U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

This is an archive
(replace .gov by .rip)

Cryptographic Module Validation Program CMVP

Certificate #3924

Details

Module Name
IBM® z/OS® Version 2 Release 4 ICSF PKCS #11 Cryptographic Module
Standard
FIPS 140-2
Status
Active
Sunset Date
5/9/2026
Validation Dates
05/10/2021
Overall Level
1
Caveat
When operated in FIPS mode with module IBM(R) z/OS(R) Version 2 Release 4 Security Server RACF(R) Signature Verification Module validated to FIPS 140-2 under Cert. #2691 operating in FIPS mode
Security Level Exceptions
  • Mitigation of Other Attacks: N/A
Module Type
Software-Hybrid
Embodiment
Multi-Chip Stand Alone
Description
ICSF is a software element of z/OS that works with hardware cryptographic features and the Security Server (RACF) to provide secure, high-speed cryptographic services in the z/OS environment. ICSF, which runs as a started task, provides the application programming interfaces by which applications request the cryptographic services.
Tested Configuration(s)
  • IBM z/OS Version 2 Release 4 running on an IBM z15 with CP Assist for Cryptographic Functions [1]
  • IBM z/OS Version 2 Release 4 running on an IBM z15 with CP Assist for Cryptographic Functions with CEX7A [2] (single-user mode)
FIPS Algorithms
AES Certs. #A389 and #C1772
CKG vendor affirmed
CVL Certs. #C1772 and #C1799
DRBG Certs. #C1763 and #C1772
DSA Cert. #C1772
ECDSA Cert. #C1772
HMAC Cert. #C1772
KTS AES Cert. #C1772; key establishment methodology provides between 128 and 256 bits of encryption strength
KTS AES Cert. #A389 and AES Certs. #A389 and #C1772; key establishment methodology provides between 128 and 256 bits of encryption strength
KTS AES Cert. #A389 and HMAC Cert. #C1772; key establishment methodology provides between 128 and 256 bits of encryption strength
RSA Certs. #C1766, #C1772 and #C1799
SHS Certs. #A389 and #C1772
Triple-DES Cert. #A389
Allowed Algorithms
AES (Cert. #A389, key unwrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); MD5; NDRNG; RSA (key wrapping; key establishment methodology provides between 112 and 149 bits of encryption strength); Triple-DES (Cert. #A389, key unwrapping; key establishment methodology provides 112 bits of encryption strength)
Hardware Versions
COP chips integrated within processor unit [1] and COP chips integrated within processor unit and P/N 02WN654-N37880 (Low Power) [2]
Software Versions
ICSF level HCR77D0 with APAR OA59040
Firmware Versions
Feature 3863 (aka FC3863) with System Driver Level 41C [1], and Feature 3863 (aka FC3863) with System Driver Level 41C and CCA 7.0.68z [2]

Vendor

IBM Corporation
2455 South Road
Poughkeepsie, NY 12601-5400
USA

John Monti
jmonti@us.ibm.com
Phone: 845-435-4164

Lab

ATSEC INFORMATION SECURITY CORP
NVLAP Code: 200658-0