IBM 890 manual Enabling use of less than 512-bit keys for clear key RSA operations

Page 36

A mixture of both secure and clear key applications can run on the same Crypto Express2 feature

Based on the increased throughput, the ability to consolidate both secure key and clear key crypto workloads and I/O slots on the same feature

*The SSL rate was achieved with a z990 with 16 processors and 6 PCICA features (12 accelerator cards). These measurements are examples of the maximum transactions/second achieved in a lab environment with no other processing occurring and do not represent actual field measurements. Details available upon request.

All logical partitions (LPARs) in all Logical Channel SubSystems (LCSSs) have access to the Crypto Express2 feature, up to 30 LPARs per feature.¹¹

The Crypto Express2 feature is exclusive to z890 and z990, requires the October 2004 level of Licensed Internal Code, and is supported by z/OS, z/OS.e, z/VM, VSE/ESA, and Linux on zSeries. z/VM, VSE/ESA and Linux on zSeries offer support for clear key SSL transactions only.

Enabling use of less than 512-bit keys for clear key RSA operations

The Crypto Express2 and PCIXCC features will now support applications that require clear key RSA operations using keys of less than 512 bits, including ICSF Callable services and their corresponding verbs: Digital Signature Verify (CSNDDSV), Public Key Encrypt (CSNDPKE), and Public Key Decrypt (CSNDPKD). All other ICSF Callable services that require a Crypto Express2 or PCIXCC feature continue to require keys of more than 511 bits.

Enabling the lower limit for clear key RSA operations may allow the migration of some additional cryptographic applications to z890 and z990 servers without requiring the applications to be rewritten.

Support of applications that require clear key RSA operations using keys of less than 512 bits applies to the Crypto Express2 and PCIXCC features, is exclusive to z890 and z990, and is supported by z/OS, z/OS.e, and z/VM. Refer to the Hardware and Software requirements sections for more information.

Cryptographic support for 19-digit PANs

Crypto Express2 and PCIXCC now offer CVV generation and verification services for 19-digit PANs. Industry practices for use of Card Validation Value (CVV) are moving to base CVV computations on a 19-digit PAN instead of the 13-digit and 16-digit PANs currently in use and supported by ICSF and the PCIXCC feature. ICSF, Crypto Express2, and PCIXCC now support use of the 19-digit PAN in the CVV generation and verification services (CSNBCSG and CSNBCSV, respectively).

CVV generation and verification services for 19-digit PANs, an anti-fraud security feature, are supported by the Crypto Express2 and PCIXCC features on the z890 and z990 and by z/OS and z/OS.e.

2048-bit key RSA management for PCICC on z800, z900

2048-bit key (clear and secure) RSA management capability for z800 and z900 servers, in support of new Automated Teller Machine (ATM) standards, will be available via the 2048-bit key RSA management for PCICC (#0867) feature. 1024-bit key RSA management is available today via a Functional Control Vector (FCV) on the PCI Cryptographic Coprocessor (PCICC) Enablement diskette (#0865). This capability is unique to PCICC and does not apply to the CMOS Cryptographic Coprocessor Facility (CCF).

The 2048-bit functional control vector (FCV) will support four ICSF services: Public Key Decrypt (PKD), Symmetric Key Import (SYI), Symmetric Key Export (SYX) and Symmetric Key Generate (SYG). Applications that require 2048-bit key RSA management will be able to migrate with ease.
