IBM Z Software



Status Future consideration
Created by Guest
Created on Nov 14, 2018

Exploit z/OS specific features to minimise impact of Java security changes to JCE RACF keystores

Why:
Following implementation of OSB 8181692, the KeyProtector.java function increased the number of times that keystore data is encrypted from 20 to 200,000 times.

This had the effect of significantly increasing the cost when retrieving the keystore data.

In our applications this had the effect of increasing the transaction cost by up to 60 times the cost prior to the change.

What:
The option to choose where the keystore data is accessed from, when the original data is held in a RACF keyring, may improve the response time to retrieve the decrypted keystore data plus reduce any impact from security-driven changes in Java that may affect performance, both in terms of cost (which may be somewhat mitigated with the use of specialty processors) and response times (which is not mitigated by the use of specialty processors).

RACF is a highly optimised and secure database which is highly responsive and scales for tens of thousands of users.

If it were possible to choose to access the relevant keystore data directly from RACF each time it was required to be decrypted, there would be several benefits:
1) To exploit z/OS specific features for their designed purpose, which potentially reduces the impact from changes driven by the Java world.
2) Potentially (to be measured) improve the response time of decrypting the keystore data at the time it is required to be accessed in the clear.

Idea priority Medium