IBM Z10 EC manual Dynamically add crypto to a logical partition, Secure Key AES

Page 36

Support for ISO 16609

Support for ISO 16609 CBC Mode T-DES Message Authentication (MAC) requirements. ISO 16609 CBC Mode T-DES MAC is accessible through ICSF function calls made in the PCI-X Cryptographic Adapter segment 3 Common Cryptographic Architecture (CCA) code.

This is supported by z/OS and by z/VM for guest exploitation.
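The Go program below is an added illustration, not code from this guide or from ICSF, of what a CBC-mode Triple-DES MAC is: ISO/IEC 9797-1 MAC algorithm 1 with TDES as the block cipher, the construction on which ISO 16609 banking MACs are built. It uses Go's standard crypto/des package. The two padding methods, the zero IV and the 4- or 8-byte MAC lengths are assumptions of this example and must match the rule-array keywords used on the real ICSF call; the sample key and message are constructed.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// PadMethod selects the ISO/IEC 9797-1 padding applied before the CBC chain.
type PadMethod int

const (
	// PadMethod1 appends zero bytes up to a block boundary (one zero block for
	// an empty message). It cannot tell a message from the same message with
	// trailing zero bytes, so it is only safe for fixed-length data.
	PadMethod1 PadMethod = 1
	// PadMethod2 appends a single 0x80 byte and then zero bytes; at least one
	// byte is always added, so the message length is unambiguous.
	PadMethod2 PadMethod = 2
)

// pad9797 returns msg padded to a multiple of the DES block size.
func pad9797(msg []byte, m PadMethod) ([]byte, error) {
	out := make([]byte, len(msg), len(msg)+des.BlockSize)
	copy(out, msg)
	switch m {
	case PadMethod1:
		if len(out) == 0 {
			out = append(out, 0x00)
		}
	case PadMethod2:
		out = append(out, 0x80)
	default:
		return nil, errors.New("unknown padding method")
	}
	for len(out)%des.BlockSize != 0 {
		out = append(out, 0x00)
	}
	return out, nil
}

// TDESCBCMAC computes a CBC-mode Triple-DES MAC: each padded block is XORed
// into the running value and enciphered under the full TDES key (ISO/IEC
// 9797-1 MAC algorithm 1 with TDES as the block cipher, zero IV); the
// leftmost macLen bytes (4..8) of the final block are the MAC. key is
// 16 bytes (K1||K2, used as K1,K2,K1) or 24 bytes (K1||K2||K3).
func TDESCBCMAC(key, msg []byte, m PadMethod, macLen int) ([]byte, error) {
	if len(key) == 16 {
		key = append(append([]byte{}, key...), key[:8]...)
	}
	if len(key) != 24 {
		return nil, errors.New("TDES key must be 16 or 24 bytes")
	}
	if macLen < 4 || macLen > des.BlockSize {
		return nil, errors.New("MAC length must be 4..8 bytes")
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	padded, err := pad9797(msg, m)
	if err != nil {
		return nil, err
	}
	chain := make([]byte, des.BlockSize) // zero IV
	for i := 0; i < len(padded); i += des.BlockSize {
		for j := 0; j < des.BlockSize; j++ {
			chain[j] ^= padded[i+j]
		}
		block.Encrypt(chain, chain)
	}
	return chain[:macLen], nil
}

// VerifyTDESCBCMAC recomputes the MAC and compares in constant time, so a
// forger learns nothing from how many leading bytes happened to match.
func VerifyTDESCBCMAC(key, msg, mac []byte, m PadMethod) (bool, error) {
	want, err := TDESCBCMAC(key, msg, m, len(mac))
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(want, mac) == 1, nil
}

func main() {
	// Constructed sample key and message, not values from any real system.
	key, _ := hex.DecodeString("0123456789abcdeffedcba9876543210")
	msg := []byte("PAYMENT 000000123456 AMT 0001000 CCY 840")
	mac, err := TDESCBCMAC(key, msg, PadMethod2, 8)
	if err != nil {
		panic(err)
	}
	fmt.Printf("MAC=%s\n", hex.EncodeToString(mac))
}
```

Two points worth keeping in mind when mapping this onto a real call: the padding method is part of the MAC definition (the same message padded two different ways gives two different MACs, and method 1 cannot protect a variable-length message that may end in zero bytes), and TDES has a 64-bit block, so the amount of data authenticated under one key should be bounded.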

Support for RSA keys up to 4096 bits

The RSA services in the CCA API are extended to support RSA keys with modulus lengths up to 4096 bits. The services affected include key generation, RSA-based key management, digital signatures, and other functions related to these.

Refer to the ICSF Application Programmer's Guide, SA22-7522, for additional details.

Cryptographic enhancements to Crypto Express2

Dynamically add crypto to a logical partition

Today, users can preplan the addition of Crypto Express2 features to a logical partition (LP) by using the Crypto page in the image profile to define the Cryptographic Candidate List, Cryptographic Online List, and Usage and Control Domain Indexes in advance of crypto hardware installation.

With the change to dynamically add crypto to a logical partition, changes to image profiles to support Crypto Express2 features are available without an outage to the logical partition. Users can also dynamically delete or move Crypto Express2 features. Preplanning is no longer required.

This enhancement is supported by z/OS, z/VM for guest exploitation, z/VSE, and Linux on System z.

Secure Key AES

The Advanced Encryption Standard (AES) is a National Institute of Standards and Technology specification for the encryption of electronic data. It is expected to become the accepted means of encrypting digital information, including financial, telecommunications, and government data.

AES is the symmetric algorithm of choice, instead of Data Encryption Standard (DES) or Triple-DES, for the encryption and decryption of data. The AES encryption algorithm will be supported with secure (encrypted) keys of 128, 192, and 256 bits. The secure key approach, similar to what is supported today for DES and TDES, provides the ability to keep the encryption keys protected at all times, including the ability to import and export AES keys using RSA public key technology.

Support for AES encryption algorithm includes the master key management functions required to load or generate AES master keys, update those keys, and re-encipher key tokens under a new master key.
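As an added illustration (not IBM's implementation of CCA key tokens, and not the CCA token format), the Go program below models the secure-key lifecycle the two paragraphs above describe: a master key that never leaves the coprocessor, AES keys of 128, 192 or 256 bits held outside it only as wrapped tokens, a new-master-key register that is loaded first and set afterwards, re-enciphering of every token in between, and use of a token for encryption without the clear key ever being returned. AES-GCM as the wrapping primitive, the token layout and the HSM type are assumptions of this model.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// SecureToken is what an application stores: the AES key material enciphered
// (nonce || AES-GCM) under a master key that never leaves the coprocessor.
type SecureToken []byte

// HSM models the coprocessor: the current master key plus the new-master-key
// register. Clear keys exist only inside its methods.
type HSM struct{ current, staged []byte }

// seal/open wrap with AES-GCM under a fresh nonce, so a token altered in storage
// or opened under the wrong master key fails instead of yielding a garbage key.
func seal(key, data []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key) // rejects anything but a 16/24/32-byte key
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(blk) // cannot fail for an AES block
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, data, nil), nil
}

func open(key, blob []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(blk)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// LoadMasterKey puts a new master key (an AES key; 256-bit here) in the
// new-master-key register without activating it.
func (h *HSM) LoadMasterKey(mk []byte) error {
	if len(mk) != 32 {
		return errors.New("master key must be 256 bits")
	}
	h.staged = mk
	return nil
}

// SetMasterKey makes the loaded key current. Tokens still wrapped under the old
// key then stop opening, which is why Reencipher must run over them first.
func (h *HSM) SetMasterKey() error {
	if h.staged == nil {
		return errors.New("no new master key loaded")
	}
	h.current, h.staged = h.staged, nil
	return nil
}

// wrap turns a clear AES key into a token under mk; only HSM methods call it.
func wrap(mk, clear []byte) (SecureToken, error) {
	if l := len(clear); l != 16 && l != 24 && l != 32 {
		return nil, errors.New("AES key must be 128, 192 or 256 bits")
	}
	return seal(mk, clear)
}

// WrapKey imports a clear key under the current master key; the caller keeps
// only the token and discards the clear copy.
func (h *HSM) WrapKey(clear []byte) (SecureToken, error) { return wrap(h.current, clear) }

// Reencipher rewraps a token from the current master key to the loaded one.
func (h *HSM) Reencipher(t SecureToken) (SecureToken, error) {
	if h.staged == nil {
		return nil, errors.New("no new master key loaded")
	}
	clear, err := open(h.current, t)
	if err != nil {
		return nil, err
	}
	return wrap(h.staged, clear)
}

// Encrypt uses a token without ever returning the key to the caller: the
// clear key is recovered inside the method and dropped when it returns.
func (h *HSM) Encrypt(t SecureToken, plaintext []byte) ([]byte, error) {
	clear, err := open(h.current, t)
	if err != nil {
		return nil, err
	}
	return seal(clear, plaintext)
}
```

The order of operations is the point: LoadMasterKey, then Reencipher every stored token, then SetMasterKey. A token that is missed stays wrapped under the old master key and fails to open once the new one is set, and data enciphered with it before the change remains recoverable only through its re-enciphered copy.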

Support for 13- thru 19-digit Personal Account Numbers

Credit card companies sometimes perform card security code computations based on Personal Account Number (PAN) data. Currently, ICSF callable services CSNBCSV (VISA CVV Service Verify) and CSNBCSG (VISA CVV Service Generate) are used to verify and to generate a VISA Card Verification Value (CVV) or a MasterCard Card Verification Code (CVC). The ICSF callable services currently support 13-, 16-, and 19-digit PAN data. To provide additional flexibility, new keywords PAN-14, PAN-15, PAN-17, and PAN-18 are implemented in the rule array for both CSNBCSG and CSNBCSV to indicate that the PAN data is comprised of 14, 15, 17, or 18 PAN digits, respectively.

Support for 13- through 19-digit PANs is exclusive to System z10 and is offered by z/OS and z/VM for guest exploitation.
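The Go example below is added here and is not the ICSF CSNBCSG/CSNBCSV code; it shows why the PAN length has to be stated explicitly. The CVV input is the PAN, expiry date and service code packed into 32 hexadecimal digits and zero-padded on the right, so the service must know where the PAN ends, and every length from 13 to 19 still fits in the block. The computation is the widely documented VISA CVV/MasterCard CVC algorithm under a double-length DES key; the keyword form for 13, 16 and 19 digits (assumed to match the PAN-14..PAN-18 pattern) and the test key are assumptions.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

func checkDigits(s string) error {
	for _, c := range s {
		if c < '0' || c > '9' {
			return errors.New("field must contain only decimal digits")
		}
	}
	return nil
}

// PANKeyword validates a PAN and returns the rule-array keyword that tells the
// CVV service how many digits it holds. PAN-14, PAN-15, PAN-17 and PAN-18 are
// the keywords the text above adds; the same form is assumed for 13, 16 and 19.
func PANKeyword(pan string) (string, error) {
	if err := checkDigits(pan); err != nil {
		return "", err
	}
	if n := len(pan); n < 13 || n > 19 {
		return "", fmt.Errorf("PAN length %d is outside 13..19 digits", n)
	}
	return fmt.Sprintf("PAN-%d", len(pan)), nil
}

// cvvInput builds the 32-hex-digit block the algorithm enciphers: PAN, expiry
// (YYMM) and service code concatenated, right-padded with zeros. Even a
// 19-digit PAN (19+4+3 digits) fits, which is why 19 is the upper bound.
func cvvInput(pan, expiryYYMM, serviceCode string) (string, error) {
	if _, err := PANKeyword(pan); err != nil {
		return "", err
	}
	if len(expiryYYMM) != 4 || len(serviceCode) != 3 {
		return "", errors.New("expiry must be YYMM and service code 3 digits")
	}
	if err := checkDigits(expiryYYMM + serviceCode); err != nil {
		return "", err
	}
	s := pan + expiryYYMM + serviceCode
	return s + strings.Repeat("0", 32-len(s)), nil
}

// GenerateCVV is the widely documented VISA CVV / MasterCard CVC computation
// under a 16-byte double-length DES key cvk = A||B: DES-encrypt the left block
// under A, XOR in the right block, pass the result through TDES(A,B,A), then
// decimalise the 64-bit result and keep the leftmost three digits.
func GenerateCVV(cvk []byte, pan, expiryYYMM, serviceCode string) (string, error) {
	if len(cvk) !=16 {
		return "", errors.New("CVK must be a 16-byte double-length DES key")
	}
	in, err := cvvInput(pan, expiryYYMM, serviceCode)
	if err != nil {
		return "", err
	}
	data, _ := hex.DecodeString(in) // 16 bytes; cvvInput guarantees 32 hex digits
	single, _ := des.NewCipher(cvk[:8])                                       // A
	triple, _ := des.NewTripleDESCipher(append(append([]byte{}, cvk...), cvk[:8]...)) // A,B,A
	var t [des.BlockSize]byte
	single.Encrypt(t[:], data[:8])
	for i := range t {
		t[i] ^= data[8+i]
	}
	triple.Encrypt(t[:], t[:])
	// Decimalisation: the decimal digits of the hex result in order, then the
	// letters a..f mapped to 0..5; the leftmost three digits are the CVV.
	hx := hex.EncodeToString(t[:])
	var digits []byte
	for _, c := range []byte(hx) {
		if c <= '9' {
			digits = append(digits, c)
		}
	}
	for _, c := range []byte(hx) {
		if c >= 'a' {
			digits = append(digits, c-'a'+'0')
		}
	}
	return string(digits[:3]), nil
}

// VerifyCVV recomputes the value and compares in constant time.
func VerifyCVV(cvk []byte, pan, expiryYYMM, serviceCode, cvv string) (bool, error) {
	want, err := GenerateCVV(cvk, pan, expiryYYMM, serviceCode)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare([]byte(want), []byte(cvv)) == 1, nil
}
```

Because the padded block is the same width whatever the PAN length, a PAN of 14 digits and a PAN of 15 digits that share a 14-digit prefix produce different inputs only because the expiry and service code shift by one nibble; a service that silently assumed 16 digits would compute a CVV over the wrong fields for every other length, which is what the explicit PAN-nn keywords prevent.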
