDPV). In addition, the Encrypted PIN Translate2 (CSNBPTR2) callable service was added.

Security Enhancements

  • The key generator utility program (KGUP) now honors CSFKEYS permissions when the CSF.KGUP.CSFKEYS.AUTHORITY.CHECK profile exists in the XFACILIT class. KGUP also honors “Granular Key Label Access Controls,” which increase the level of access authority required to create, write to or delete a key label.
  • If the CSF.KGUP.VERB.AUTHORITY.CHECK resource exists in the XFACILIT class, KGUP requires you to have UPDATE authority to the CSFKGUP resource in order to use the KGUP control statements DELETE or UPDATE. This helps prevent accidental destruction of key material.
  • ICSF now allows a security administrator to add criteria to a CSFKEYS resource profile indicating which ICSF services can be used with that key resource. This feature allows an administrator to permit a user to encrypt material with a specific key but prevents that same user from using that key to decrypt material (for example). 
  • ICSF can now prepend the name of the system to the SAF resource name when doing an authorization check. For example, when a set of CSFKEYS or CSFSERV resources are shared between two systems, you may want to separately grant access to ICSF resources on those systems.

Key Data Sets (KDS) Browser Updates 

A browser for public key data sets (PKDS) as well as metadata support for the token data set (TKDS) browser have been added. This completes the set of ISPF data set browsers for all of the key data set types supported by ICSF. Also note that an ISPF-based browser for cryptographic key data sets (CKDS) was introduced with ICSF FMID HCR77C1.

Dynamic Service Update 

With cryptographic services becoming more and more critical to business applications, dynamic service update allows you to apply service updates with minimal impact to ICSF availability. ICSF can activate service without a manual stop and start of ICSF with the new operator command, SETICSF PAUSE. Dynamic service update:
  • Allows all in-flight cryptographic operations to complete
  • Routes all incoming cryptographic requests to a pause queue
  • Stops ICSF
  • Restarts ICSF either automatically via a z/OS Automatic Restart Manager (ARM) policy, through customer-configured automation, or manually by an operator. This restart can optionally point to service data sets, allowing customers to activate ICSF service without a workload outage.
  • Resumes the requests on the pause queue

Starting ICSF During IPL-Time

By pointing to the ICSF procedure (ICSFPROC) and the ICSF options data set in the IEASYSxx parmlib member, ICSF can be automatically started early in the z/OS IPL process.

Additional Updates

The FMID HCR77D0 Release also came with the following updates:
  • The ChaCha20 and Poly1305 algorithms
  • The ability to specify the label of a clear key on a call to the Key Test (CSNBKYT) service
  • Users of Operational Key Load can now specify the key wrapping method when the key is imported
  • New GCM and GCMIVGEN rule array keywords on the PKCS #11 Wrap Key (CSFPWPK) and PKCS #11 Unwrap Key (CSFPUWK) services
  • With IBM’s CCA Release 6.2, it is now possible to specify whether a key can be exported by the CCA co-processor for use in a CPACF “protected key” operation during key generation or key import
  • The Field Level Encipher (CSNBFLE) and Field Level Decipher (CSNBFLD) services were updated to access a secure DES cipher key token

Learn More 

IBM z/OS Downloads has additional information on the ICSF FMID HCR77D0 release as well as links to the product publications.