IBM Z10 BC Security Cryptography, Can Do IT securely, CP Assist for Cryptographic Function Cpacf


Security

Cryptography

Today’s world mandates that your systems are secure and available 24/7. The z10 BC employs some of the most advanced security technologies in the industry—helping you to meet rigid regulatory requirements that include encryption solutions, access control management, and extensive auditing features. It also provides disaster recovery configurations and is designed to deliver 99.999% application availability to help avoid the downside of planned downtime, equipment failure, or the complete loss of a data center.

When you need to be more secure, more resilient — z Can Do IT.

The z10 processor chip has on-board cryptographic functions. Standard clear key integrated cryptographic coprocessors provide high speed cryptography for protecting data in storage. CP Assist for Cryptographic Function (CPACF) supports DES, TDES, Secure Hash Algorithms (SHA) for up to 512 bits, Advanced Encryption Standard (AES) for up to 256 bits and Pseudo Random Number Generation (PRNG). Audit logging has been added to the new TKE workstation to enable better problem tracking.

System z is investing in accelerators that provide improved performance for specialized functions. The Crypto Express2 feature for cryptography is an example. The Crypto Express2 feature can be configured as a secure key coprocessor or for Secure Sockets Layer (SSL) acceleration. The feature includes support for 13, 14, 15, 16, 17, 18 and 19 digit Personal Account Numbers for stronger protection of data. And the tamper-resistant cryptographic coprocessor is certified at FIPS 140-2 Level 4. To help customers scale their Crypto Express2 investments for their business needs, Crypto Express2 is also available on z10 BC as a single PCI-X adapter which may be defined as either a coprocessor or an accelerator.

System z security is one of the many reasons why the world’s top banks and retailers rely on the IBM mainframe to help secure sensitive business transactions.

z Can Do IT securely.

The z10 BC includes both standard cryptographic hardware and optional cryptographic features for flexibility and growth capability. IBM has a long history of providing hardware cryptographic solutions, from the development of Data Encryption Standard (DES) in the 1970s to delivering integrated cryptographic hardware in a server to achieve the US Government’s highest FIPS 140-2 Level 4 rating for secure cryptographic hardware.

The IBM System z10 BC cryptographic functions include the full range of cryptographic operations needed for e-business, e-commerce, and financial institution applications. In addition, custom cryptographic functions can be added to the set of functions that the z10 BC offers.

New integrated clear key encryption security features on z10 BC include support for a higher advanced encryption standard and more secure hashing algorithms. Performing these functions in hardware is designed to contribute to improved performance.

Enhancements to eliminate preplanning in the cryptography area include the System z10 function to dynamically add Crypto to a logical partition. Changes to image profiles, to support Crypto Express2 features, are available without an outage to the logical partition. Crypto Express2 features can also be dynamically deleted or moved.

CP Assist for Cryptographic Function (CPACF)

CPACF supports clear-key encryption. All CPACF functions can be invoked by problem state instructions defined by an extension of System z architecture. The function is activated using a no-charge enablement feature and offers the following on every CPACF that is shared between two Processor Units (PUs) and designated as CPs and/or Integrated Facility for Linux (IFL):

DES, TDES, AES-128, AES-192, AES-256

SHA-1, SHA-224, SHA-256, SHA-384, SHA-512

Pseudo Random Number Generation (PRNG)
