IBM Z10 BC manual Support for ISO, Support for RSA keys up to 4096 bits, Secure Key AES

Page 38

Improved key exchange – Improved key exchange with non-CCA cryptographic systems has been added. New features added to IBM Common Cryptographic Architecture (CCA) are designed to enhance the ability to exchange keys between CCA systems and systems that do not use control vectors, by allowing the CCA system owner to define the permitted types of key import and export while preventing uncontrolled key exchange that could open the system to an increased threat of attack.

These are supported by z/OS and by z/VM for guest exploitation.

Support for ISO 16609

Support for ISO 16609 CBC Mode T-DES Message Authentication Code (MAC) requirements. ISO 16609 CBC Mode T-DES MAC is accessible through ICSF function calls made in the PCI-X Cryptographic Adapter segment 3 Common Cryptographic Architecture (CCA) code.

This is supported by z/OS and by z/VM for guest exploitation.
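The construction named above, a CBC-mode Triple-DES MAC, as an added illustration in Go. This is not ICSF, CCA or adapter code; it only shows the arithmetic behind the function ICSF exposes. It assumes a zero IV, zero-byte padding to a whole number of 8-byte blocks (ISO 9797-1 padding method 1) and a MAC taken from the leftmost bytes of the final CBC block; the function names, the sample key and the sample message are this example's own, constructed values.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Added example, not ICSF or CCA code. Assumptions: a zero IV, zero-byte
// padding to a whole number of 8-byte blocks (ISO 9797-1 padding method 1),
// and a MAC taken from the leftmost macLen bytes of the final CBC block.

// Iso16609TdesMac computes a CBC-mode Triple-DES MAC over msg. key is 16
// bytes (two-key TDES, used as K1,K2,K1) or 24 bytes (three-key TDES).
func Iso16609TdesMac(key, msg []byte, macLen int) ([]byte, error) {
	if len(key) == 16 {
		// crypto/des wants 24 bytes; two-key TDES is K1||K2||K1.
		key = append(append([]byte{}, key...), key[:8]...)
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize() // 8
	if macLen < 1 || macLen > bs {
		return nil, errors.New("macLen must be between 1 and 8 bytes")
	}
	// Padding method 1: zero bytes up to a block boundary; an empty
	// message becomes one all-zero block.
	padded := append([]byte{}, msg...)
	if rem := len(padded) % bs; rem != 0 || len(padded) == 0 {
		padded = append(padded, make([]byte, bs-rem)...)
	}
	// CBC chaining from a zero IV. Every block, intermediate ones included,
	// goes through full TDES (EDE); the ANSI X9.19 retail MAC differs by
	// running single DES over the intermediate blocks.
	prev := make([]byte, bs)
	buf := make([]byte, bs)
	for i := 0; i < len(padded); i += bs {
		for j := 0; j < bs; j++ {
			buf[j] = padded[i+j] ^ prev[j]
		}
		block.Encrypt(prev, buf)
	}
	return append([]byte{}, prev[:macLen]...), nil
}

// VerifyIso16609TdesMac recomputes the MAC for msg and compares it to mac in
// constant time, so a verifier does not leak how many bytes matched.
func VerifyIso16609TdesMac(key, msg, mac []byte) (bool, error) {
	want, err := Iso16609TdesMac(key, msg, len(mac))
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(want, mac) == 1, nil
}

func main() {
	// Constructed sample key and message, not real banking data.
	key := []byte("0123456789ABCDEF")
	msg := []byte("TRANSFER 00001000 FROM 1234 TO 5678")
	mac, err := Iso16609TdesMac(key, msg, 4)
	if err != nil {
		panic(err)
	}
	fmt.Printf("MAC: %x\n", mac)
	ok, _ := VerifyIso16609TdesMac(key, msg, mac)
	fmt.Println("verify original:", ok)
	tampered := bytes.Replace(msg, []byte("00001000"), []byte("00009000"), 1)
	ok, _ = VerifyIso16609TdesMac(key, tampered, mac)
	fmt.Println("verify tampered:", ok)
}
```

Two points worth keeping in mind when reading this against the ICSF service: padding method 1 cannot distinguish a message from the same message with trailing zero bytes appended, which is why the receiving side must know the exact message length, and the MAC length (4 bytes above) and padding rule are choices the calling application fixes, not properties of TDES itself.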

Support for RSA keys up to 4096 bits

The RSA services in the CCA API are extended to support RSA keys with modulus lengths up to 4096 bits. The services affected include key generation, RSA-based key management, digital signatures, and other functions related to these.

Refer to the ICSF Application Programmer's Guide, SA22-7522, for additional details.

Cryptographic enhancements to Crypto Express2 and Crypto Express2-1P

Dynamically add crypto to a logical partition.

Today, users can preplan the addition of Crypto Express2 features to a logical partition (LP) by using the Crypto page in the image profile to define the Cryptographic Candidate List, Cryptographic Online List, and Usage and Control Domain Indexes in advance of crypto hardware installation.

With the change to dynamically add crypto to a logical partition, changes to image profiles to support Crypto Express2 features are available without an outage to the logical partition. Users can also dynamically delete or move Crypto Express2 features. Preplanning is no longer required.

This enhancement is supported by z/OS, z/VM for guest exploitation, z/VSE, and Linux on System z.

Secure Key AES

The Advanced Encryption Standard (AES) is a National Institute of Standards and Technology specification for the encryption of electronic data. It is expected to become the accepted means of encrypting digital information, including financial, telecommunications, and government data.

AES is the symmetric algorithm of choice, instead of Data Encryption Standard (DES) or Triple-DES, for the encryption and decryption of data. The AES encryption algorithm will be supported with secure (encrypted) keys of 128, 192, and 256 bits. The secure key approach, similar to what is supported today for DES and TDES, provides the ability to keep the encryption keys protected at all times, including the ability to import and export AES keys using RSA public key technology.
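The secure key approach described above, modelled in Go as an added example. This is not CCA or ICSF code and does not reproduce CCA's key token format or key-wrapping methods; it shows the idea: the application only ever holds a token, the AES key in clear form exists only inside the boundary that owns the master key, and a key leaves that boundary solely as a blob encrypted under the receiving system's RSA public key. The `Hsm` and `SecureKeyToken` names, the in-memory AES-256 master key, AES-GCM as the sealing mechanism and RSA-OAEP with SHA-256 for transport are all this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Added example, not CCA/ICSF code. The application holds only a token (the AES
// key sealed under an HSM master key); the clear key exists only inside the Hsm
// methods and leaves the box solely as an RSA-OAEP-wrapped blob.
type SecureKeyToken []byte // nonce || AES-GCM(masterKey, clearKey)

// Hsm stands in for the tamper-resistant boundary that alone holds these keys.
type Hsm struct {
	masterKey []byte // AES-256 key-encrypting key, generated in memory
	priv      *rsa.PrivateKey
}

func NewHsm(priv *rsa.PrivateKey) *Hsm { return &Hsm{masterKey: randomBytes(32), priv: priv} }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing system RNG is not recoverable here
	}
	return b
}

// sealBlob returns nonce||AES-GCM ciphertext and openBlob reverses it; both
// reject a key that is not 16, 24 or 32 bytes because aes.NewCipher does.
func sealBlob(key, pt []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(blk) // cannot fail for an AES block
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, pt, nil), nil
}

func openBlob(key, blob []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(blk)
	if ns := aead.NonceSize(); len(blob) >= ns {
		return aead.Open(nil, blob[:ns], blob[ns:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// withClearKey unwraps a token and runs op on the clear key without returning
// it; a token sealed by another HSM's master key fails GCM authentication here.
func (h *Hsm) withClearKey(tok SecureKeyToken, op func(k []byte) ([]byte, error)) ([]byte, error) {
	clearKey, err := openBlob(h.masterKey, tok)
	if err != nil {
		return nil, err
	}
	return op(clearKey)
}

// GenerateAESKey returns a token for a fresh 128-, 192- or 256-bit key.
func (h *Hsm) GenerateAESKey(bits int) (SecureKeyToken, error) {
	if bits != 128 && bits != 192 && bits != 256 {
		return nil, errors.New("AES key size must be 128, 192 or 256 bits")
	}
	return sealBlob(h.masterKey, randomBytes(bits/8))
}

// Encrypt and Decrypt take the token, not the key: callers never see the key.
func (h *Hsm) Encrypt(tok SecureKeyToken, pt []byte) ([]byte, error) {
	return h.withClearKey(tok, func(k []byte) ([]byte, error) { return sealBlob(k, pt) })
}
func (h *Hsm) Decrypt(tok SecureKeyToken, ct []byte) ([]byte, error) {
	return h.withClearKey(tok, func(k []byte) ([]byte, error) { return openBlob(k, ct) })
}

// ExportKey wraps the clear key under the peer's RSA public key (RSA-OAEP with
// SHA-256) so that only the peer's HSM, holding the private key, can recover it.
func (h *Hsm) ExportKey(tok SecureKeyToken, peer *rsa.PublicKey) ([]byte, error) {
	return h.withClearKey(tok, func(k []byte) ([]byte, error) {
		return rsa.EncryptOAEP(sha256.New(), rand.Reader, peer, k, nil)
	})
}

// ImportKey opens an RSA-wrapped key with the local private key, checks that it
// has an AES key length, and at once re-seals it under the local master key.
func (h *Hsm) ImportKey(blob []byte) (SecureKeyToken, error) {
	clearKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, h.priv, blob, nil)
	if err != nil {
		return nil, err
	}
	if n := len(clearKey); n != 16 && n != 24 && n != 32 {
		return nil, errors.New("imported key is not an AES key length")
	}
	return sealBlob(h.masterKey, clearKey)
}
```

To exercise it, build two `Hsm` values from two `rsa.GenerateKey` results (2048-bit keys keep the run short; the page states CCA's RSA services go up to 4096 bits), call `GenerateAESKey(256)` and `Encrypt` on the first, `ExportKey` to the second's public key, `ImportKey` on the second, and `Decrypt` there: the second system can read the first system's ciphertext, while the first system's attempt to use the second's token fails authentication because each token is sealed under its own master key.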
