IBM System z10 Business Class (z10 BC) Reference Guide: TKE additional smart cards (new feature), System z10 BC cryptographic migration

Page 40

TKE additional smart cards – new feature

You can order Java-based blank smart cards that carry a highly efficient cryptographic and data-management application built into read-only memory, for the storage of keys, certificates, passwords, applications, and data. The TKE blank smart cards are compliant with FIPS 140-2 Level 2. An order for a quantity of one ships 10 smart cards.

System z10 BC cryptographic migration

Clients using a User Defined Extension (UDX) of the Common Cryptographic Architecture should contact their UDX provider for an application upgrade before ordering a new System z10 BC machine, or before planning to migrate or activate a UDX application on firmware driver level 73 or higher.

The Crypto Express2 feature is supported on the z9 BC and can be carried forward on an upgrade to the System z10 BC.

You may continue to use TKE workstations with 5.3 licensed internal code to control the System z10 BC.

TKE 5.0 and 5.1 workstations (#0839 and #0859) may be used to control z9 EC, z9 BC, z890, and IBM eServer zSeries 990 (z990) servers.

Remote Loading of Initial ATM Keys

Typically, a new ATM has none of the financial institution's keys installed. Remote Key Loading refers to the process of loading Data Encryption Standard (DES) keys into Automated Teller Machines (ATMs) from a central administrative site, without the need for personnel to visit each machine and load the DES keys by hand. Historically this has been done by loading each of the two clear-text key parts individually and separately into each ATM. Manual key entry is one of the most error-prone and labor-intensive activities of an installation, making it expensive for banks and financial institutions.

Remote Key Loading Benefits

Provides a mechanism to load initial ATM keys without the need to send technical staff to ATMs

Reduces downtime due to key entry errors

Reduces service call and key management costs

Improves the ability to manage ATM conversions and upgrades

Integrated Cryptographic Service Facility (ICSF), together with Crypto Express2, supports the basic mechanisms of Remote Key Loading. The implementation offers a secure bridge between the highly secure Common Cryptographic Architecture (CCA) environment and the various formats and encryption schemes offered by the ATM vendors. The following ICSF services are offered for Remote Key Loading:

Trusted Block Create (CSNDTBC): This callable service is used to create a trusted block containing a public key and some processing rules.

Remote Key Export (CSNDRKX): This callable service uses the trusted block to generate or export DES keys for local use and for distribution to an ATM or other remote device.

Refer to the ICSF Application Programmer's Guide, SA22-7522, for additional details.

Improved Key Exchange With Non-CCA Cryptographic Systems

IBM Common Cryptographic Architecture (CCA) employs control vectors to control the usage of cryptographic keys. Non-CCA systems use other mechanisms, or may use keys that have no associated control information. This enhancement provides the ability to exchange keys between CCA systems and systems that do not use control vectors. Additionally, it allows the CCA system owner to define the permitted types of key import and export, which helps prevent uncontrolled key exchange that could open the system to an increased threat of attack. The point of that restriction is that a key exported to a non-CCA system leaves without its control vector, so the usage limits it carried are no longer enforced outside the CCA boundary.

These enhancements are exclusive to System z10 and System z9, and are supported by z/OS and by z/VM for z/OS guest exploitation.
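As an added example (not code from the z10 BC guide, from ICSF, or from IBM's CCA implementation), the Go program below models what the two Remote Key Loading services above and the control-vector mechanism do for an initial ATM key: the host keeps a copy of the key wrapped under a key-encrypting key bound to a control vector (modelled, following the CCA pattern, by triple-DES encrypting each 8-byte half of the key under KEK XOR CV), and the same key goes to the ATM under the RSA public key that a trusted block would carry. The control vector values, the RSA-OAEP export format and its oaepLabel, and all function names (WrapWithCV, UnwrapWithCV, ExportToATM, RunRemoteKeyLoad) are this example's own assumptions; the real ATM-side formats are vendor specific, and CSNDTBC/CSNDRKX execute inside the Crypto Express2 coprocessor rather than in host code like this.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Illustrative control vectors (assumed values, not real CCA encodings): one marks a
// PIN-encrypting key, the other a general DATA key. A 16-byte CV covers both halves of a
// double-length DES key.
var (
	CVPinKey  = bytes.Repeat([]byte{0x00, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 2)
	CVDataKey = bytes.Repeat([]byte{0x00, 0x00, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x00}, 2)
)

var oaepLabel = []byte("atm-initial-key") // assumed context label for the RSA export

// cvTransform applies the CCA-style wrapping rule: each 8-byte half of the key is
// triple-DES processed under the KEK variant (KEK XOR CV), so only a party that presents
// the same control vector recovers the key. decrypt=false wraps, decrypt=true unwraps.
func cvTransform(kek, cv, in []byte, decrypt bool) ([]byte, error) {
	if len(kek) != 16 || len(cv) != 16 || len(in) != 16 {
		return nil, fmt.Errorf("kek, cv and key must each be 16 bytes")
	}
	variant := make([]byte, 24) // K1 || K2 || K1: two-key triple DES
	for i := 0; i < 16; i++ {
		variant[i] = kek[i] ^ cv[i]
	}
	copy(variant[16:], variant[:8])
	c, err := des.NewTripleDESCipher(variant)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 16)
	for off := 0; off < 16; off += 8 { // each half separately, ECB
		if decrypt {
			c.Decrypt(out[off:off+8], in[off:off+8])
		} else {
			c.Encrypt(out[off:off+8], in[off:off+8])
		}
	}
	return out, nil
}

// WrapWithCV yields the host-side token of key bound to cv; UnwrapWithCV reverses it.
// A wrong cv does not fail: it silently yields an unrelated 16 bytes.
func WrapWithCV(kek, cv, key []byte) ([]byte, error)     { return cvTransform(kek, cv, key, false) }
func UnwrapWithCV(kek, cv, token []byte) ([]byte, error) { return cvTransform(kek, cv, token, true) }

// ExportToATM is the "export to a remote device" half of Remote Key Export: the clear key
// leaves under the ATM's RSA public key (the key a trusted block carries). RSA-OAEP is an
// assumption of this example; the real ATM-side format is vendor specific.
func ExportToATM(atmPub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, atmPub, key, oaepLabel)
}

// RunRemoteKeyLoad generates an initial ATM key, keeps a CV-bound host copy, exports the
// same key to a simulated ATM, and reports: the host copy unwraps under the correct CV,
// relabeling the PIN-key token as a DATA key does not expose the key, and the ATM recovers
// the exported key.
func RunRemoteKeyLoad() (hostOK, forgedDiffers, atmOK bool, err error) {
	buf := make([]byte, 32)
	if _, err = rand.Read(buf); err != nil {
		return
	}
	kek, key := buf[:16], buf[16:]                    // host KEK and the new ATM key
	atmPriv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the ATM's key pair
	if err != nil {
		return
	}
	token, err := WrapWithCV(kek, CVPinKey, key)
	if err != nil {
		return
	}
	back, _ := UnwrapWithCV(kek, CVPinKey, token)
	forged, _ := UnwrapWithCV(kek, CVDataKey, token) // attempt to change the key's usage
	hostOK, forgedDiffers = bytes.Equal(back, key), !bytes.Equal(forged, key)
	blob, err := ExportToATM(&atmPriv.PublicKey, key)
	if err != nil {
		return
	}
	atmCopy, err := rsa.DecryptOAEP(sha256.New(), nil, atmPriv, blob, oaepLabel)
	if err != nil {
		return
	}
	atmOK = bytes.Equal(atmCopy, key)
	return
}

func main() {
	hostOK, forgedDiffers, atmOK, err := RunRemoteKeyLoad()
	if err != nil {
		panic(err)
	}
	fmt.Println("host round trip:", hostOK, "forged CV differs:", forgedDiffers, "ATM round trip:", atmOK)
}
```

The check worth noticing is the second one: unwrapping the PIN-key token with the DATA-key control vector does not fail, it just returns 16 unrelated bytes, which is how the control vector keeps a key's permitted usage attached to it for as long as the key stays inside CCA. The RSA export shows the other side of the bridge: the copy that reaches the ATM carries no control vector at all, which is why the key-exchange enhancement above lets the system owner restrict which import and export types are permitted.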

