IBM Crypto Education Community


Join the IBM Crypto Education community to explore and understand IBM cryptography technology. This community is operated and maintained by the IBM Crypto Development team.


New enhancements in ICSF FMID HCR77E0 (z/OS 3.1)

By GREGG ARQUERO posted Thu September 28, 2023 09:30 AM


Authors: Gregg Arquero & John Craig

The release of ICSF FMID HCR77E0 on z/OS 3.1 brings with it several highly requested security and compliance features. These new features aim to simplify commonly performed tasks as well as provide additional controls to strengthen your security posture. Learn about each of these new features below:

Key part control for Master Key Entry Utility

The Master Key Entry utility allows users to load master key parts into the new master key registers of CCA crypto coprocessors. Each master key must be split into at least 2 key parts, which can be entered in any order into the panel utility to complete the master key load. With this enhancement, organizations can limit who is allowed to load each master key part, enforcing separation of duty among the key officers.

To enable this support, the CSF.MASTER.KEY.ENTRY.BY.PART profile must be defined in the XFACILIT class. 

To load key parts, users must have READ access to the key part profiles:

  • CSF.MKE.LOAD.FIRST.PART - Authority to load the first key part

  • CSF.MKE.LOAD.MIDDLE.PART - Authority to load one or more middle key parts, if applicable

  • CSF.MKE.LOAD.FINAL.PART - Authority to load the final key part

Additionally, the ability to control who can reset the new master key registers can be configured with READ access to the CSF.MKE.RESET.NMK profile.

AES CIPHER and HMAC ICSF panels

Two new ICSF panels have been added to greatly simplify the generation of AES CIPHER and HMAC keys. For both panels, newly generated keys are written directly to the CKDS using the specified key label.

The AES CIPHER key panel allows administrators to select the key length, encryption mode, and CPACF export setting. This panel is helpful for generating new AES CIPHER keys for z/OS Data Set Encryption as 256-bit length, ANY encryption mode, and CPACF exportable are selected by default.

The HMAC key panel allows you to either generate a new HMAC key or import an existing HMAC clear (unencrypted) key. When generating a new HMAC key, you can select the hash method control, the key bit length, and whether the key is clear or encrypted by the master key. To import a clear HMAC key, you can specify the clear key material directly on the panel and optionally encrypt it with the master key. This panel is helpful when using HMAC keys for RACF Enhanced PassTickets.

New ICSF Health Checks

The ICSF_STATUS health check reports the state of the ICSF task. The check is activated the first time ICSF is initialized and runs on a daily basis. The reporting frequency can be altered to meet your business needs. This check will continue to run and report the ICSF status even after ICSF has been stopped or restarted.

The ICSF_STATUS check will report the following states:

  • Active - ICSF is up and running normally

  • Inactive - ICSF has been stopped and is not running

  • Abended - ICSF has terminated abnormally and is not running

  • Initializing - ICSF is currently going through its initialization process

The ICSF_CLEAR_KEYS health check detects clear (unencrypted) keys in the active CKDS, PKDS, and TKDS. The key labels of the clear keys are listed in the health checker report, sorted by KDS. You can use this health check to identify keys in use that should be rotated out in favor of encrypted keys.

Bcrypt hashing algorithm

Bcrypt is a password hashing algorithm designed to be deliberately slow, which protects against brute force and rainbow table attacks. In z/OS 3.1, the One-way Hash Generate (CSNBOWH & CSNEOWH) service has been updated to support the Bcrypt hashing algorithm. You can adjust the time it takes to compute the hash by modifying the cost parameter. The output hash is returned in a base-64 encoded string.

Example output:

Input text - “password”

Cost factor - 5
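As an added illustration (not code from the post or from ICSF itself), the block below parses stored bcrypt strings and flags entries whose cost factor falls below a policy floor, so an administrator can audit whether the cost parameter chosen for CSNBOWH is strong enough. It assumes the widely used `$2b$<cost>$<salt><digest>` layout (that CSNBOWH emits exactly this layout is an assumption), a hypothetical `MIN_COST` of 10, and constructed sample records.

```python
# Added example, not from the IBM post. Assumes the usual bcrypt string layout
# $2b$<cost>$<22-char salt><31-char digest>; that CSNBOWH emits exactly this
# layout is an assumption, and every sample string below is constructed.
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
KNOWN_VERSIONS = ("2a", "2b", "2y")
MIN_COST = 10  # policy floor used by this example; tune to your hardware budget

def bcrypt_b64decode(text, nbytes):
    """Decode bcrypt's unpadded base-64 (alphabet starts with './')."""
    acc, bits, out = 0, 0, bytearray()
    for ch in text:
        idx = BCRYPT_B64.find(ch)
        if idx < 0:
            raise ValueError(f"invalid bcrypt base-64 character {ch!r}")
        acc, bits = (acc << 6) | idx, bits + 6
        while bits >= 8 and len(out) < nbytes:
            bits -= 8
            out.append((acc >> bits) & 0xFF)  # next full byte, MSB first
    return bytes(out)

def parse_bcrypt(s):
    """Split a bcrypt string into version, cost, rounds, salt and digest."""
    parts = s.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] not in KNOWN_VERSIONS:
        raise ValueError("not a recognised bcrypt string")
    cost = int(parts[2]) if parts[2].isdigit() else -1
    if len(parts[2]) != 2 or not 4 <= cost <= 31:  # two digits, bcrypt's 4..31 range
        raise ValueError(f"bad cost field {parts[2]!r}")
    if len(parts[3]) != 53:
        raise ValueError("salt+digest must be 53 characters")
    return {"version": parts[1], "cost": cost, "rounds": 1 << cost,
            "salt": bcrypt_b64decode(parts[3][:22], 16), "digest": parts[3][22:]}

def weak_cost_labels(entries):
    """Labels whose hash has cost < MIN_COST, or cannot be parsed at all."""
    flagged = []
    for label, hashed in entries.items():
        try:
            if parse_bcrypt(hashed)["cost"] < MIN_COST:
                flagged.append(label)
        except ValueError:
            flagged.append(label)
    return sorted(flagged)

SAMPLE = {  # constructed records: labels and strings are made up, not real digests
    "APP1.USER.A": "$2b$05$abcdefghijklmnopqrstuv" + "A" * 31,  # cost 5: too cheap
    "APP1.USER.B": "$2b$12$abcdefghijklmnopqrstuv" + "B" * 31,  # cost 12: passes
    "APP1.USER.C": "$1$legacy$notbcrypt",  # not bcrypt at all
}
```

Each increment of the cost parameter doubles the number of expensive key-schedule rounds (2 to the power of cost), which is why the page's cost factor of 5 is fine for a demonstration but far below what a production floor should be.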

APARs rolled into the base 

In addition to the enhancements described above, the following new function APARs are now part of the base of HCR77E0 in z/OS 3.1:

  • OA61253

    • CCA

      • Support for Encrypted PIN Verify2 service (CSNBPVR2 & CSNEPVR2).

      • Support for Schnorr digital signature algorithm.

    • PKCS #11

      • Support for PKCS #11 Secret Key Reencrypt Service (CSFPSKR & CSFPSKR6).

      • Support for Koblitz elliptic curves.

  • OA62763

    • Support for larger CRLs and TR-34 Key blocks and the ability to programmatically allow expired KRDs credentials and CRLs.

  • OA61609

    • Support for z16 hardware and CEX8.

    • Support for CRYSTALS-Dilithium 65 Round 3 and CRYSTALS-Dilithium 87 Round 2 and 3.

    • Support for CRYSTALS-Kyber 1024 Round 2.

  • OA61977

    • Support for ICSF Compliance evidence collection using SMF Type 1154 Subtype 49 records

  • OA63531

    • Support for Access Control Points to control the export of an IMPORTER/EXPORTER key as ‘K0’ key usage with ‘B’ Mode of use.

    • CSNBT31I and CSNBT31X have been updated to allow Mode of Use 'N' with B, C, and D key block version IDs.

  • OA61978

    • Support for operational X9.143 key blocks

    • Support for OAEP 2.1 algorithm

Comments

Mon October 28, 2024 12:58 PM

Thank you Gregg

Mon October 28, 2024 10:04 AM

Hi Philippe,

Enhanced PassTickets support both clear and secure HMAC keys. When using clear HMAC keys, a CCA Crypto Express Coprocessor is not required.

Thanks,

Gregg

Sun October 27, 2024 04:02 PM

I have a question regarding the new support introduced in z/OS 3.1 that allows HMAC clear keys to be defined. Does it mean that we can now also define PassTickets using HMAC clear keys, and that a CCA coprocessor is not a hard requirement? Or do we still need to define HMAC keys encrypted with the AES master key?

thank you, Philippe