IBM z/OS manual Cryptography

Page 28

Cryptography

In the on demand era security will be a strong requirement. The zSeries products will continue to address security with announcements and deliveries of products and features.

The main focus in cryptography will continue to be very high and scalable performance for SSL algorithms, and secondly, to provide security-rich, symmetric performance for financial and banking applications using PIN/POS type encryption. As in the past, zSeries will be designed to deliver seamless integration of the cryptography facilities through use of ICSF. Use of ICSF will enable applications to work without change regardless of how and where the cryptographic functions are implemented, and will also enable the cryptography work to be load balanced across the hardware resources. Finally, we will be focused on required certifications and open standards.

The existing PCI Cryptographic Accelerator (PCICA) continues to be available on the z990 for SSL acceleration/clear key operations. To support the increased number of LPARs available on z990, the configuration options for the PCICA (introduced with the z900) will be extended to allow sharing of a PCICA over the whole range of LPARs, with a maximum of 16 LPARs sharing one PCICA adapter.

In addition to the PCICA, the PCIX Cryptographic Coprocessor (PCIXCC) was introduced as a functional replacement for the CMOS Cryptographic Coprocessor and the PCI Cryptographic Coprocessor. The PCIXCC design introduces a breakthrough concept which supports applications with high security demands that require a FIPS 140-2 level 4 certified crypto module; it also serves as an execution environment for customer-written programs and as a high performance path for Public Key / SSL operations. The PCIXCC design supports almost all of the past cryptographic functions which were provided on the zSeries 900 via the CMOS Cryptographic Coprocessor (CCF) and the PCI Cryptographic Coprocessor (PCICC). At the system software level, the SSL related operations will be directed to the PCICA adapter and the secure crypto operations to the PCIXCC adapter.

The zSeries cryptography is further advanced with the introduction of the CP Assist for Cryptographic Function (CPACF), which is designed to deliver cryptographic support on every Central Processor (CP). With enhanced scalability and data rates, the z990 processor is designed to provide a set of symmetric cryptographic functions, synchronously executed, which enormously enhance the performance of the encrypt/decrypt function of SSL, VPN and data storing applications which do not require FIPS 140-2 level 4 security. The on-processor crypto functions run at z990 processor speed, an order of magnitude faster than the CMOS Crypto Coprocessor in the zSeries 900. As these crypto functions are implemented in each and every CP, the affinity problem of pre-z990 systems (which had only two CMOS Crypto Coprocessors) is virtually eliminated. The Crypto Assist Architecture includes DES and T-DES data encryption/decryption, MAC message authentication and SHA-1 secure hashing; all of these functions are directly available to application programs (zSeries Architecture instructions) and so will help reduce programming overhead. To conform with US Export and Import Regulations of other countries, a SE panel is provided for proper enable/disable of 'strong' cryptographic functions.

The Trusted Key Entry (TKE) 4.1 code level workstation is an optional feature that can provide a basic key management system and Operational Key Entry support. The key management system allows an authorized person
