IBM z10 EC Security, Cryptography, z Can Do IT securely, CP Assist for Cryptographic Function (CPACF)

Page 34

Security

Cryptography

Today’s world mandates that your systems are secure and available 24/7. The z10 EC employs some of the most advanced security technologies in the industry, helping you to meet rigid regulatory requirements that include encryption solutions, access control management, and extensive auditing features. It also provides disaster recovery configurations and is designed to deliver 99.999% application availability to help avoid the downside of planned downtime, equipment failure, or the complete loss of a data center.

When you need to be more secure, more resilient —

z Can Do IT. The z10 processor chip has on-board cryptographic functions. Standard clear key integrated cryptographic coprocessors provide high speed cryptography for protecting data in storage. CP Assist for Cryptographic Function (CPACF) supports DES, TDES, Secure Hash Algorithms (SHA) for up to 512 bits, Advanced Encryption Standard (AES) for up to 256 bits and Pseudo Random Number Generation (PRNG). Logging has been added to the TKE workstation to enable better problem tracking.

System z is investing in accelerators that provide improved performance for specialized functions. The Crypto Express2 feature for cryptography is an example. The Crypto Express2 feature can be configured as a secure key coprocessor or for Secure Sockets Layer (SSL) acceleration. The feature includes support for 13, 14, 15, 16, 17, 18 and 19 digit Personal Account Numbers for stronger protection of data. And the tamper-resistant cryptographic coprocessor is certified at FIPS 140-2 Level 4.

In 2008, the z10 EC received Common Criteria Evaluation Assurance Level 5 (EAL5) certification for security of logical partitions. System z security is one of the many reasons why the world’s top banks and retailers rely on the IBM mainframe to help secure sensitive business transactions.

z Can Do IT securely.

The z10 EC includes both standard cryptographic hardware and optional cryptographic features for flexibility and growth capability. IBM has a long history of providing hardware cryptographic solutions, from the development of Data Encryption Standard (DES) in the 1970s to delivering integrated cryptographic hardware in a server to achieve the US Government’s highest FIPS 140-2 Level 4 rating for secure cryptographic hardware.

The IBM System z10 EC cryptographic functions include the full range of cryptographic operations needed for e-business, e-commerce, and financial institution applications. In addition, custom cryptographic functions can be added to the set of functions that the z10 EC offers.

New integrated clear key encryption security features on z10 EC include support for a higher advanced encryption standard and more secure hashing algorithms. Performing these functions in hardware is designed to contribute to improved performance.

Enhancements to eliminate preplanning in the cryptography area include the System z10 function to dynamically add Crypto to a logical partition. Changes to image profiles, to support Crypto Express2 features, are available without an outage to the logical partition. Crypto Express2 features can also be dynamically deleted or moved.

CP Assist for Cryptographic Function (CPACF)

CPACF supports clear-key encryption. All CPACF functions can be invoked by problem state instructions defined by an extension of System z architecture. The function is activated using a no-charge enablement feature and offers the following on every CPACF that is shared between two Processor Units (PUs) and designated as CPs and/or Integrated Facility for Linux (IFL):

DES, TDES, AES-128, AES-192, AES-256

SHA-1, SHA-224, SHA-256, SHA-384, SHA-512

Pseudo Random Number Generation (PRNG)
