Skip to Main Content
IBM Z Hardware and Operating Systems Ideas Portal


This is the public portal for all IBM Z Hardware and Operating System related offerings. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Status Under review
Workspace z/OS
Categories BCP_SMF
Created by Guest
Created on Dec 5, 2024

SMF/ICSF - Increase input validation for SMF record signing

Defining a TOKENNAME for either RECSIGN or ARECSIGN in the SMFPRMxx member is only validated to be exactly 32-characters long. However, one can activate the member with SET SMF=00 without throwing an error (even there is no associated private/public key to the token).
One only notices this issue during the validation as the validation process fails with:
IFA744I SMF SIGNATURE VALIDATION FAILURE DIAGNOSTIC INFORMATION
       RECORD IN ERROR                                        
       <header>       
       TOKENNAME <your.32.character.token.name>          
       HASH SHA512 SERVICE NAME CSFPOWH                       
       RC=00000008 RSN=00000BD2                               
IFA742I SMF SIGNATURE VALIDATION FAILED DUE TO                 
       CRYPTOGRAPHY FAILURE - ICSF RC/RSN=00000008/00000BD2   
       
Which means according to the manual (https://www.ibm.com/docs/en/zos/3.1.0?topic=codes-reason-return-code-8-8):
"The z/OS PKCS #11 token or object handle syntax is invalid."

Which is true as the token has not assigned the proper keys.

This Idea asks for an 'input validation' not only for the token name (length) but also if the token is usable.
The benefit of such a validation is that an error can be prevented:

One shall not be able to activate an SMFPRMxx member where a token is defined for either RECSIGN or ARECSIGN without assigned private/public key to prevent a failure as described above.

Idea priority Medium