IBM 890 manual TKE 4.2 and Smart Card Reader Support, TKE 4.2 code

Page 37

2048-bit key RSA management support for the PCICC features on z800 and z900 is transparent to the hardware and is supported by z/OS, z/OS.e, z/VM, and Linux on zSeries. z/VM and Linux on zSeries offer support for clear key operations only. Refer to the Software requirements section for further information. This is an integrated capability on the Crypto Express2 and PCIXCC features on z890 and z990. There is no unique feature.

TKE 4.2 and Smart Card Reader Support

The Trusted Key Entry (TKE) capability is an optional feature of zSeries that provides a basic security key management system. The key management system provides authorized persons a method of security key identification, exchange, separation, update, and management. TKE 4.2 with optional smart card reader allows access to and use of confidential data on the smart card protected by a user-defined personal identification number (PIN) code, providing storage, access, transport and entry of master and operational key parts into the TKE workstation in a security-rich environment.

Support for an optional Smart Card Reader attached to the TKE 4.2 workstation allows access to and use of confidential data on the smart card protected by a user-defined personal identification number (PIN) code, providing secure storage, access, transport and entry of master and operational key parts into the TKE workstation.

TKE 4.2 with Smart Card Reader and smart card has four major functions:

Storing ICSF key parts, specifically, master and operational key parts

Storing 4758 PCI Cryptographic Coprocessor master key parts

Generating, storing, and using a TKE authority signature key pair

Generating, storing, and using a 4758 logon key pair

For example, the smart card is able to store one or more 4758 PCI Cryptographic Coprocessor master key parts. The parts are stored in the "clear" on the smart card. The master key parts are generated by the 4758 PCI Cryptographic Coprocessor card within the TKE workstation and are transferred to the smart card for storage and later read back to the 4758 PCI Cryptographic Coprocessor card for processing. The master key parts are encrypted, for added security, during transport between the smart card and the 4758 PCI Cryptographic Coprocessor card.
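The key-part model described above (several authorities each holding one part, parts kept on a PIN-protected card, the full master key only ever assembled inside the coprocessor) can be illustrated with a small split-knowledge simulation. This is an added example, not IBM's TKE or ICSF code: it assumes that parts are combined by XOR (the usual ICSF convention, not stated on this page), uses a 24-byte key length and a three-try PIN lockout as constructed assumptions, and uses a truncated SHA-256 digest as a stand-in for the coprocessor's verification pattern. The SmartCard class, generate_key_part, combine_key_parts, verification_pattern and enter_master_key are all hypothetical names.

```python
"""Split-knowledge master key entry, modelled after the TKE key-part flow (constructed example)."""
import hashlib
import hmac
import os

KEY_LEN = 24        # assumed: a triple-length DES master key (3 x 8 bytes)
MAX_PIN_TRIES = 3   # assumed: failed PIN attempts before the card locks itself


def generate_key_part(rng=os.urandom) -> bytes:
    """One authority's key part. In TKE the 4758 generates it; here os.urandom stands in."""
    return rng(KEY_LEN)


def combine_key_parts(parts) -> bytes:
    """XOR all parts together (assumed ICSF convention). Any subset short of the full set
    yields no information about the final key, which is what gives split knowledge."""
    if not parts:
        raise ValueError("at least one key part is required")
    combined = bytes(KEY_LEN)
    for part in parts:
        if len(part) != KEY_LEN:
            raise ValueError("key part has wrong length")
        combined = bytes(a ^ b for a, b in zip(combined, part))
    return combined


def verification_pattern(key: bytes) -> str:
    """Short, non-reversible fingerprint so two sides can confirm they hold the same key
    without ever transmitting it (stand-in for the coprocessor's verification pattern)."""
    return hashlib.sha256(b"vp:" + key).hexdigest()[:16]


class SmartCard:
    """Models a card that holds key parts in the clear behind a PIN with a retry counter."""

    def __init__(self, pin: str):
        self._pin = pin.encode()
        self._parts = {}
        self.failed_tries = 0
        self.locked = False

    def _check_pin(self, pin: str) -> None:
        if self.locked:
            raise PermissionError("card is locked")
        # Constant-time compare so the check itself does not leak PIN bytes.
        if not hmac.compare_digest(self._pin, pin.encode()):
            self.failed_tries += 1
            if self.failed_tries >= MAX_PIN_TRIES:
                self.locked = True
            raise PermissionError("wrong PIN")
        self.failed_tries = 0

    def store_part(self, pin: str, label: str, part: bytes) -> None:
        self._check_pin(pin)
        self._parts[label] = bytes(part)

    def read_part(self, pin: str, label: str) -> bytes:
        self._check_pin(pin)
        return self._parts[label]


def enter_master_key(cards, pins, label: str):
    """Each authority presents their own card and PIN; the parts are combined only here,
    which in the real flow is inside the coprocessor. Returns (key, verification pattern)."""
    parts = [card.read_part(pin, label) for card, pin in zip(cards, pins)]
    key = combine_key_parts(parts)
    return key, verification_pattern(key)


if __name__ == "__main__":
    # Two authorities, two cards, two PINs: neither person alone can load the key.
    card_a, card_b = SmartCard("1234"), SmartCard("5678")
    part_a, part_b = generate_key_part(), generate_key_part()
    card_a.store_part("1234", "MK", part_a)
    card_b.store_part("5678", "MK", part_b)
    key, vp = enter_master_key([card_a, card_b], ["1234", "5678"], "MK")
    # Compare only the verification pattern on the other side, never the key itself.
    print("loaded master key, verification pattern", vp,
          "matches:", vp == verification_pattern(combine_key_parts([part_a, part_b])))
```

The point worth noticing is that the combining step is the only place the full key exists; the cards, the transport between card and coprocessor, and the operator's screen only ever see one part or the verification pattern. A real deployment would additionally encrypt the part while it is in transit to the coprocessor, as the text notes, which this simulation does not model.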

The TKE 4.2 Smart Card Reader supports all of the mechanisms available in the current TKE LIC. That is, with the smart card support, it is still possible to store key parts on diskettes or paper, to use a TKE authority key stored on a diskette, and to log on to the 4758 using a pass phrase.

The optional features associated with the TKE 4.2 Smart Card Reader support are:

TKE 4.2 code

TKE 4.2 Smart Card Reader

TKE 4.2 additional Smart Cards

The optional Smart Card Reader, which can be attached to a TKE workstation, is available on the S/390 G6 servers as well as zSeries z800, z900, z890 and z990.

TKE 4.2 code

The TKE 4.2 code is designed to provide a security-rich local and remote method to enter operational and master keys. The TKE 4.2 code also includes support for the Smart Card Reader and provides support for cryptographic hardware features available with S/390 G6 and the zSeries z800, z900, z890 and z990 servers. Currently installed TKE workstations can be upgraded to the TKE 4.2 code.
