IBM z/OS manual Cryptography


Cryptography

In the on demand era security will be a strong requirement. The zSeries products will continue to address security with announcements and deliveries of products and features.

The main focus in cryptography will continue to be very high and scalable performance for SSL algorithms, and secondly, to provide security-rich symmetric performance for financial and banking applications using PIN/POS type encryption. As in the past, zSeries will be designed to deliver seamless integration of the cryptography facilities through use of ICSF. Use of ICSF will enable applications to work without change regardless of how and where the cryptographic functions are implemented, and also enable the cryptography work to be load balanced across the hardware resources. Finally, we will be focused on required certifications and open standards.

The existing PCI Cryptographic Accelerator (PCICA) continues to be available on the z990 for SSL acceleration/clear key operations. To support the increased number of LPARs available on z990, the configuration options for the PCICA (introduced with the z900) will be extended to allow sharing of a PCICA over the whole range of LPARs, with a maximum of 16 LPARs sharing one PCICA adapter.

In addition to the PCICA, the PCIX Cryptographic Coprocessor (PCIXCC) was introduced as a functional replacement for the CMOS Cryptographic Coprocessor and the PCI Cryptographic Coprocessor. The PCIXCC design introduces a breakthrough concept which supports high-security-demanding applications requiring a FIPS 140-2 level 4 certified crypto module, also as an execution environment for customer-written programs and a high performance path for Public Key / SSL operations. The PCIXCC design supports almost all of the past cryptographic functions which were provided on the zSeries 900 via the CMOS Cryptographic Coprocessor (CCF) and the PCI Cryptographic Coprocessor (PCICC). At the system software level the SSL related operations will be directed to the PCICA adapter and the Secure Crypto operations to the PCIXCC adapter.

The zSeries cryptography is further advanced with the introduction of the CP Assist for Cryptographic Function (CPACF), which is designed to deliver cryptographic support on every Central Processor (CP). With enhanced scalability and data rates, the z990 processor is designed to provide a set of symmetric cryptographic functions, synchronously executed, which enormously enhance the performance of the en/decrypt function of SSL, VPN and data storing applications which do not require FIPS 140-2 level 4 security. The on-processor crypto functions run at z990 processor speed, an order of magnitude faster than the CMOS Crypto Coprocessor in the zSeries 900. As these crypto functions are implemented in each and every CP, the affinity problem of pre-z990 systems (which had only two CMOS Crypto Coprocessors) is virtually eliminated. The Crypto Assist Architecture includes DES and T-DES data en/decryption, MAC message authentication and SHA-1 secure hashing; all of these functions are directly available to application programs (zSeries Architecture instructions) and so will help reduce programming overhead. To conform with US Export and Import Regulations of other countries, a SE panel is provided for proper enable/disable of ‘strong’ cryptographic functions.
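The two preceding paragraphs describe a routing policy: clear-key SSL work goes to the PCICA accelerator, secure-key work to the FIPS 140-2 level 4 PCIXCC coprocessor, and symmetric DES/T-DES, MAC and SHA-1 work to the CPACF present on every CP, with ICSF balancing the load across whatever engines exist. The following is an added toy model of that dispatch, not ICSF code and not the real CPACF or ICSF interface; the engine names come from the page, while the `Op` categories, the capability flags, the `busy` counter and the `dispatch` function are assumptions made for illustration. It enforces the security-relevant invariant (a secure-key request is never serviced by a clear-key engine) and shows how a per-CP engine removes the affinity bottleneck the page mentions. SHA-1 and HMAC-SHA1 from the Python standard library stand in for the on-processor hashing and MAC functions.

```python
"""Toy model of ICSF-style routing of crypto requests across zSeries engines.

Constructed example: not ICSF, CPACF or any IBM API. Engine names (PCICA,
PCIXCC, CPACF) are from the page; everything else here is an assumption.
"""
from dataclasses import dataclass, field
from enum import Enum
import hashlib
import hmac


class Op(Enum):
    SSL_RSA_CLEAR = "ssl_clear_key"   # public-key SSL handshake work, clear key
    SECURE_KEY = "secure_key"         # PIN/POS style work; key must never leave a secure module
    SYMMETRIC = "symmetric"           # DES/T-DES/MAC/SHA-1 bulk work, clear key


@dataclass
class Engine:
    name: str
    fips_level4: bool   # tamper-responding secure module (PCIXCC) or not
    ops: set            # operation classes this engine can service
    busy: int = 0       # requests dispatched so far; used for load balancing


def build_engines(num_cps: int = 4) -> list:
    """One PCICA, one PCIXCC, and a CPACF on every CP (assumed counts)."""
    engines = [
        Engine("PCICA", False, {Op.SSL_RSA_CLEAR}),
        Engine("PCIXCC", True, {Op.SECURE_KEY, Op.SSL_RSA_CLEAR}),
    ]
    for i in range(num_cps):
        engines.append(Engine(f"CPACF-CP{i}", False, {Op.SYMMETRIC}))
    return engines


def dispatch(engines: list, op: Op) -> str:
    """Pick an engine for `op`, returning its name.

    Secure-key work is restricted to FIPS 140-2 level 4 engines; clear-key SSL
    prefers the accelerator so the coprocessor stays free for secure work;
    ties are broken by the least-loaded engine (simple load balancing).
    """
    candidates = [e for e in engines if op in e.ops]
    if op is Op.SECURE_KEY:
        candidates = [e for e in candidates if e.fips_level4]
    elif op is Op.SSL_RSA_CLEAR:
        accelerators = [e for e in candidates if not e.fips_level4]
        if accelerators:
            candidates = accelerators
    if not candidates:
        raise LookupError(f"no engine can service {op.value}")
    chosen = min(candidates, key=lambda e: e.busy)
    chosen.busy += 1
    return chosen.name


def symmetric_spread(engines: list, requests: int) -> set:
    """Names of the engines that end up servicing `requests` symmetric jobs.

    With a CPACF on every CP the work spreads over all CPs instead of
    queueing on two coprocessors, which is the affinity point the page makes.
    """
    return {dispatch(engines, Op.SYMMETRIC) for _ in range(requests)}


def sha1_hex(data: bytes) -> str:
    """Stand-in for the on-processor SHA-1 function."""
    return hashlib.sha1(data).hexdigest()


def mac_tag(key: bytes, data: bytes) -> bytes:
    """Stand-in for the MAC function (HMAC-SHA1 here, not the CPACF MAC)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def mac_verify(key: bytes, data: bytes, tag: bytes) -> bool:
    """Constant-time comparison so a wrong tag is rejected without leaking timing."""
    return hmac.compare_digest(mac_tag(key, data), tag)


if __name__ == "__main__":
    engs = build_engines(4)
    print(dispatch(engs, Op.SECURE_KEY))     # PCIXCC
    print(dispatch(engs, Op.SSL_RSA_CLEAR))  # PCICA
    print(sorted(symmetric_spread(engs, 8)))  # all four CPACF engines
    print(sha1_hex(b"abc"))
```

The `LookupError` on a configuration with no level 4 engine is the point of the model: a request for secure-key processing fails closed rather than silently running with the key in the clear on an accelerator.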

The Trusted Key Entry (TKE) 4.1 code level workstation is an optional feature that can provide a basic key management system and Operational Key Entry support. The key management system allows an authorized person
