5 tke workstation feature, 4 cryptographic features comparison – IBM 990 User Manual

IBM zSeries 990 Technical Guide

5.3.5 TKE workstation feature

A TKE workstation is part of a customized solution for using the Integrated Cryptographic
Service Facility for z/OS program product to manage cryptographic keys of a z990 that has
PCIX Cryptographic Coprocessor features installed and configured for using Data Encryption
Standard (DES) and Public Key Algorithm (PKA) cryptographic keys.

The TKE workstation provides secure control of the PCIX Cryptographic Coprocessor
features, including loading of master keys.

If one or more logical partitions are customized for using PCIX Cryptographic Coprocessors,
the TKE workstation can be used to manage DES master keys and PKA master keys for all
cryptographic domains of each PCIX Cryptographic Coprocessor feature assigned to logical
partitions defined to the TKE workstation.

Each logical partition using a domain managed through a TKE workstation connection is
either a TKE host or a TKE target. A logical partition with a TCP/IP connection to the TKE is
referred to as a TKE host; all other partitions are TKE targets.

The cryptographic controls set for a logical partition, through the z990 Support Element,
determine whether it can be a TKE host or TKE target.

5.4 Cryptographic features comparison

Table 5-2 summarizes the functions and attributes of the cryptographic hardware features.

Table 5-2 Cryptographic features comparison

Functions or attributes

CPACF

PCIXCC

PCICA

Supports z/OS applications using ICSF

X

X

X

Supports OS/390 applications using ICSF

X

X

X

Encryption and decryption using secret-key algorithm

X

Provides highest SSL handshake performance

X

(1)

Provides highest symmetric (clear key) encryption performance

X

Provides highest asymmetric (clear key) encryption performance

X

Provides highest asymmetric (encrypted key) encryption performance

X

Disruptive process to enable

(2)

(2)

Requires IOCDS definition

Uses CHPID numbers

Is assigned PCHIDs

X

(4)

X

(4)

Physically embedded on each Central Processor (CP)

X

Requires CP Assist for Cryptographic Function enablement

X

X

X

(3)

Requires ICSF to be active

X

X

Offers user programming function support (UDX)

X

Usable for data privacy - encryption and decryption processing

X

X
