z/OS SunPKCS11 Guide

Configuring the PKCS#11 Support

Configuration changes for PKCS#11 are required in two main areas. They are:

Configuration of the ICSF token data set (TKDS) and PKCS#11 token access control setup
Configuration changes required to the Java environment.

The TKDS is a VSAM data set that serves as the repository for cryptographic keys and certificates used by PKCS#11 applications. This must be set up before any z/OS PKCS#11 applications can be run. See z/OS Cryptographic Services ICSF Writing PKCS#11 Applications. Refer to the applicable z/OS release documentation, in the z/OS library.

PKCS#11 token access control setup is required on z/OS. On the non-z/OS platforms, access to token information is granted based on the knowledge of a PIN and it is a requirement that a user log into a device to access the private information on a token such as private keys and secret keys. On z/OS, the PKCS#11 support does not require a user to login and logout as the PKCS#11 token access is controlled by two SAF CRYPTOZ Class resources. They are:

USER.token-label - Controls the User role
SO.token-label - Controls the security officer (SO) role

Further details about the SAF CRYPTOZ Class resources and access level (READ, UPDATE, or CONTROL) to one or both of these resources are documented in z/OS Cryptographic Services ICSF Writing PKCS#11 Applications. Refer to the applicable z/OS release documentation, in the z/OS library.

In addition to the SAF CRYPTOZ Class resources, ICSF will perform access control checks on the underlying PKCS#11 callable services if the CSFSERV class is active. This is similar to the way ICSF controls the access to keys and services via the CSFKEYS and CSFSERV classes. The user must have READ access to appropriate CSFSERV class resource for the Java PKCS#11 support. These include:

CSF1TRC - Token or object creation
CSF1TRD - Token or object deletion
CSF1TRL - Token or object find
CSF1SAV - Set object attributes
CSF1GAV - Get object attributes
CSF1GSK - Generate secret key
CSF1GKP - Generate key pair
CSF1PKS - Private key signature or decrypt
CSF1PKV - Public key signature or encrypt
CSF1SKD - Symmetric key decrypt
CSF1SKE - Symmetric key encryption
CSFOWH - One-way hash
CSF1WPK - Wrap key
CSF1UWK - Unwrap key

Configuration changes to the Java environment for the SunPKCS11 provider include adding the SunPKCS11 provider to the list of security providers in the $JAVA_HOME/conf/security/java.security file and creating a SunPKCS11 configuration file. A sample of the java.security file and SunPKCS11 configuration file are shown below. Several items to note are:

When the configuration file is specified on the SunPKCS11 line of the provider list, the SunPKCS11 provider is automatically initialized with the information in it as part of the JVM loading the provider.
The SunPKCS11 configuration file must reside in an OMVS directory (not in a z/OS data set).

Provider list from the java.security file

          security.provider.1=OpenJCEPlus
          security.provider.2=SUN
          security.provider.3=SunRsaSign
          security.provider.4=SunEC
          security.provider.5=SunJSSE
          security.provider.6=SunJCE
          security.provider.7=SunJGSS
          security.provider.8=SunSASL
          security.provider.9=XMLDSig
          security.provider.10=SunPCSC
          security.provider.11=JdkLDAP
          security.provider.12=JdkSASL
          security.provider.13=SunPKCS11-PKCS11Config  <path>/pkcs11.cfg

SunPKCS11 Configuration file (pkcs11.cfg)

          name = PKCS11Config
          library = /usr/lpp/pkcs11/lib/csnpca64.so
          description = z/OS PKCS#11 Configuration
          tokenLabel = PKCS11Config

Note that the "name" attribute is concatenated with "SunPKCS11-" to produce the provider's instance name (see example testPKCS11A shown in this document).

Descriptions of the attributes in the SunPKCS11 configuration file are shown in the SunPKCS11 Reference Guide.

Several items specific to z/OS are:

For z/OS, the "library" attribute can be specified in either of two ways:
- By specifying the Unix System Services(USS) or zFS absolute path name of the z/OS UNIX PKCS#11 DLL file. For 64-bit mode, the XPLINK DLL file name is csnpca64.so. So if the DLL were installed in /usr/lpp/pkcs11/lib, the absolute path name would be specified as /usr/lpp/pkcs11/lib/csnpca64.so for 64-bit mode. The non-XPLINK version of the ICSF C API DLL (csnpcapi.so) is NOT supported by the SunPKCS11 provider. The beginning slash ("/") is required for the path name to be validated as an absolute path. The DLL path and file name are case-sensitive.
- By specifying the member name of the MVS partitioned dataset containing the ICSF C API DLL. For 64-bit mode, the member name must be specified as //CSNPCA64. These are the XPLINK ICSF C API DLL file names. The non-XPLINK version of the ICSF C API DLL (//CSNPCAPI) is NOT supported by the SunPKCS11 provider. The beginning double slash ("//") is required. The DLL member name is case-insensitive. z/OS will load the DLL by name, according to the MVS load library search order (in order: STEPLIB/JOBLIB, LPA, Link List).
- Examples:
  1. library = /usr/lpp/pkcs11/lib/csnpca64.so
  2. library = //csnpca64
It is strongly recommended that the tokenLabel attribute be used instead of using either the slot or slotListIndex attributes. The number of slots that a user sees and the order that they appear is dependent upon the number of tokens in the ICSF token database, the token values, and the SAF CRYPTOZ class protection profiles currently defined. The slot with which a given token is associated may change from one SunPKCS11 application invocation to another. For example, a given token will exist on slot 5 today but be in slot 2 tomorrow. Assuming a target token is not deleted, the ICSF PKCS#11 support guarantees that the token resides in its current slot only for the life of a PKCS#11 session. If a user restarts a SunPKCS11 application, the token may reside in a different slot. Therefore, using either the slot or slotListIndex attributes may cause a SunPKCS11 application to fail.

Creation of a new empty token is required before a SunPKCS11 application can be run. Token creation can be done using the RACF RACDCERT command with the ADDTOKEN parameter or the System SSL gskkyman program. Information is available in:

z/OS Security Server RACF Command Language Reference for RACDCERT information
z/OS Security Server RACF Security Administrator's Guide for RACDCERT information
z/OS Cryptographic Services System SSL Programming for gskkyman information
z/OS Cryptographic Services ICSF Administrator's Guide to create a PKCS#11 token using ISPF panels

Refer to the applicable z/OS release documentation, in the z/OS library.

The decision on whether to create clear or secure PKCS#11 keys happens during key creation. ICSF introduced a new CRYPTOZ resource in web deliverable #12, CLEARKEY.token-label, that controls the policy on clear and secure key creation. For more information on this CRYPTOZ resource and how it is being used by ICSF, see z/OS Cryptographic Services ICSF Writing PKCS#11 Applications. Refer to the applicable z/OS release documentation, in the z/OS library.

Initializing the SunPKCS11 Provider

The recommended way on z/OS to initialize the PKCS11 provider is to use the SunPKCS11 configuration file.

This file name can be included on the SunPKCS11 provider line in the list of security providers in the $JAVA_HOME/conf/security/java.security file.
The SunPKCS11 provider can also be initialized using the configuration file name and location programmatically with the Provider.configure() method.
```
               Provider provider = Security.getProvider("SunPKCS11");
               AuthProvider authProv = provider.configure(path);
               
```
Where path is the path and file name of the SunPKCS11 configuration file.

A sample program where the SunPKCS11 configuration file is included on the SunPKCS11 line in the list of security providers in $JAVA_HOME/conf/security/java.security is shown below. Note that a PKCS#11 session is created and initialized with the PKCS#11 configuration file information when the JVM loads the SunPKCS11 provider.

          public class testPKCS11A {
               public static void main(String argv[]) {
                    Provider p = null;

                    // Get the SunPKCS11 provider whose PKCS#11
                    // config fileattribute name is PKCS11Config
                    p = Security.getProvider("SunPKCS11-PKCS11Config");

                    // Your Java PKCS11 program goes here

               }
          }

A sample program using the SunPKCS11 configuration file to initialize the SunPKCS11 provider programmatically is shown below. This is required in the case when no Java PKCS#11 configuration file is specified on the SunPKCS11 line of the java.security provider list.

          public class testPKCS11B {
               public static void main(String argv[]) {
                    Provider p = null;
                    AuthProvider authProv = null;

                    // Get the un-initialized SunPKCS11 provider
                    p = Security.getProvider("SunPKCS11");

                    try {
                         // Create a PKCS#11 session and initialize it
                         // using the /home/user/pkcs11.cfg PKCS#11
                         // configuration file
                         authProv = p.configure("/home/user/pkcs11.cfg");
                    } catch (Exception ex) {
                         System.out.println(ex.getMessage());
                         System.exit(1);
                    }

                    // Your Java PKCS11 program goes here

               }
          }

Algorithms supported by the z/OS SunPKCS11 Provider

The following list shows the algorithms supported by the z/OS SunPKCS11 Provider. The z/OS SunPKCS11 Provider will only support those algorithms which are provided through services implemented by the z/OS Integrated Cryptographic Service Facility (ICSF). ICSF supported algorithms are described in z/OS Cryptographic Services ICSF Writing PKCS#11 Applications. Refer to the applicable z/OS release documentation, in the z/OS library. The z/OS SunPKCS11 Provider will throw an exception for algorithms that are not supported.

Cipher.AES/CBC/NoPadding
Cipher.AES/CBC/PKCS5Padding
Cipher.AES/ECB/NoPadding
Cipher.AES/ECB/PKCS5Padding
Cipher.AES/GCM/NoPadding
Cipher.AES_128/CBC/NoPadding
Cipher.AES_128/ECB/NoPadding
Cipher.AES_128/GCM/NoPadding
Cipher.AES_192/CBC/NoPadding
Cipher.AES_192/ECB/NoPadding
Cipher.AES_192/GCM/NoPadding
Cipher.AES_256/CBC/NoPadding
Cipher.AES_256/ECB/NoPadding
Cipher.AES_256/GCM/NoPadding
Cipher.ARCFOUR
Cipher.Blowfish/CBC/NoPadding
Cipher.Blowfish/CBC/PKCS5Padding
Cipher.DES/CBC/NoPadding
Cipher.DES/CBC/PKCS5Padding
Cipher.DES/ECB/NoPadding
Cipher.DES/ECB/PKCS5Padding
Cipher.DESede/CBC/NoPadding
Cipher.DESede/CBC/PKCS5Padding
Cipher.DESede/ECB/NoPadding
Cipher.DESede/ECB/PKCS5Padding
Cipher.RSA/ECB/NoPadding,
Cipher.RSA/ECB/PKCS1Padding
KeyAgreement.DiffieHellman
KeyAgreement.ECDiffieHellman
KeyFactory.DiffieHellman
KeyFactory.DSA
KeyFactory.EC
KeyFactory.RSA
KeyGenerator.AES
KeyGenerator.ARCFOUR (RC4)
KeyGenerator.Blowfish
KeyGenerator.DES
KeyGenerator.DESede
KeyGenerator.SunTLSKeyMaterial
KeyGenerator.SunTlsMasterSecret
KeyGenerator.SunTlsPrf
KeyPairGenerator.DiffieHellman
KeyPairGenerator.DSA
KeyPairGenerator.EC
KeyPairGenerator.RSA
Mac.HmacMD5
Mac.HmacSHA1
Mac.HmacSHA224
Mac.HmacSHA256
Mac.HmacSHA386
Mac.HmacSHA512
Mac.SslMacMD5
Mac.SslMacSHA1
MessageDigest.MD2
MessageDigest.MD5
MessageDigest.SHA1
MessageDigest.SHA-224
MessageDigest.SHA-256
MessageDigest.SHA-386
MessageDigest.SHA-512
SecretKeyFactory.AES
SecretKeyFactory.ARCFOUR (RC4)
SecretKeyFactory.Blowfish
SecretKeyFactory.DES
SecretKeyFactory.DESede
Signature.DSA
Signature.DSAinP1363Format
Signature.MD2withRSA
Signature.MD5withRSA
Signature.NONEwithECDSA
Signature.NONEwithECDSAinP1363Format
Signature.RSASSA-PSS
Signature.RawDSA
Signature.RawDSAinP1363Format
Signature.SHA1withECDSA
Signature.SHA1withECDSAinP1363Format
Signature.SHA1withRSA
Signature.SHA1withRSASSA-PSS
Signature.SHA224withECDSA
Signature.SHA224withECDSAinP1363Format
Signature.SHA224withRSA
Signature.SHA224withRSASSA-PSS
Signature.SHA256withECDSA
Signature.SHA256withECDSAinP1363Format
Signature.SHA256withRSA
Signature.SHA256withRSASSA-PSS
Signature.SHA384withECDSA
Signature.SHA384withECDSAinP1363Format
Signature.SHA384withRSA
Signature.SHA384withRSASSA-PSS
Signature.SHA512withECDSA
Signature.SHA512withECDSAinP1363Format
Signature.SHA512withRSA
Signature.SHA512withRSASSA-PSS

Managing an X509 certificate and private key in the ICSF PKCS11 token database

Managing a X509 certificate and a private key in the ICSF PKCS#11 token data set can be done using System SSL's gskkyman, RACF's RACDCERT command, and hwkeytool. Information is available in:

z/OS Cryptographic Services System SSL Programming for gskkyman information
z/OS Security Server RACF Command Language Reference for RACDCERT information
z/OS Security Server RACF Security Administrator's Guide for RACDCERT information
z/OS Cryptographic Services ICSF Administrator's Guide to view objects such as an X509 certificate or private key object in the TKDS and make limited updates to those objects, using ISPF panels
For hwkeytool information refer to hwkeytool - Key and Certificate Management Tool

Refer to the applicable z/OS release documentation, in the z/OS library.

The SunPKCS11 provider allows a Java application to access the ICSF PKCS#11 token data set through java.security.KeyStore methods.

The IBMJCECCA keystore application hwkeytool now supports PKCS11 keystores when the IBMJCECCA and SunPKCS11 providers are present in the security properties file. -keystore must be NONE if -storetype is PKCS11. The following example is how to list a PKCS11 keystore:

               hwkeytool -list -storetype PKCS11 -keystore NONE

The Java tools ikeyman and ikeycmd (the command line version of ikeyman) that may be used to manage PKCS#11 tokens and objects on other platforms are not supported on z/OS.

Restrictions / Considerations when using the SunPKCS11 provider on z/OS

Java PKCS#11 applications that require stronger cryptography than the default strength as defined by the jurisdiction policy files in $JAVA_HOME/conf/security should do the following:
- Get the unrestricted policy files from this web site.
- Copy the unrestricted policy files US_export_policy.jar and local_policy.jar to $JAVA_HOME/conf/security overwriting the default strength policy files.
If a SunPKCS11 Template is inconsistent" exception is thrown and the attributes option in the SunPKCS11 configuration file are set, please verify that the attributes are compatible. For example, a "Template is inconsistent" Exception would be thrown when the public / private RSA key pair is generated and the following attributes was set in the SunPKCS11 configuration file.
```
               attributes(generate, CKO_PUBLIC_KEY, CKK_RSA) = {
                    CKA_SIGN = true
               }
               
```
Note that this example causes the exception because the CKA_SIGN attribute is normally associated with an RSA private key.
If a Exception is thrown that includes the string "Vendor defined error", the bad code displayed is an ICSF return code and reason code. It is in the format 0x'pxxxyyyy' where xxx is the ICSF return code and yyyy is the ICSF reason code (the p value can be ignored). To determine the meaning of these codes, see the z/OS Cryptographic Services ICSF Application Programmer's Guide. Refer to the applicable z/OS release documentation, in the z/OS library.
If a Exception "Vendor defined error" return code is "0xc00c008", it may be due to a generated RSA private key that has a longer Modulus Exponent than permitted. If this is the case, the size of Modulus Exponent is limited to 1024 bits in your z/OS hardware cryptographic environment. To determine the permitted sizes for a Modulus Exponent, consult z/OS Cryptographic Services ICSF Writing PKCS#11 Applications. Refer to the applicable z/OS release documentation, in the z/OS library. Refer to the section "Key types and mechanisms supported", in Chapter 2.
The exception may be resolved in one of the following ways:
1. by programmatically defining the size of the Modulus Exponent to a permitted size
2. by activating a z/OS hardware cryptographic accelerator card; in this case, contact your system administrator
Note, it is recommended that z/OS PKCS #11 RSA private keys be generated in Chinese Remainder Theorem (CRT) format. They circumvent this exception and normally perform better.
If a java.security.NoSuchAlgorithmException is thrown when running a SunPKCS11 application and the algorithm is one that is supported in the above algorithm list for z/OS, this may be due to the z/OS hardware cryptographic cards not being available. If that's the case, then contact your system administrator.
Key wrapping is supported through the javax.crypto.Cipher wrap and unwrap methods. Only certain wrapping scenarios are supported on z/OS. They are:
- Wrapping an RSA private key using a DES, DESede, or AES key
- Wrapping a DES, DESede, or AES key using an RSA public key
- Wrapping a DES, DESede, or AES key using a DES, DESede, or AES key is not supported. Also, wrapping an RSA private key with an RSA public key is not supported.
When an SunPKCS11 key is set into the PKCS11 key store using the KeyStore setKeyEntry method, the key object is copied to the TKDS and the token attribute is set to true. The SunPKCS11 key passed into setKeyEntry is no longer valid. A call to the KeyStore getKey method must be done to retrieve the valid key object from the TKDS.
It is strongly recommended that separate tokens should be used if your Java PKCS11 application runs in multiple JVMs / processes and adds and deletes objects in the TKDS. For example, if you run a Java PKCS11 application that creates a new RSA public and private key pair, then does a KeyStore.load, followed by a Keystore.setKeyEntry for the new RSA private key, followed by a Keystore.deleteEntry of that RSA private key on JVM #1 using TOKEN1. And on JVM #2, the Java PKCS11 application does a Keystore.load using TOKEN1 prior to the KeyStore.deleteEntry being done in JVM #1, unpredictable results may occur.
When using the tokenlabel attribute in the Java PKCS11 configuration file, it is recommended that token access (controlled by the SAF CRYPTOZ class resources) be limited to the tokens created for / by each Java PKCS#11 user. For example, user ADMIN would have a SAF CRYTPOZ profiles defined for SO.ADMIN* and USER.ADMIN*, and would have CONTROL access to these 2 CRYPTOZ profiles. Tokens created for / by user ADMIN with the RACF RACDCERT or System SSL gskkyman tools would have a token name of ADMIN1, for example. Setting up token access using this sort of technique limits the PKCS#11 object visibility. It allows methods like SunPKCS11's KeyStore engineLoad that loads a keystore with a token's private key, certificate, and secret key objects to complete faster as fewer objects need to be loaded.
Tracing for the SunPKCS11 provider can be enabled by adding "-Djava.security.auth.debug=sunpkcs11" to the java command. Details for enabling tracing for the z/OS PKCS#11 ICSF C-API are described in the z/OS Cryptographic Services ICSF Writing PKCS#11 Applications. Refer to the applicable z/OS release documentation, in the z/OS library.

PKCS #11: Cryptographic Token Interface Standard

Oracle PKCS#11 Reference Guide

Trademarks

IBM is a trademark or registered trademark of International Business Machines Corporation in the United States, or other countries, or both.

Oracle and Java are registered trademarks of Oracle and/or its affiliates.

Other company, product, or service names may be trademarks or service marks of others.

z/OS SunPKCS11 Guide

for the IBM® Semeru Runtime Certified Edition for z/OS®, Version 11.0

(Last Updated January, 2023)

Table of Contents

Overview