IBM Z10 EC manual Configurable Crypto Express2

Page 35

Enhancements to CP Assist for Cryptographic Function (CPACF):

CPACF has been enhanced to include support of the following on CPs and IFLs:

Advanced Encryption Standard (AES) for 192-bit keys and 256-bit keys

SHA-384 and SHA-512 bit for message digest

SHA-1, SHA-256, and SHA-512 are shipped enabled and do not require the enablement feature.

Support for CPACF is also available using the Integrated Cryptographic Service Facility (ICSF). ICSF is a component of z/OS, and is designed to transparently use the available cryptographic functions, whether CPACF or Crypto Express2, to balance the workload and help address the bandwidth requirements of your applications.

The enhancements to CPACF are exclusive to the System z10 and supported by z/OS, z/VM, z/VSE, and Linux on System z.

Configurable Crypto Express2

The Crypto Express2 feature has two PCI-X adapters. Each of the PCI-X adapters can be defined as either a Coprocessor or an Accelerator.

Crypto Express2 Coprocessor – for secure-key encrypted transactions (default) is:

Designed to support security-rich cryptographic functions, use of secure-encrypted-key values, and User Defined Extensions (UDX)

Designed to support secure and clear-key RSA operations

The tamper-responding hardware and lower-level firmware layers are validated to U.S. Government FIPS 140-2 standard: Security Requirements for Cryptographic Modules at Level 4.

Crypto Express2 Accelerator – for Secure Sockets Layer (SSL) acceleration:

Is designed to support clear-key RSA operations

Offloads compute-intensive RSA public-key and private-key cryptographic operations employed in the SSL protocol

Crypto Express2 features can be carried forward on an upgrade to the System z10 EC, so users may continue to take advantage of the SSL performance and the configuration capability.

The configurable Crypto Express2 feature is supported by z/OS, z/VM, z/VSE, and Linux on System z. z/VSE offers support for clear-key operations only. Current versions of z/OS, z/VM, and Linux on System z offer support for both clear-key and secure-key operations.

Additional cryptographic functions and features with Crypto Express2

Key management – Added key management for remote loading of ATM and Point of Sale (POS) keys. The elimination of manual key entry is designed to reduce downtime due to key entry errors, service calls, and key management costs.

Improved key exchange – Added improved key exchange with non-CCA cryptographic systems.

New features added to IBM Common Cryptographic Architecture (CCA) are designed to enhance the ability to exchange keys between CCA systems and systems that do not use control vectors, by allowing the CCA system owner to define the permitted types of key import and export while preventing uncontrolled key exchange that could expose the system to an increased threat of attack.

These are supported by z/OS and by z/VM for guest exploitation.
