PQC on Java: Configuring your IBM Z system to use Post-Quantum Cryptography

By Emily Popovic posted 7 days ago

  

Overview

This article covers the prerequisites for running the NIST Post-Quantum Cryptography (PQC) algorithms ML-KEM and ML-DSA with IBM Semeru Runtimes.

Step 1: Download an IBM Semeru Runtimes SDK

An IBM Semeru Runtimes SDK must first be installed on your IBM Z system. Running the PQC algorithms requires Java 17.0.15.0 or Java 21.0.7.0 or later. PQC is not supported on Java 8 or 11.

See the section "How to obtain an IBM Semeru Runtimes SDK" for steps and links to download a JDK onto your system.

Step 2: Run on IBM z16 or z17 hardware

IBM z16 and z17 hardware provides the capability to use quantum-safe APIs that can protect the system from attacks, including threats that might use quantum computers. These APIs are available through ICSF and the CCA APIs, which are then made available in the IBM Semeru Runtimes SDK. IBM Semeru Runtimes only supports PQC calls when IBM z16 or z17 hardware is used.

Step 3: Install ICSF HCR77D2 (z/OS 2.5) or later

The PQC functionality in IBM Semeru Runtimes depends on the availability and capabilities of ICSF. Support for PQC algorithms was introduced with ICSF APAR OA66395, which applies to ICSF version HCR77D2 on z/OS 2.5 and HCR77E0 on z/OS 3.1. To use the PQC algorithms, you must ensure that your IBM Z system is running z/OS 2.5 or 3.1 and has the appropriate ICSF version (HCR77D2 or HCR77E0) with APAR OA66395 installed.

Step 4: Equip a Crypto Express8S coprocessor or later

PQC algorithm support requires a Crypto Express8S (CEX8S) coprocessor with CCA release 8.4 or later licensed internal code (LIC). The CEX8S is the minimum Hardware Security Module (HSM) needed to run PQC with Java on IBM Semeru Runtimes.

Step 5: Convert your PKDS to KDSRL format

If a PKDS is allocated and you want to store ML-KEM or ML-DSA CCA key tokens, you must convert your PKDS to a large common record format (KDSRL).

Because PQC keys are extremely large, the PKDS must be configured to accommodate these new key types. The KDSRL format increases the logical record length (LRECL) of the PKDS. If you plan to store CCA PQC key tokens in your ICSF PKDS, you must be on ICSF HCR77D2 or HCR77E0 and have a KDSRL PKDS.

Step 6: Enable CPACF feature code 3863

z/OS Integrated Cryptographic Services Facility (ICSF) uses CPACF to accelerate cryptographic functions. For ICSF to use these functions, Feature Code (FC) 3863 must be enabled. This FC is not enabled by default.
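A preflight check for the Java side of these steps, added here as an example (it is not code from the article or from IBM): it compares the running JVM against the Step 1 minimums and lists any registered security-provider services for ML-KEM and ML-DSA. The class name `PqcPreflight`, the reading of Step 1 as "17.0.15+ on the 17 line, otherwise 21.0.7+", and the assumption that the services are registered under names containing `ML-KEM` and `ML-DSA` are mine.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public class PqcPreflight {
    // Minimum levels taken from Step 1 of the article.
    static final Runtime.Version MIN_17 = Runtime.Version.parse("17.0.15");
    static final Runtime.Version MIN_21 = Runtime.Version.parse("21.0.7");

    // Assumed reading of Step 1: the 17 line needs 17.0.15+, everything else needs 21.0.7+.
    static boolean versionOk(Runtime.Version v) {
        Runtime.Version min = (v.feature() == 17) ? MIN_17 : MIN_21;
        return v.compareToIgnoreOptional(min) >= 0;
    }

    // Returns "provider: type.algorithm" for each registered service whose
    // algorithm name contains the given family (name match is an assumption).
    static List<String> findServices(String family) {
        List<String> hits = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if (s.getAlgorithm().toUpperCase(Locale.ROOT).contains(family)) {
                    hits.add(p.getName() + ": " + s.getType() + "." + s.getAlgorithm());
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        Runtime.Version v = Runtime.version();
        boolean ok = versionOk(v);
        System.out.println("Runtime " + v + (ok ? " meets" : " does NOT meet")
                + " the Step 1 minimum");
        for (String family : new String[] {"ML-KEM", "ML-DSA"}) {
            List<String> hits = findServices(family);
            if (hits.isEmpty()) {
                System.out.println(family + ": no provider registers this algorithm");
                ok = false;
            }
            hits.forEach(h -> System.out.println(family + " -> " + h));
        }
        // Non-zero exit lets a deployment script stop before the application starts.
        System.exit(ok ? 0 : 1);
    }
}
```

A service listing only shows what the runtime's providers register; the check does not verify the hardware, ICSF, coprocessor, PKDS or feature-code prerequisites in steps 2 through 6.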

Conclusion

This article should give you everything you need to configure your IBM Z environment and begin using the ML-KEM and ML-DSA PQC capabilities in your Java applications. You are taking the first step in protecting your applications from the inevitable risk of quantum computers.


How to obtain an IBM Semeru Runtimes SDK

The IBM Java SAF APIs are included in the IBM Semeru Runtime Certified Edition for z/OS download. Please follow the links below to download the IBM Semeru SDK onto your own machines.

 How to obtain IBM Semeru Runtime Certified Edition for z/OS?
IBM Semeru Runtime Certified Edition for z/OS is available for zero license charge through Shopz SMP/E, or you can download the non-SMP/E here. The subscription and service number is 5655-I48.

Supporting Links:
IBM Semeru Runtime Certified Edition for z/OS product page
For additional information on installation, troubleshooting and support please visit IBM Documentation.
