IBM Z10 BC manual Support for 13- thru 19-digit Personal Account Numbers, TKE 5.3 workstation


Support for AES encryption algorithm includes the master key management functions required to load or generate AES master keys, update those keys, and re-encipher key tokens under a new master key.

Support for 13- thru 19-digit Personal Account Numbers

Credit card companies sometimes perform card security code computations based on Personal Account Number (PAN) data. Currently, ICSF callable services CSNBCSV (VISA CVV Service Verify) and CSNBCSG (VISA CVV Service Generate) are used to verify and to generate a VISA Card Verification Value (CVV) or a MasterCard Card Verification Code (CVC). The ICSF callable services currently support 13-, 16-, and 19-digit PAN data. To provide additional flexibility, new keywords PAN-14, PAN-15, PAN-17, and PAN-18 are implemented in the rule array for both CSNBCSG and CSNBCSV to indicate that the PAN data is comprised of 14, 15, 17, or 18 PAN digits, respectively.

Support for 13- through 19-digit PANs is exclusive to System z10 and is offered by z/OS and z/VM for guest exploitation.

TKE 5.3 workstation

The Trusted Key Entry (TKE) workstation and the TKE 5.3 level of Licensed Internal Code are optional features on the System z10 BC. The TKE 5.3 Licensed Internal Code (LIC) is loaded on the TKE workstation prior to shipment. The TKE workstation offers security-rich local and remote key management, providing authorized persons a method of operational and master key entry, identification, exchange, separation, and update. The TKE workstation supports connectivity to an Ethernet Local Area Network (LAN) operating at 10 or 100 Mbps. Up to ten TKE workstations can be ordered.

Enhancement with TKE 5.3 LIC

The TKE 5.3 level of LIC includes support for the AES encryption algorithm, adds 256-bit master keys, and includes the master key management functions required to load or generate AES master keys to cryptographic coprocessors in the host.

Also included is an imbedded screen capture utility to permit users to create and to transfer TKE master key entry instructions to diskette or DVD. Under ‘Service Management’ a “Manage Print Screen Files” utility will be available to all users.

The TKE workstation and TKE 5.3 LIC are available on the z10 EC, z10 BC, z9 EC, and z9 BC.

Smart Card Reader

Support for an optional Smart Card Reader attached to the TKE 5.3 workstation allows for the use of smart cards that contain an embedded microprocessor and associated memory for data storage. Access to and the use of confidential data on the smart cards is protected by a user-defined Personal Identification Number (PIN).

TKE 5.3 LIC has added the capability to store key parts on DVD-RAMs and continues to support the ability to store key parts on paper, or optionally on a smart card. TKE 5.3 LIC has limited the use of floppy diskettes to read-only. The TKE 5.3 LIC can remotely control host cryptographic coprocessors using a password-protected authority signature key pair either in a binary file or on a smart card.

The Smart Card Reader, attached to a TKE workstation with the 5.3 level of LIC, will support System z10 BC, z10 EC, z9 EC, and z9 BC. However, TKE workstations with 5.0, 5.1 and 5.2 LIC must be upgraded to TKE 5.3 LIC.
