z/OS 1.12 introduces support for Elliptic Curve Cryptography (ECC) certificates. The CA Top Secret GENCERT command has been modified to allow ECC certificates to be generated. ECC certificates are regarded as providing stronger cryptography with smaller key sizes than RSA certificates. ECC certificate support has been added to the CHKCERT, ADD, GENREQ, EXPORT, REKEY, P11TOKEN BIND and P11TOKEN IMPORT commands as well.
ECC algorithms supported are the 5 NIST supported prime curves (p192, p224, p256, p384 and p521). Also supported are the Brainpool Curves defined in RFC 5639.
ECC support requires the PKCS 11 support found in the z/OS Integrated Cryptographic Service Facility (ICSF). ICSF must be at the HCR7770 level, at the least.
|
Copyright © 2014 CA Technologies.
All rights reserved.
|
|