IBM Z10 EC manual Remote Loading of Initial ATM Keys, Remote Key Loading Benefits

Page 38

Remote Loading of Initial ATM Keys

Typically, a new ATM has none of the financial institution's keys installed. Remote Key Loading refers to the process of loading Data Encryption Standard (DES) keys to Automated Teller Machines (ATMs) from a central administrative site without the need for personnel to visit each machine to manually load DES keys. Historically, this has been done by manually loading each of the two clear-text key parts individually and separately into the ATM. Manual entry of keys is one of the most error-prone and labor-intensive activities that occur during an installation, making it expensive for banks and financial institutions.

Remote Key Loading Benefits

Provides a mechanism to load initial ATM keys without the need to send technical staff to ATMs

Reduces downtime due to key entry errors

Reduces service call and key management costs

Improves the ability to manage ATM conversions and upgrades

Integrated Cryptographic Service Facility (ICSF), together with Crypto Express2, supports the basic mechanisms in Remote Key Loading. The implementation offers a secure bridge between the highly secure Common Cryptographic Architecture (CCA) environment and the various formats and encryption schemes offered by the ATM vendors. The following ICSF services are offered for Remote Key Loading:

Trusted Block Create (CSNDTBC): This callable service is used to create a trusted block containing a public key and some processing rules.

Remote Key Export (CSNDRKX): This callable service uses the trusted block to generate or export DES keys for local use and for distribution to an ATM or other remote device.

Refer to the Application Programmer's Guide, SA22-7522, for additional details.

Improved Key Exchange With Non-CCA Cryptographic Systems

IBM Common Cryptographic Architecture (CCA) employs Control Vectors to control usage of cryptographic keys. Non-CCA systems use other mechanisms, or may use keys that have no associated control information. This enhancement provides the ability to exchange keys between CCA systems and systems that do not use Control Vectors. Additionally, it allows the CCA system owner to define the permitted types of key import and export, which can help to prevent uncontrolled key exchange that would open the system to an increased threat of attack.

These enhancements are exclusive to System z10 and System z9, and are supported by z/OS and by z/VM for z/OS guest exploitation.
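The control-vector binding described above, as an added example that is not IBM's code: a simplified Go model in which an 8-byte control vector is XORed into a double-length key-encrypting key before each half of a DES key is enciphered with TDES, so a token relabelled with a different usage unwraps to unrelated bytes. The CV byte patterns and sample keys are constructed for this model; the real CCA token layout and CV bit assignments are not reproduced.

```go
package main

import (
	"crypto/des"
	"fmt"
)

// Constructed control vectors for this model; real CCA CV bit layouts differ.
var (
	CVDataKey = []byte{0x00, 0x00, 0x7D, 0x00, 0x03, 0x00, 0x00, 0x00} // encipher/decipher data only
	CVPINKey  = []byte{0x00, 0x21, 0x7D, 0x00, 0x03, 0x00, 0x00, 0x00} // PIN processing only
)

// cvCrypt enciphers (or deciphers) both 8-byte halves of a double-length DES key with
// two-key TDES under the variant KEK xor CV, so the CV is part of the wrapping key.
func cvCrypt(kek, cv, in []byte, decipher bool) ([]byte, error) {
	if len(kek) != 16 || len(cv) != 8 || len(in) != 16 {
		return nil, fmt.Errorf("need 16-byte KEK, 8-byte CV and 16-byte key")
	}
	k := make([]byte, 24) // K1', K2', K1' where Kn' = Kn xor CV
	for i := range k {
		k[i] = kek[i%16] ^ cv[i%8]
	}
	blk, err := des.NewTripleDESCipher(k)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 16)
	for off := 0; off < 16; off += 8 {
		if decipher {
			blk.Decrypt(out[off:off+8], in[off:off+8])
		} else {
			blk.Encrypt(out[off:off+8], in[off:off+8])
		}
	}
	return out, nil
}

// WrapKey yields the enciphered halves for a key token; UnwrapKey recovers the clear key only under the token's own CV.
func WrapKey(kek, cv, key []byte) ([]byte, error)       { return cvCrypt(kek, cv, key, false) }
func UnwrapKey(kek, cv, wrapped []byte) ([]byte, error) { return cvCrypt(kek, cv, wrapped, true) }

func main() {
	kek := []byte("0123456789ABCDEF") // constructed sample double-length KEK
	key := []byte("fedcba9876543210") // constructed sample double-length DES key
	w, _ := WrapKey(kek, CVDataKey, key)
	ok, _ := UnwrapKey(kek, CVDataKey, w) // same CV: the key is recovered
	bad, _ := UnwrapKey(kek, CVPINKey, w) // relabelled as a PIN key: unrelated bytes
	fmt.Printf("key %x\nsame CV %x\nother CV %x\n", key, ok, bad)
}
```

A key exchanged with a system that carries no control information cannot rely on this binding to enforce usage, which is why the enhancement lets the CCA system owner define which key types may cross that boundary in either direction.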
