6947ch05.fm Draft Document for Review April 7, 2004 6:15 pm
124 IBM eServer zSeries 990 Technical Guide
IBM Processor Resource/System Manager (PR/SM) fully supports the PCIX Cryptographic
Coprocessor features to establish a logically partitioned environment in which multiple logical
partitions can use the cryptographic functions. A 128-bit data-protection master key and one
192-bit Public Key Algorithm (PKA) master key are provided for each of 16 cryptographic
domains.
Via the dynamic add/delete of a logical partition name, a logical partition can be renamed: its
name can be changed from 'NAME1' to '*' and then changed again from '*' to 'NAME2'. In
this case, the logical partition number and MIF ID are retained across the logical partition
name change. However, the master keys in PCIXCC that were associated with the old logical
partition 'NAME1' are retained. There is no explicit action taken against a cryptographic
component for this dynamic change.
5.2.3 PCI Cryptographic Accelerator (PCICA) feature
The Peripheral Component Interconnect Cryptographic Accelerator (PCICA) is an orderable
feature on z990. This optional feature is a reduced-function, performance-enhanced addition
to the CPACF and the PCIX Cryptographic Coprocessor. It does not have FIPS 140-2 level 4
certification and is non-programmable.
The z990 also supports the optional PCICA. The PCICA feature is used for the acceleration
of modular arithmetic operations, in particular the complex RSA cryptographic operations
used with the SSL protocol.
This is a unique cryptographic feature for SSL encryption. It has a very fast cryptographic
processor designed to provide leading-edge performance of the complex
Rivest-Shamir-Adleman (RSA) cryptographic operations used in the SSL protocol. In essence,
it is for SSL acceleration rather than for specialized financial applications for secure,
long-term storage of keys or secrets. SSL is an essential and widely used protocol in secure
e-business applications.
Since the PCI Cryptographic Accelerator is only involved in clear key operations, it does not
need the tamper-proof design of the PCIXCC feature.
The PCICA feature provides functions designed for maximum acceleration of the complex
RSA cryptographic operations used with the SSL protocol, including:
• High-speed RSA cryptographic accelerator
• 1024- and 2048-bit RSA operations for the Modulus Exponent (ME) and Chinese
  Remainder Theorem (CRT) formats.
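The two key formats named in the list above, as an added Python example (not IBM code and not
part of the original guide). It shows that the ME and CRT forms of the same private key give
the same result, with CRT using two half-size exponentiations. Assumptions: the function names
are hypothetical, the key is constructed from two Mersenne primes and is not a usable key, and
the operation is raw RSA with no padding.

```python
# Added illustration: the RSA private-key operation in ME and CRT key formats.
# Constructed sample key built from two Mersenne primes so it runs offline.
P = 2**521 - 1
Q = 2**607 - 1
E = 65537

def make_me_key(p, q, e):
    """ME format: modulus n and full-size private exponent d."""
    return {"n": p * q, "d": pow(e, -1, (p - 1) * (q - 1))}

def make_crt_key(p, q, e):
    """CRT format: p, q, dp = d mod (p-1), dq = d mod (q-1), qinv = q^-1 mod p."""
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"p": p, "q": q, "dp": d % (p - 1), "dq": d % (q - 1),
            "qinv": pow(q, -1, p)}

def private_op_me(key, c):
    """One exponentiation with a modulus-sized exponent: c^d mod n."""
    return pow(c, key["d"], key["n"])

def private_op_crt(key, c):
    """Two half-size exponentiations, recombined with Garner's formula."""
    m1 = pow(c % key["p"], key["dp"], key["p"])
    m2 = pow(c % key["q"], key["dq"], key["q"])
    h = (key["qinv"] * (m1 - m2)) % key["p"]
    return m2 + h * key["q"]

def checked_private_op_crt(key, c, e):
    """Added safeguard: re-check the CRT result with the public exponent
    so a miscomputed half is rejected instead of being returned."""
    m = private_op_crt(key, c)
    n = key["p"] * key["q"]
    if pow(m, e, n) != c % n:
        raise ValueError("CRT result failed public-exponent check")
    return m

if __name__ == "__main__":
    me, crt = make_me_key(P, Q, E), make_crt_key(P, Q, E)
    msg = int.from_bytes(b"constructed sample secret", "big")
    c = pow(msg, E, me["n"])
    assert private_op_me(me, c) == checked_private_op_crt(crt, c, E) == msg
    print("exponent bits: ME", me["d"].bit_length(),
          "CRT", crt["dp"].bit_length(), crt["dq"].bit_length())
```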
The maximum number of SSL transactions per second that can be supported on a z990 by
any combination of CPACF and PCICA features is limited by the number of cycles available to
perform the software portion of the SSL transactions. An IBM 2084 model B16 with 16 CPs
active and six PCICA features is designed to provide increased secure Web transaction
performance by supporting greater than 11,000 SSL handshakes per second.
Note: Cryptographic cards are not tied to partition numbers or MIF IDs. They are set up
with AP numbers and domain indices. These are assigned to a partition profile of a given
name. The customer can assign them to the partitions and clear them if needed.