IBM Z10 BUSINESS CLASS Z10 BC User Manual


Enhancements to CP Assist for Cryptographic Function (CPACF):

CPACF has been enhanced to include support of the following on CPs and IFLs:

• Advanced Encryption Standard (AES) for 192-bit keys and 256-bit keys

• SHA-384 and SHA-512 for message digest

SHA-1, SHA-256, and SHA-512 are shipped enabled and do not require the enablement feature.

Support for CPACF is also available using the Integrated Cryptographic Service Facility (ICSF). ICSF is a component of z/OS, and is designed to transparently use the available cryptographic functions, whether CPACF or Crypto Express2, to balance the workload and help address the bandwidth requirements of your applications.

The enhancements to CPACF are exclusive to the System z10 and supported by z/OS, z/VM, z/VSE, and Linux on System z.

Configurable Crypto Express2

The Crypto Express2 feature has two PCI-X adapters. Each of the PCI-X adapters can be defined as either a Coprocessor or an Accelerator.

Crypto Express2 Coprocessor – for secure-key encrypted transactions (default) is:

• Designed to support security-rich cryptographic functions, use of secure-encrypted-key values, and User Defined Extensions (UDX)

• Designed to support secure and clear-key RSA operations

• The tamper-responding hardware and lower-level firmware layers are validated to U.S. Government FIPS 140-2 standard: Security Requirements for Cryptographic Modules at Level 4

Crypto Express2 Accelerator – for Secure Sockets Layer (SSL) acceleration:

• Is designed to support clear-key RSA operations

• Offloads compute-intensive RSA public-key and private-key cryptographic operations employed in the SSL protocol

Crypto Express2 features can be carried forward on an upgrade to the System z10 BC, so users may continue to take advantage of the SSL performance and the configuration capability.

The configurable Crypto Express2 feature is supported by z/OS, z/VM, z/VSE, and Linux on System z. z/VSE offers support for clear-key operations only. Current versions of z/OS, z/VM, and Linux on System z offer support for both clear-key and secure-key operations.

Crypto Express2-1P

An option of one PCI-X adapter per feature, in addition to the current two PCI-X adapters per feature, is being offered for the z10 BC to help satisfy small and midrange security requirements while maintaining high performance.

The Crypto Express2-1P feature, with one PCI-X adapter, can continue to be defined as either a Coprocessor or an Accelerator. A minimum of two features must be ordered.

Additional cryptographic functions and features with Crypto Express2 and Crypto Express2-1P.

Key management – Added key management for remote loading of ATM and Point of Sale (POS) keys. The elimination of manual key entry is designed to reduce downtime due to key entry errors, service calls, and key management costs.
