z/OS Version 2 Release 4 Open Cryptographic Services Facility Application Programming IBM SC14-7513-40 Note Before using this information and the product it supports, read the information in “Notices” on page 281. This edition applies to Version 2 Release 4 of z/OS (5650-ZOS) and to all subsequent releases and modifications until otherwise indicated in new editions. Last updated: 2020-03-25 © Copyright International Business Machines Corporation 1999, 2020. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Figures............................................................................................................... xiii Tables................................................................................................................. xv About this document...........................................................................................xix OCSF Architecture..................................................................................................................................... xix Who should use this information............................................................................................................... xx Requirements............................................................................................................................................ xxi Conventions used in this information....................................................................................................... xxi Where to Find More Information ..............................................................................................................xxi Internet Sources ................................................................................................................................. xxi How to send your comments to IBM...................................................................xxiii If you have a technical problem.............................................................................................................. xxiii Summary of changes.......................................................................................... xxv Summary of changes for z/OS Version 2 Release 4 (V2R4).................................................................... xxv Summary of changes for z/OS Version 2 Release 3 (V2R3).................................................................... xxv Summary of changes for z/OS Version 2 Release 2 (V2R2).................................................................... xxv Chapter 1. Configuring and Getting Started ........................................................... 1 Setting Up the Necessary Security Authorizations .................................................................................... 1 Security Administration..........................................................................................................................1 RACF FACILITY Class Profiles Required by OCSF ................................................................................ 1 Program Control .....................................................................................................................................2 APF Authorization...................................................................................................................................3 OSCF User Identities and Permissions ................................................................................................. 3 Granting Permission to Use OCSF Service ............................................................................................ 3 Using Groups.......................................................................................................................................... 4 Refreshing z/OS Security Server Data ...................................................................................................4 Running the Installation Script ................................................................................................................... 4 Running the Installation Verification Procedure ........................................................................................ 5 Common Problems ......................................................................................................................................6 Chapter 2. Open Cryptographic Services Facility Framework ..................................7 Module Management................................................................................................................................... 7 Installing and Uninstalling Service Provider Modules .......................................................................... 7 Listing Service Provider Modules and Services .................................................................................... 8 Attaching and Detaching Service Provider Modules .............................................................................8 Managing Calls Between Service Provider Modules .............................................................................9 Memory Management................................................................................................................................10 Security Context Management ................................................................................................................. 10 OCSF Security Context Changes ...............................................................................................................12 Integrity Verification Services .................................................................................................................. 13 Chapter 3. OCSF Policy Modules ..........................................................................15 Usage of OCSF Policy Modules ................................................................................................................. 15 OCSF Behavior When Only the OCSF Base is Installed ......................................................................15 OCSF Behavior When the OCSF Security Level 3 Feature is Installed ...............................................15 iii Implementation of OCSF Policy Modules .................................................................................................15 Chapter 4. Cryptographic Module Manager .......................................................... 17 Supporting Legacy CSPs............................................................................................................................ 17 Cryptography Services API ....................................................................................................................... 17 Dependencies with the Policy Modules ....................................................................................................18 Chapter 5. Trust Policy Module Manager .............................................................. 21 Trust Policy API .........................................................................................................................................22 Chapter 6. Certificate Library Module Manager .................................................... 23 Certificate Library Services API ................................................................................................................23 Chapter 7. Data Storage Library Module Manager .................................................25 Data Storage Library Services API ............................................................................................................25 Chapter 8. Service Provider Modules ................................................................... 27 Cryptographic Service Provider Modules ................................................................................................. 27 Trust Policy Modules .................................................................................................................................27 Certificate Library Modules .......................................................................................................................28 Data Storage Library Module .................................................................................................................... 28 OCSF Service Provider Modules ............................................................................................................... 28 IBM Software Cryptographic Service Provider, Version 1.0 .................................................................... 29 IBM Weak Software Cryptographic Service Provider, Version 1.0 .......................................................... 33 IBM Software Cryptographic Service Provider 2, Version 1.0 ................................................................. 34 IBM Weak Software Cryptographic Service Provider 2, Version 1.0 ....................................................... 38 IBM CCA Cryptographic Module Version 1.0 ............................................................................................39 IBM Standard Trust Policy Library, Version 1.0 ....................................................................................... 44 IBM Extended Trust Policy Library, Version 1.0 .......................................................................................45 IBM Certificate Library, Version 1.0 ........................................................................................................