Cryptographic Module Validation Program CMVP

Certificate #3909

Details

Module Name
IBM® z/OS® Version 2 Release 4 ICSF PKCS #11 Cryptographic Module
Standard
FIPS 140-2
Status
Active
Sunset Date
4/25/2026
Validation Dates
04/26/2021
Overall Level
1
Caveat
When operated in FIPS mode with module IBM(R) z/OS(R) Version 2 Release 4 Security Server RACF(R) Signature Verification Module validated to FIPS 140-2 under Cert. #2691 operating in FIPS mode
Security Level Exceptions
  • Mitigation of Other Attacks: N/A
Module Type
Software-Hybrid
Embodiment
Multi-Chip Stand Alone
Description
ICSF is a software element of z/OS that works with hardware cryptographic features and the Security Server (RACF) to provide secure, high-speed cryptographic services in the z/OS environment. ICSF, which runs as a started task, provides the application programming interfaces by which applications request the cryptographic services.
Tested Configuration(s)
  • IBM z/OS Version 2 Release 4 running on an IBM z14 with CP Assist for Cryptographic Functions [1]
  • IBM z/OS Version 2 Release 4 running on an IBM z14 with CP Assist for Cryptographic Functions with CEX6A [2] (single-user mode)
FIPS Algorithms
AES Certs. #C79 and #C1635
CKG vendor affirmed
CVL Certs. #C1635 and #C1637
DRBG Certs. #C1633 and #C1635
DSA Cert. #C1635
ECDSA Cert. #C1635
HMAC Cert. #C1635
KTS AES Cert. #C1635; key establishment methodology provides between 128 and 256 bits of encryption strength
KTS AES Cert. #C79 and AES Certs. #C79 and #C1635; key establishment methodology provides between 128 and 256 bits of encryption strength
KTS AES Cert. #C79 and HMAC Cert. #C1635; key establishment methodology provides between 128 and 256 bits of encryption strength
RSA Certs. #C1634, #C1635 and #C1637
SHS Certs. #C79 and #C1635
Triple-DES Cert. #C79
Allowed Algorithms
AES (Cert. #C79, key unwrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); MD5; NDRNG; RSA (key wrapping; key establishment methodology provides between 112 and 149 bits of encryption strength); Triple-DES (Cert. #C79, key unwrapping; key establishment methodology provides 112 bits of encryption strength)
Hardware Versions
COP chips integrated within processor unit [1] and COP chips integrated within processor unit and P/N 01PP167 [2]
Software Versions
ICSF level HCR77D0 with APAR OA58593
Firmware Versions
Feature 3863 (aka FC3863) with System Driver Level 32L [1], and Feature 3863 (aka FC3863) with System Driver Level 32L and CCA 6.0.8z [2]

Vendor

IBM Corporation
2455 South Road
Poughkeepsie, NY 12601-5400
USA

John Monti
jmonti@us.ibm.com
Phone: 845-435-4164

Lab

ATSEC INFORMATION SECURITY CORP
NVLAP Code: 200658-0