IBM 2 Computer Hardware User Manual


 
CCA Release 2.54
The Coprocessor supports multiple logons by different users from different host
processes. The Coprocessor also supports requests from multiple threads within a
single host process.
A user is logged on and off by the Logon_Control verb. During logon, the
Logon_Control verb establishes a logon session key. This key is held in
user-process memory space and in the cryptographic engine. All verbs append
and verify a MAC based on this key on verb control information exchanged with the
cryptographic engine. Logoff causes the cryptographic engine to destroy its copy of
the session key and to mark the user profile as not active.
“CCA Access-Control” on page 2-2 provides a further explanation of the
access-control system, and 2-52 provides details about the logon verb.
How Application Programs Obtain Service
Application programs and utility programs (requestors) obtain services from the
security product by issuing service requests (verb calls) to the runtime subsystem
of software and hardware. These requests are in the form of procedure calls that
must be programmed according to the rules of the language in which the
application is coded. The services that are available are collectively described as
the security API. All of the software and hardware accessed through the security
API should be considered an integrated subsystem.
When the cryptographic-services access layer receives requests concurrently from
multiple application programs, it serializes the requests and returns a response for
each request. There are other multiprocessing implications arising from the
existence of a common master-key and a common key-storage facility -- these
topics are covered later in this book.
The way in which application programs and utilities are linked to the API services
depends on the computing environment. In the AIX, and Windows 2000 and
Windows/NT environments, the operating systems dynamically link application
security API requests to the subsystem DLL code (AIX: shared library; OS/400:
service program). Your choice of import library controls the use of 16-bit or 32-bit
entry-point services. In the OS/400 environment, the CCA API is implemented in a
set of 64-bit entry-point service programs, one for each security API verb. Details
for linking to the API are covered in the guide book for the individual software
products. For the AIX, and Windows NT/2000, see the IBM 4758 CCA Support
Program Installation Manual. Details for linking to the API on the OS/400 platform
can be found by following the OS/400 link from the CCA support page of the
product Web site, http://www.ibm.com/security/cryptocards.
Together, the security API DLL and the environment-dependent request routing
mechanism act as an agent on behalf of the application and present a request to
the server. Requests can be issued by one or more programs. Each request is
processed by the server as a self-contained unit of work. The programming
interface can be called concurrently by applications running as different processes.
The API can be used by multiple threads in a process. The API is thread safe.
In each server environment, a device driver provided by IBM supplies low-level
control of the hardware and passes the request to the hardware device. Requests
can require one or more I/O commands from the security server to the device driver
and hardware.
1-6 IBM 4758 CCA Basic Services, Release 2.54, February 2005