Operating in compliance with FIPS 140-2
z/OS Cryptographic Services ICSF Writing PKCS #11 Applications, SA23-2231-05
The National Institute of Standards and Technology (NIST) is the US federal technology agency that works with industry to develop and apply technology, measurements, and standards. One of the standards published by NIST is the Federal Information Processing Standard Security Requirements for Cryptographic Modules, referred to as FIPS 140-2. FIPS 140-2 provides a standard that can be required by organizations who specify that cryptographic-based security systems are to be used to provide protection for sensitive or valuable data.
z/OS PKCS #11 cryptography is designed to meet FIPS 140-2 Level 1 criteria, and can be configured to operate in compliance with FIPS 140-2 specifications. Applications that need to comply with the FIPS 140-2 standard can therefore use the z/OS PKCS #11 services in a way that allows only the cryptographic algorithms (including key sizes) approved by the standard and restricts access to the algorithms that are not approved.
There are two modes of FIPS operation:
You can also use FIPS compatibility mode to test individual applications to ensure FIPS compliance before switching to FIPS standard mode.
ICSF installation options are described in the z/OS Cryptographic Services ICSF System Programmer's Guide. The installation option FIPSMODE indicates one of the following:
If any z/OS PKCS #11 application intends to use the services in compliance with the FIPS 140-2 standard, then, in accordance with that standard, the integrity of the load module containing the z/OS PKCS #11 services must be checked when ICSF is started. This load module is digitally signed, and, in order for applications using its services to be FIPS 140-2 compliant, the signature must be verified when ICSF is started. For more information, refer to Requiring signature verification for ICSF module CSFINPV2.
If any application will use PKCS #11 objects for AES Galois/Counter Mode (GCM) encryption or GMAC generation, and will have ICSF generate the initialization vectors, then you need to set ECVTSPLX or CVTSNAME to a unique value. Refer to z/OS Cryptographic Services ICSF System Programmer's Guide for more information.
Copyright IBM Corporation 1990, 2014