IBM eServer zSeries 990 (z990) Cryptography Implementation

Book description

The IBM z990 includes both standard cryptographic hardware and optional cryptographic features to give flexibility and growth capability. IBM has a long history of providing hardware cryptographic solutions, from the development of the Data Encryption Standard (DES) in the 1970s to delivering the only integrated cryptographic hardware in a server to achieve the US Government's highest FIPS 140-2 Level 4 rating for secure cryptographic hardware.
This IBM Redbooks publication is designed to help you understand and implement the z/OS Cryptographic PCIXCC and PCICA cards. Although this book focuses on the enablement of the z/OS PCIXCC and PCICA products, cryptography and the available services on z/OS are also discussed and explained, with special attention given to the new Trusted Key Entry (TKE V4) workstation.
This book also reviews the tools available on z/OS for monitoring z990 cryptographic hardware utilization and analyzing performance.

Table of contents

  1. Notices
    1. Trademarks
  2. Preface
    1. The team that wrote this redbook
    2. Become a published author
    3. Comments welcome
  3. Chapter 1: Introduction
    1. Cryptographic function support
      1. Cryptographic Synchronous functions
      2. Cryptographic Asynchronous functions
    2. z990 Cryptographic processors
      1. CP Assist for Cryptographic Function (CPACF)
      2. PCI Extended Cryptographic Coprocessor (PCIXCC)
      3. PCI Cryptographic Accelerator (PCICA) feature
    3. Cryptographic hardware features
      1. PCIX Cryptographic Coprocessor feature
      2. The PCICA feature
      3. Configuration rules
      4. z990 cryptographic feature codes
    4. Integrated Cryptographic Services Facility
      1. CKDS and PKDS
      2. TKE workstation feature
    5. Cryptographic features comparison
    6. Software requirements
  4. Chapter 2: CPACF, PCICA, and PCIXCC product overview
    1. Description of hardware
      1. Definitions
      2. Hardware implementation
      3. Introduction to the z990 PCIXCC, PCICA and CPACF (1/2)
      4. Introduction to the z990 PCIXCC, PCICA and CPACF (2/2)
      5. PCIXCC card: physical security, handling, and shipping
    2. Adjunct Processor (AP) management
      1. Introduction to Adjunct Processor architecture
      2. AP management and PCIXCC initialization
    3. PCIXCC microcode load
      1. The IBM 4758 CCA application
      2. The software hierarchy in the coprocessor
      3. Software requirements: cryptographic functions and hardware
      4. The TKE V4 workstation
  5. Chapter 3: Planning and hardware installation
    1. Hardware requirements
      1. Hardware required for z990
    2. Feature codes
    3. Concurrent PCIXCC/PCICA installation tasks
      1. Concurrent Install on z990
      2. Removing one PCIXCC
    4. Planning list items
  6. Chapter 4: PCIXCC using TKE V4
    1. Introduction to the TKE V4 Workstation
      1. Major changes
      2. Before using the new TKE
      3. The TKE V4 software
      4. TKE workstation installation - general information
      5. TKE definitions
    2. TKE workstation TCP/IP setup
      1. TKE workstation 4758 setup
      2. TKE access control administration (1/2)
      3. TKE access control administration (2/2)
      4. Starting the TKE application
    3. TKE application: managing host Crypto coprocessors
      1. Managing modules
      2. PCIXCC setup on the TKE workstation (1/2)
      3. PCIXCC setup on the TKE workstation (2/2)
      4. Manage and update the Crypto module notebook on TKE (1/2)
      5. Manage and update the Crypto module notebook on TKE (2/2)
      6. PCIXCC module notebook (1/8)
      7. PCIXCC module notebook (2/8)
      8. PCIXCC module notebook (3/8)
      9. PCIXCC module notebook (4/8)
      10. PCIXCC module notebook (5/8)
      11. PCIXCC module notebook (6/8)
      12. PCIXCC module notebook (7/8)
      13. PCIXCC module notebook (8/8)
      14. Backing up the TKE files
    4. 4753 Key Token Migration facility
  7. Chapter 5: ICSF support for CPACF, PCIXCC, and PCICA
    1. CP Assist for Cryptographic Functions (CPACF) feature
    2. LPAR setup
      1. Planning considerations
      2. The image profile processor page
      3. The PCI Crypto page
      4. Viewing LPAR Cryptographic Controls
    3. PCIXCC and PCICA feature installation
      1. PCIXCC and PCICA enablement
      2. Configuring and monitoring the status of PCIXCC and PCICA
      3. Security issues with the PCI Cryptographic cards
    4. Integrated Cryptographic Services Facility (ICSF) setup
      1. Changes from previous release
      2. Started task and the first time start
      3. Master Keys
      4. Initial Master Key entry with the pass phrase initialization utility
      5. Installation of a new PCIXCC or PCICA card
      6. PKDS initialization
  8. Chapter 6: Performance and monitoring
    1. z990 Crypto hardware performance considerations
    2. Monitoring and reporting
      1. RMF reporting
      2. ICSF SMF records
      3. Example using RMF and SMF data
  9. Appendix A: Exploiters
    1. The APIs
    2. Overview of the IBM exploiters
      1. z/OS Open Cryptographic Services Facility (OCSF)
      2. IBM HTTP Server for z/OS
      3. z/OS LDAP server and client
      4. CICS Transaction Server and CICS Transaction Gateway
      5. z/OS TN3270 server
      6. z/OS Firewall Technologies
      7. GSKKYMAN
      8. z/OS DCE
      9. z/OS Network Authentication Service (Kerberos)
      10. Payment processing products
      11. VTAM Session Level Encryption
      12. RACF
      13. z/OS Public Key Infrastructure (PKI) services
      14. Crypto Based Transactions (CBT) banking solution
      15. Java cryptography
  10. Related publications
    1. IBM Redbooks
    2. Other publications
    3. Online resources
    4. How to get IBM Redbooks
    5. Help from IBM
  11. Index (1/2)
  12. Index (2/2)
  13. Back cover

Product information

  • Title: IBM eServer zSeries 990 (z990) Cryptography Implementation
  • Author(s): Chris Rayns, Marilyn Frazier Allmond, Laurent Boudon, Pekka Hanninen, Patrick Kappeler, Robert Malaval, Vicente Ranieri Jr., Paul Sheils
  • Release date: August 2004
  • Publisher(s): IBM Redbooks
  • ISBN: None