IBM Z10 EC Server User Manual


 
TKE 5.3 workstation and continued support for Smart Card Reader
The Trusted Key Entry (TKE) workstation and the TKE 5.3
level of Licensed Internal Code are optional features on the
System z10 EC. The TKE 5.3 Licensed Internal Code (LIC) is
loaded on the TKE workstation prior to shipment. The TKE
workstation offers security-rich local and remote key
management, providing authorized persons a method of
operational and master key entry, identification, exchange,
separation, and update. The TKE workstation supports
connectivity to an Ethernet Local Area Network (LAN)
operating at 10 or 100 Mbps. Up to ten TKE workstations can
be ordered.
Enhancement with TKE 5.3 LIC
The TKE 5.3 level of LIC includes support for the AES
encryption algorithm, adds 256-bit master keys, and
includes the master key management functions required to
load or generate AES master keys to cryptographic
coprocessors in the host.
Also included is an imbedded screen capture utility to
permit users to create and to transfer TKE master key entry
instructions to diskette or DVD. Under ‘Service Management’
a “Manage Print Screen Files” utility will be available
to all users.
The TKE workstation and TKE 5.3 LIC are available on the
z10 EC, z10 BC, z9 EC, and z9 BC.
Smart Card Reader
Support for an optional Smart Card Reader attached to
the TKE 5.3 workstation allows for the use of smart cards
that contain an embedded microprocessor and associated
memory for data storage. Access to and the use of
confidential data on the smart cards is protected by a
user-defined Personal Identification Number (PIN).
TKE 5.3 LIC has added the capability to store key parts
on DVD-RAMs and continues to support the ability to store
key parts on paper, or optionally on a smart card. TKE 5.3
LIC has limited the use of floppy diskettes to read-only.
The TKE 5.3 LIC can remotely control host cryptographic
coprocessors using a password-protected authority signature
key pair either in a binary file or on a smart card.
The Smart Card Reader, attached to a TKE workstation
with the 5.3 level of LIC, will support System z10 BC, z10
EC, z9 EC, and z9 BC. However, TKE workstations with 5.0,
5.1 and 5.2 LIC must be upgraded to TKE 5.3 LIC.
TKE additional smart cards
You have the capability to order Java-based blank smart
cards which offer a highly efficient cryptographic and
data management application built into read-only memory
for storage of keys, certificates, passwords, applications,
and data. The TKE blank smart cards are compliant with
FIPS 140-2 Level 2. When you place an order for a quantity
of one, you are shipped 10 smart cards.
System z10 EC cryptographic migration:
- Clients using a User Defined Extension (UDX) of the
  Common Cryptographic Architecture should contact their
  UDX provider for an application upgrade before ordering
  a new System z10 EC machine; or before planning to
  migrate or activate a UDX application to firmware driver
  level 73 and higher.
- The Crypto Express2 feature is supported on the System
  z9 and can be carried forward on an upgrade to the
  System z10 EC
- You may continue to use TKE workstations with 5.3
  licensed internal code to control the System z10 EC
- TKE 5.0 and 5.1 workstations may be used to control z9
  EC, z9 BC, z890, and z990 servers