IBM 890 manual zSeries Security Certification Cryptography, Logical Partitions, z/OS, z/VM

and microcode design will support almost all of the past Cryptographic functions that were provided on the zSeries 800 and 900 via the CMOS Cryptographic Coprocessor (CCF) and the PCI Cryptographic Coprocessor (PCICC). At the system software level the SSL-related operations will be directed to the PCICA adapter and the Secure Crypto operations to the PCIXCC adapter.

The zSeries cryptography is further advanced with the introduction of the Cryptographic Assist Architecture implemented on every z890 and z990 processor (CPU). With enhanced scalability and data rates the z890 and z990 processor is designed to provide a set of symmetric cryptographic functions, synchronously executed, which enormously enhance the performance of the en/decrypt function of SSL, VPN (Virtual-Private-Network) and data storing applications which do not require FIPS 140-2 level 4 security. The on-processor crypto functions run at z890 or z990 processor speed, an order of magnitude faster than the CMOS Crypto Coprocessor in the zSeries 800 or

900.As these crypto functions are implemented in each and every CPU the affi nity problem of pre-z990/z890 sys- tems (which had only two CMOS Crypto Coprocessors) is virtually eliminated. The Crypto Assist Architecture includes DES and T-DES data en/decryption, MAC message authen- tication and SHA-1 secure hashing; all of these functions are directly available to application programs (zSeries Architecture instructions) and so will help reduce program- ming overhead. To confi rm with US Export and Import Regulations of other countries, an SE panel is provided for proper enable/disable of ‘strong’ cryptographic functions.

The Trusted Key Entry (TKE) 4.1 code level workstation is an optional feature that can provide a basic key man- agement system and Operational Key Entry support. The key management system allows an authorized person

a method for key identifi cation, exchange, separation, update, backup, and management. The TKE workstation and 4.0 code level are designed to provide a security-rich, remote, and fl exible method of providing Master Key Entry and to remotely manage PCIX Cryptographic Coprocessors.

zSeries Security Certification

Cryptography

•z890/z990 PCIXCC:

–Designed for FIPS 140-2 level 4 certifi cation

•Logical Partitions

–z900 and z800 servers are the fi rst and only to receive Common Criteria certifi cation at EAL5

•Operating Systems Common Criteria Certifi cation

–SUSE LINUX on zSeries

–SUSE SLES 8 has been certifi ed at Controlled Access Protection Profi le (CAPP) EAL3+

•z/OS 1.6

–z/OS 1.6 is under evaluation for Controlled Access Protection Profi le (CAPP) EAL3+ and Labeled Security Protection Profi le (LSPP) EAL3+

•z/VM

–IBM has applied for Common Criteria Controlled (ISO/IEC 15408) certifi cation of z/VM V5.1 with the RACF® for z/VM optional feature against the Con- trolled Access Protection Profi le (CAPP) and the Labeled Security Protection Profi le (LSPP), both at the EAL3+ assurance level