Cryptography – IBM z/OS User Manual


In the on demand era security will be a strong requirement. The zSeries products will continue to address security with announcements and deliveries of products and features. The main focus in cryptography will continue to be very high and scalable performance for SSL algorithms, and secondly, to provide security-rich, symmetric performance for financial and banking applications using PIN/POS type encryption. As in the past, zSeries will be designed to deliver seamless integration of the cryptography facilities through use of ICSF. Use of ICSF will enable applications to work without change regardless of how and where the cryptographic functions are implemented, and also enable the cryptography work to be load balanced across the hardware resources. Finally, we will be focused on required certifications and open standards.

The existing PCI Cryptographic Accelerator (PCICA) continues to be available on the z990 – for SSL acceleration/clear key operations. To support the increased number of LPARs available on z990 the configuration options for the PCICA – introduced with the z900 – will be extended to allow sharing of a PCICA over the whole range of LPARs with a max of 16 LPARs sharing one PCICA adapter.

In addition to the PCICA, the PCIX Cryptographic Coprocessor (PCIXCC) was introduced as a functional replacement for the CMOS Cryptographic Coprocessor and the PCI Cryptographic Coprocessor. The PCIXCC design introduces a breakthrough concept which supports high-security applications requiring a FIPS 140-2 level 4 certified crypto module, and also serves as an execution environment for customer-written programs and a high performance path for Public Key / SSL operations. The PCIXCC design supports almost all of the past cryptographic functions which were provided on the zSeries 900 via the CMOS Cryptographic Coprocessor (CCF) and the PCI Cryptographic Coprocessor (PCICC). At the system software level the SSL related operations will be directed to the PCICA adapter and the Secure Crypto operations to the PCIXCC adapter.

The zSeries cryptography is further advanced with the introduction of the CP Assist for Cryptographic Function (CPACF) which is designed to deliver cryptographic support on every Central Processor (CP). With enhanced scalability and data rates the z990 processor is designed to provide a set of symmetric cryptographic functions, synchronously executed, which enormously enhance the performance of the en/decrypt function of SSL, VPN and data storing applications which do not require FIPS 140-2 level 4 security. The on-processor crypto functions run at z990 processor speed, an order of magnitude faster than the CMOS Crypto Coprocessor in the zSeries 900. As these crypto functions are implemented in each and every CP, the affinity problem of pre-z990 systems (which had only two CMOS Crypto Coprocessors) is virtually eliminated. The Crypto Assist Architecture includes DES and T-DES data en/decryption, MAC message authentication and SHA-1 secure hashing; all of these functions are directly available to application programs (zSeries Architecture instructions) and so will help reduce programming overhead. To conform with US Export and Import Regulations of other countries an SE panel is provided for proper enable/disable of ‘strong’ cryptographic functions.

The Trusted Key Entry (TKE) 4.1 code level workstation is an optional feature that can provide a basic key management system and Operational Key Entry support. The key management system allows an authorized person
