IBM Z10 BC manual TKE additional smart cards - new feature, System z10 BC cryptographic migration

TKE additional smart cards – new feature

You have the capability to order Java-based blank smart cards which offers a highly effi cient cryptographic and data management application built-in to read-only memory for storage of keys, certifi cates, passwords, applications, and data. The TKE blank smart cards are compliant with FIPS 140-2 Level 2. When you place an order for a quantity of one, you are shipped 10 smart cards.

System z10 BC cryptographic migration

Clients using a User Defi ned Extension (UDX) of the Common Cryptographic Architecture should contact their UDX provider for an application upgrade before order- ing a new System z10 BC machine; or before planning to migrate or activate a UDX application to fi rmware driver level 73 and higher.

•The Crypto Express2 feature is supported on the z9 BC and can be carried forward on an upgrade to the System z10 BC

•You may continue to use TKE workstations with 5.3 licensed internal code to control the System z10 BC

•TKE 5.0 and 5.1 workstations (#0839 and #0859) may be used to control z9 EC, z9 BC, z890, and IBM eServer zSeries 990 (z990) servers

Remote Loading of Initial ATM Keys

Typically, a new ATM has none of the fi nancial institution’s keys installed. Remote Key Loading refers to the pro- cess of loading Data Encryption Standard (DES) keys to Automated Teller Machines (ATMs) from a central admin- istrative site without the need for personnel to visit each machine to manually load DES keys. This has been done by manually loading each of the two clear text key parts individually and separately into ATMs. Manual entry of keys is one of the most error-prone and labor-intensive activities that occur during an installation, making it expen- sive for the banks and fi nancial institutions.

Remote Key Loading Benefits

•Provides a mechanism to load initial ATM keys without the need to send technical staff to ATMs

•Reduces downtime due to key entry errors

•Reduces service call and key management costs

•Improves the ability to manage ATM conversions and upgrades

Integrated Cryptographic Service Facility (ICSF), together with Crypto Express2, support the basic mechanisms in Remote Key Loading. The implementation offers a secure bridge between the highly secure Common Cryptographic Architecture (CCA) environment and the various formats and encryption schemes offered by the ATM vendors. The following ICSF services are offered for Remote Key loading:

•Trusted Block Create (CSNDTBC): This callable service is used to create a trusted block containing a public key and some processing rules

•Remote Key Export (CSNDRKX): This callable service uses the trusted block to generate or export DES keys for local use and for distribution to an ATM or other remote device

Refer to Application Programmers Guide, SA22-7522, for additional details.

Improved Key Exchange With Non-CCA Cryptographic Systems

IBM Common Cryptographic Architecture (CCA) employs Control Vectors to control usage of cryptographic keys. Non-CCA systems use other mechanisms, or may use keys that have no associated control information. This enhancement provides the ability to exchange keys between CCA systems, and systems that do not use Con- trol Vectors. Additionally, it allows the CCA system owner to defi ne permitted types of key import and export which can help to prevent uncontrolled key exchange that can open the system to an increased threat of attack.

These enhancements are exclusive to System z10, and System z9 and are supported by z/OS and z/VM for z/OS guest exploitation.