IBM Crypto Education Community - Group home

New enhancements in ICSF FMID HCR77E0 (z/OS 3.1)

By GREGG ARQUERO posted Thu September 28, 2023 09:30 AM


Authors: Gregg Arquero & John Craig

The release of ICSF FMID HCR77E0 on z/OS 3.1 brings with it several highly requested security and compliance features. These new features aim to simplify commonly performed tasks as well as provide additional controls to strengthen your security posture. Learn about each of these new features below:

Key part control for Master Key Entry Utility

The Master Key Entry utility allows users to load master key parts into the new master key registers of CCA crypto coprocessors. Each master key must be split into at least 2 key parts and are entered in any order into the panel utility to complete the master key load. With this enhancement, organizations will be able to limit who can load each master key part to enforce of separation of duty amongst the key officers.

To enable this support, the CSF.MASTER.KEY.ENTRY.BY.PART profile must be defined in the XFACILIT class. 

To load key parts, users must have READ access to the key part profiles:

  • CSF.MKE.LOAD.FIRST.PART - Authority to load the first key part

  • CSF.MKE.LOAD.MIDDLE.PART - Authority to load one or more middle key parts, if applicable

  • CSF.MKE.LOAD.FINAL.PART - Authority to load the final key part

Additionally, the ability to control who can reset the new master key registers can be configured with READ access to the CSF.MKE.RESET.NMK profile.


Two new ICSF panels have been added to greatly simplify the generation of AES CIPHER and HMAC keys. For both panels, newly generated keys are written directly to the CKDS using the specified key label.

The AES CIPHER key panel allows administrators to select the key length, encryption mode, and CPACF export setting. This panel is helpful for generating new AES CIPHER keys for z/OS Data Set Encryption as 256-bit length, ANY encryption mode, and CPACF exportable are selected by default.

The HMAC key panel allows you to either generate a new HMAC key or import an existing HMAC clear (unencrypted) key. When generating a new HMAC key, you can select the hash method control, the key bit length, and wether the key is clear or encrypted by the master key. To import a clear HMAC key, you can specify the clear key material directly on the panel and optionally encrypt it with the master key. This panel is helpful when using HMAC keys for RACF Enhanced PassTickets.

New ICSF Health Checks

The ICSF_STATUS health check reports the state of the ICSF task. The check is activated the first time ICSF is initialized and runs on a daily basis. The reporting frequency can be altered to meet your business needs. This check will continue to run and report the ICSF status even after ICSF has been stopped or restarted.

The ICSF_STATUS check will report the following states:

  • Active - ICSF is up and running normally

  • Inactive - ICSF has been stopped and is not running

  • Abended - ICSF has terminated abnormally and is not running

  • Initializing - ICSF is currently going through its initialization process

The ICSF_CLEAR_KEYS detects clear (unencrypted) keys in the active CKDS, PKDS, and TKDS. The key labels of the clear keys will be listed in the health checker report sorted by KDS. You can use this health check to identify keys in use that should be rotated out in favor of encrypted keys.

Bcrypt hashing algorithm

Bcrypt is a password hashing algorithm designed to be deliberately slow. This algorithm protects against brute force and rainbow table attacks. In z/OS 3.1, The One-way Hash Generate (CSNBOWH & CSNEOWH) service has been updated to support the Bcrypt hashing algorithm. You can adjust the time it takes to compute the hash by modifying the cost parameter. The output hash in returned in a base-64 encoded string.

Example output:

Input text - “password”

Cost factor - 5

APARs rolled into the base 

In addition to the enhancements described above, the following new function APARs are now part of the base of HCR77E0 in z/OS 3.1:

  • OA61253

    • CCA

      • Support for Encrypted PIN Verify2 service (CSNBPVR2 & CSNEPVR2).

      • Support for Schnorr digital signature algorithm.

    • PKCS #11

      • Support for PKCS #11 Secret Key Reencrypt Service (CSFPSKR & CSFPSKR6).

      • Support for Koblitz elliptic curves.

  • OA62763

    • Support for larger CRLs and TR-34 Key blocks and the ability to programmatically allow expired KRDs credentials and CRLs.

  • OA61609

    • Support for z16 hardware and CEX8.

    • Support for CRYSTALS-Dilithium 65 Round 3 and CRYSTALS-Dilithium 87 Round 2 and 3 .

    • Support for CRYSTALS-Kyber 1024 Round 2.

  • OA61977

    • Support for ICSF Compliance evidence collection using SMF Type 1154 Subtype 49 records

  • OA63531

    • Support for Access Control Points to control the export of an IMPORTER/EXPORTER key as ‘K0’ key usage with ‘B’ Mode of use.

    • CSNBT31I and CSNBT31X have been updated to allow Mode of Use 'N' with B, C, and D key block version IDs.

  • OA61978

    • Support for operational X9.143 key blocks

    • Support for OAEP 2.1 algorithm