IBM Crypto Education Community


New enhancements in ICSF FMID HCR77F0 (z/OS 3.2)

By Anna Deng posted 17 hours ago


Authors: Anna Deng & Gregg Arquero

CSFIQF updated to better query MKVPs

With the new rule STATICSB, the state of all master key registers is checked, and their key check values are calculated using both current and older MKVP methods.

CSFKDMR now returns metadata tags and associated metadata

With the new rules TAGS and TAGS-MD, you can query a key's variable metadata, which helps you understand the specific details or intended use case of that key.

New sample CSFMKRM

The existing sample CSFMKVPR provides the ability to remove Master Key Verification Patterns (MKVPs), along with the associated MKVP date and date flags, from a CKDS or PKDS flat file for any Key Data Set (KDS) format. CSFMKVPR performs this action only when there are no keys in the supplied flat file that require the specified master key.
In contrast, CSFMKRM extends this functionality by also removing any operational key records that have been encrypted under the specified master key. This allows for complete cleanup of both the MKVP information and all related key material associated with that master key.
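To make the difference between the two samples concrete, the following Python model (added here; it is not IBM's sample code, and the record layout is a constructed stand-in, not the real CKDS/PKDS flat-file format) applies the two cleanup rules described above to a toy flat file: the CSFMKVPR-style rule refuses to remove an MKVP while any key still depends on that master key, whereas the CSFMKRM-style rule removes the MKVP together with every dependent key record.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed toy model of a KDS flat file. It holds the master key
# verification patterns (MKVPs, with their date and date flags) and the
# operational key records, each tagged with the master key type it is
# encrypted under. The real CKDS/PKDS record layouts are not modelled.


@dataclass
class MKVPEntry:
    mk_type: str        # constructed label, e.g. "DES" or "AES"
    mkvp: bytes         # verification pattern value (constructed)
    mkvp_date: str      # associated MKVP date
    date_flags: int     # associated date flags


@dataclass
class KeyRecord:
    label: str
    mk_type: Optional[str]   # None for a key that needs no master key


@dataclass
class FlatFile:
    mkvps: List[MKVPEntry] = field(default_factory=list)
    keys: List[KeyRecord] = field(default_factory=list)


def keys_requiring(flat: FlatFile, mk_type: str) -> List[KeyRecord]:
    """Key records that are encrypted under the given master key type."""
    return [k for k in flat.keys if k.mk_type == mk_type]


def _drop_mkvp(flat: FlatFile, mk_type: str) -> bool:
    """Remove the MKVP entry (with its date and flags); True if one was removed."""
    before = len(flat.mkvps)
    flat.mkvps = [m for m in flat.mkvps if m.mk_type != mk_type]
    return len(flat.mkvps) < before


def csfmkvpr_like(flat: FlatFile, mk_type: str) -> bool:
    """CSFMKVPR-style rule: remove the MKVP only when no key in the file
    requires that master key. Returns True if the MKVP was removed."""
    if keys_requiring(flat, mk_type):
        return False          # refuse: dependent keys would become unusable
    return _drop_mkvp(flat, mk_type)


def csfmkrm_like(flat: FlatFile, mk_type: str) -> Tuple[bool, int]:
    """CSFMKRM-style rule: remove the MKVP and every operational key record
    encrypted under that master key. Returns (mkvp_removed, keys_removed)."""
    dependent = keys_requiring(flat, mk_type)
    flat.keys = [k for k in flat.keys if k.mk_type != mk_type]
    return (_drop_mkvp(flat, mk_type), len(dependent))


def sample_file() -> FlatFile:
    """Constructed CKDS-like flat file: DES and AES MKVPs, two DES keys,
    one key that needs no master key, and no AES keys."""
    return FlatFile(
        mkvps=[
            MKVPEntry("DES", b"\x11\x22\x33\x44\x55\x66\x77\x88", "2024-01-15", 1),
            MKVPEntry("AES", b"\xaa\xbb\xcc\xdd\xee\xff\x00\x11", "2024-01-15", 1),
        ],
        keys=[
            KeyRecord("PAYROLL.DES.KEY1", "DES"),
            KeyRecord("PAYROLL.DES.KEY2", "DES"),
            KeyRecord("CLEAR.TOKEN.1", None),
        ],
    )


if __name__ == "__main__":
    f = sample_file()
    print("CSFMKVPR-style remove DES:", csfmkvpr_like(f, "DES"))   # False
    print("CSFMKVPR-style remove AES:", csfmkvpr_like(f, "AES"))   # True
    f = sample_file()
    print("CSFMKRM-style remove DES:", csfmkrm_like(f, "DES"))     # (True, 2)
```

The point the model makes is the ordering of checks: the conservative sample treats a still-referenced MKVP as an error condition and leaves the file untouched, while the new sample treats the dependent keys as part of the material to be cleaned up, so run it only once you are certain nothing else still needs those keys.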

Improved performance for SHA-2 HMAC, SHA-3, and SHAKE with CPACF

The CP Assist for Cryptographic Function (CPACF) is a hardware feature on IBM Z mainframes that provides high-speed, low-latency cryptographic processing directly within the processor. It’s designed to offload common cryptographic operations from software to hardware, significantly improving performance and reducing CPU overhead for secure workloads. The IBM z17 mainframe introduced new performance optimizations for SHA-2 HMAC and SHA-3 cryptographic operations on the CPACF processor. With APAR OA66518, these performance optimizations can be exploited transparently through ICSF callable services when running on a z17 machine.

The following ICSF services will now offload clear key SHA-2 HMAC operations to the CPACF processor:

  • HMAC Generate (CSNBHMG or CSNBHMG1 and CSNEHMG or CSNEHMG1)
  • HMAC Verify (CSNBHMV or CSNBHMV1 and CSNEHMV or CSNEHMV1)
  • MAC Generate2 (CSNBMGN2, CSNBMGN3, CSNEMGN2, and CSNEMGN3)
  • MAC Verify2 (CSNBMVR2, CSNBMVR3, CSNEMVR2, and CSNEMVR3)
  • PKCS #11 Generate Keyed MAC (CSFPHMG and CSFPHMG6)
  • PKCS #11 Verify Keyed MAC (CSFPHMV and CSFPHMV6)

In addition, SHA-3 and SHAKE cryptographic operations will now experience a marginal performance increase when called through the following ICSF services:

  • One-Way Hash Generate (CSNBOWH or CSNBOWH1 and CSNEOWH or CSNEOWH1)
  • PKCS #11 Generate Key Pair (CSFPGKP and CSFPGKP6)

APARs rolled into the base

In addition to the enhancements above, the following new function APARs are also part of the base of HCR77F0 in z/OS 3.2:

OA65205 / OA65206 - Support for CEX8P, CEX7P on z16, z15.

OA64883

OA66519 - Support for PKCS #11 AES PBKDF2 via new callable service CSFPGK2

OA66635 - Improved ICSF storage utilization

OA67794 - ICSF TRSQ includes the following APARs:

  • OA66395 / OA66396 - See CCA 8.4 for IBM z17, z16 ML-KEM, ML-DSA for a comprehensive description.
  • OA66797 - Additional job, user, or key metadata information in some ICSF SMF records.
  • OA66518 - Support for z17 CPACF HMAC and SHA3 / SHAKE.
  • OA68180 - Exploitation of CPACF for PKCS #11 AES PBKDF2.