Why don't you enable ICSF? It doesn't require CEX# cards anymore. Of course if CFB functionality supported by ICSF depends on the CEX# card, then you will still be out of luck. I haven't really researched this... but maybe you could use an ICSF exit(s) to provide a CFB function? It certainly wouldn't be for the faint of heart. It might just be cheaper to buy the CEX# feature.
Rob Schramm

On Tue, Sep 29, 2015 at 9:33 AM Dazzo, Matt <[email protected]> wrote:

> Greg, we are told by a third party vendor that their program uses CFB if
> available and will have a marked performance improvement. I sent them job
> listing and they are telling me that only CBC is being used and that CFB
> may not be enabled. Is it possible that CFB is not enabled? Nowhere can I
> find a procedure to configure CFB. We do not have ICSF but have CPACF #3863.
> Tks Matt
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On
> Behalf Of Greg Boyd
> Sent: Saturday, September 26, 2015 11:57 AM
> To: [email protected]
> Subject: Re: CP Assist for Cryptographic Functions (CPACF)
>
> Cipher Feedback Mode in the hardware was introduced with MSA-4 which came
> with the z196/z114 machines. That means that these machines (and later)
> support new assembler instructions that perform chaining operations: KMF
> (Cipher Message with CFB (Cipher Feedback Mode)), KMCTR (Cipher Message
> with Counter) and KMO (Cipher Message with OFB (Output Feedback Mode)).
>
> You can read more about these instructions in the Principles of Operations
> manuals. I don't remember whether these instructions were retrofitted to
> the z10 CPACF hardware. Although according to IBM's TechDoc 'Cryptographic
> Support for z/OS V1R10-V1R12 (HCR7780)' at
> https://www.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/FLASH10716,
> similar support was retrofitted to the CEX3C on the z10.
>
> Prior to this hardware technology being available, ICSF supported cipher
> feedback mode. That is, by specifying the appropriate parm in the rule
> array, ICSF would handle the chaining while using the KM and KMC
> instructions to perform the encryption. The new instructions provided a)
> better performance by doing the work in hardware instead of relying on
> software to do the chaining and b) some new chaining options.
>
> All that said, do you want to use CFB in your app (using the new
> instructions)? or in an app using the ICSF APIs? or with System SSL (since
> you reference the SSL messages)? If you want to use the native
> instructions on a z10, I'd try coding a simpler assembler routine to
> perform a KMF instruction and see if you get an OC1. If you want to use
> the APIs, that should also work, even if the hardware support isn't there.
>
> However, if your concern is about System SSL support, then you have to
> refer to the System SSL manuals. I just did a quick search in both the z/OS
> 1.13 and z/OS 2.1 System SSL Programming manuals and found no reference to
> 'Cipher Feedback'. I found one reference, in a message, about 'Cipher
> Block Chaining'. And https://www.ietf.org/rfc/rfc5246.txt, the RFC for
> TLS Protocol V1.2, says 'All block cipher encryption is done in CBC (Cipher
> Block Chaining) mode ...'. So I don't think CFB is even supported by the
> SSL protocol.
>
> Greg Boyd
> Mainframe Crypto
> www.mainframecrypto.com
>
>
> On Thu, 24 Sep 2015 10:17:13 -0400, Dazzo, Matt <[email protected]> wrote:
>
> >I have searched the archives but not finding the specific answer I need.
> >We have feature CPACF (#3863) on our z10-BC 2098 (zos1.13) but I am told
> >that CFB (Cipher FeedBack) is not enabled on our CPACF. I looked at our
> >HMC Activation profiles and can't determine if CFB feature is enabled but
> >appears crypto is enabled. Can one point me in the right direction to get
> >the info? How is CFB enabled? And how do you determine if it's enabled or
> >not?
> >
> >I do see this in the TN3270 start up.
> >
> >System SSL: SHA-1 crypto assist is available
> >System SSL: SHA-224 crypto assist is available
> >System SSL: SHA-256 crypto assist is available
> >System SSL: SHA-384 crypto assist is available
> >System SSL: SHA-512 crypto assist is available
> >System SSL: DES crypto assist is available
> >System SSL: DES3 crypto assist is available
> >System SSL: AES 128-bit crypto assist is available
> >System SSL: AES 256-bit crypto assist is available
> >System SSL: ICSF services are not available
> >
> >Thanks,
> >
> >Matt Dazzo
> >Senior Systems Programmer
> >Publishers Clearing House
> >
> >
> >----------------------------------------------------------------------
> >For IBM-MAIN subscribe / signoff / archive access instructions, send
> >email to [email protected] with the message: INFO IBM-MAIN
