IBM z/OS Server User Manual


 
In the on demand era, security will be a strong requirement.
The zSeries products will continue to address security with
announcements and deliveries of products and features.
The main focus in cryptography will continue to be very
high and scalable performance for SSL algorithms, and
secondly, to provide security-rich, symmetric performance
for financial and banking applications using PIN/POS type
encryption. As in the past, zSeries will be designed to
deliver seamless integration of the cryptography facilities
through use of ICSF. Use of ICSF will enable applications
to work without change regardless of how and where
the cryptographic functions are implemented, and will also
enable the cryptography work to be load balanced across
the hardware resources. Finally, we will be focused on
required certifications and open standards.

The existing PCI Cryptographic Accelerator (PCICA) continues
to be available on the z990 for SSL acceleration/clear key
operations. To support the increased number of
LPARs available on z990, the configuration options for the
PCICA (introduced with the z900) will be extended to
allow sharing of a PCICA over the whole range of LPARs,
with a max of 16 LPARs sharing one PCICA adapter.

In addition to the PCICA, the PCIX Cryptographic Coprocessor
(PCIXCC) was introduced as a functional replacement
for the CMOS Cryptographic Coprocessor and the
PCI Cryptographic Coprocessor. The PCIXCC design
introduces a breakthrough concept which supports
high-security applications requiring a FIPS 140-2
level 4 certified crypto module, and also serves as an execution
environment for customer-written programs and a
high-performance path for Public Key / SSL operations. The
PCIXCC design supports almost all of the past cryptographic
functions which were provided on the zSeries 900
via the CMOS Cryptographic Coprocessor (CCF) and the
PCI Cryptographic Coprocessor (PCICC). At the system
software level, the SSL-related operations will be directed
to the PCICA adapter and the Secure Crypto operations to
the PCIXCC adapter.

The zSeries cryptography is further advanced with the
introduction of the CP Assist for Cryptographic Function
(CPACF), which is designed to deliver cryptographic support
on every Central Processor (CP). With enhanced
scalability and data rates, the z990 processor is designed
to provide a set of symmetric cryptographic functions,
synchronously executed, which enormously enhance the
performance of the en/decrypt function of SSL, VPN and
data storing applications which do not require FIPS 140-2
level 4 security. The on-processor crypto functions run
at z990 processor speed, an order of magnitude faster
than the CMOS Crypto Coprocessor in the zSeries 900.
As these crypto functions are implemented in each and
every CP, the affinity problem of pre-z990 systems (which
had only two CMOS Crypto Coprocessors) is virtually
eliminated. The Crypto Assist Architecture includes DES
and T-DES data en/decryption, MAC message authentication
and SHA-1 secure hashing; all of these functions are
directly available to application programs (zSeries Architecture
instructions) and so will help reduce programming
overhead. To conform with US Export and Import Regulations
of other countries, an SE panel is provided for proper
enable/disable of 'strong' cryptographic functions.

The Trusted Key Entry (TKE) 4.1 code level workstation
is an optional feature that can provide a basic key management
system and Operational Key Entry support. The
key management system allows an authorized person
Cryptography