2048-bit key RSA management support for the PCICC features on z800 and z900 is transparent to the hardware and is supported by z/OS, z/OS.e, z/VM, and Linux on zSeries. z/VM and Linux on zSeries offer support for clear key operations only. Refer to the Software requirements section for further information. This is an integrated capability on the Crypto Express2 and PCIXCC features on z890 and z990; it is not ordered as a separate feature.

TKE 4.2 and Smart Card Reader Support

The Trusted Key Entry (TKE) capability is an optional feature of zSeries that provides a basic security key management system. The key management system provides authorized persons a method of security key identification, exchange, separation, update, and management.

Support for an optional Smart Card Reader attached to the TKE 4.2 workstation allows access to and use of confidential data on the smart card, protected by a user-defined personal identification number (PIN) code, providing secure storage, access, transport and entry of master and operational key parts into the TKE workstation.

TKE 4.2 with Smart Card Reader and smart card has four major functions:

Storing ICSF key parts, specifically, master and operational key parts

Storing 4758 PCI Cryptographic Coprocessor master key parts

Generating, storing, and using a TKE authority signature key pair

Generating, storing, and using a 4758 logon key pair

For example, the smart card is able to store one or more 4758 PCI Cryptographic Coprocessor master key parts. The parts are stored in the "clear" on the smart card, so the PIN and physical custody of the card are the controls that protect them at rest. The master key parts are generated by the 4758 PCI Cryptographic Coprocessor card within the TKE workstation and are transferred to the smart card for storage and later read back to the 4758 PCI Cryptographic Coprocessor card for processing. The master key parts are encrypted, for added security, during transport between the smart card and the 4758 PCI Cryptographic Coprocessor card.

The TKE 4.2 Smart Card Reader supports all of the mechanisms available in the current TKE LIC. That is, with the smart card support, it is still possible to store key parts on diskettes or paper, to use a TKE authority key stored on a diskette, and to log on to the 4758 using a pass phrase.

The optional features associated with the TKE 4.2 Smart Card Reader support are:

TKE 4.2 code

TKE 4.2 Smart Card Reader

TKE 4.2 additional Smart Cards

The optional Smart Card Reader, which can be attached to a TKE workstation, is available on the S/390 G6 servers as well as zSeries z800, z900, z890 and z990.

TKE 4.2 code

The TKE 4.2 code is designed to provide a security-rich local and remote method to enter operational and master keys. The TKE 4.2 code also includes support for the Smart Card Reader and provides support for the cryptographic hardware features available with S/390 G6 and the zSeries z800, z900, z890 and z990 servers. Currently installed TKE workstations can be upgraded to the TKE 4.2 code.

IBM 890 manual TKE 4.2 and Smart Card Reader Support, TKE 4.2 code