34
and microcode design will support almost all of the past
Cryptographic functions that were provided on the zSeries
800 and 900 via the CMOS Cryptographic Coprocessor
(CCF) and the PCI Cryptographic Coprocessor (PCICC).
At the system software level the SSL-related operations will
be directed to the PCICA adapter and the Secure Crypto
operations to the PCIXCC adapter.
The zSeries cryptography is further advanced with the
introduction of the Cryptographic Assist Architecture
implemented on every z890 and z990 processor (CPU).
With enhanced scalability and data rates the z890 and
z990 processor is designed to provide a set of symmetric
cryptographic functions, synchronously executed, which
enormously enhance the performance of the en/decrypt
function of SSL, VPN (Virtual-Private-Network) and data
storing applications which do not require FIPS 140-2 level
4 security. The on-processor crypto functions run at z890
or z990 processor speed, an order of magnitude faster
than the CMOS Crypto Coprocessor in the zSeries 800 or
900. As these crypto functions are implemented in each
and every CPU the affi nity problem of pre-z990/z890 sys-
tems (which had only two CMOS Crypto Coprocessors) is
virtually eliminated. The Crypto Assist Architecture includes
DES and T-DES data en/decryption, MAC message authen-
tication and SHA-1 secure hashing; all of these functions
are directly available to application programs (zSeries
Architecture instructions) and so will help reduce program-
ming overhead. To confi rm with US Export and Import
Regulations of other countries, an SE panel is provided for
proper enable/disable of ‘strong’ cryptographic functions.
The Trusted Key Entry (TKE) 4.1 code level workstation
is an optional feature that can provide a basic key man-
agement system and Operational Key Entry support. The
key management system allows an authorized person
a method for key identifi cation, exchange, separation,
update, backup, and management. The TKE workstation
and 4.0 code level are designed to provide a security-rich,
remote, and fl exible method of providing Master Key Entry
and to remotely manage PCIX Cryptographic Coprocessors.
zSeries Security Certifi cation
Cryptography
• z890/z990 PCIXCC:
– Designed for FIPS 140-2 level 4 certifi cation
• Logical Partitions
– z900 and z800 servers are the fi rst and only to
receive Common Criteria certifi cation at EAL5
• Operating Systems Common Criteria Certifi cation
– SUSE LINUX on zSeries
– SUSE SLES 8 has been certifi ed at Controlled
Access Protection Profi le (CAPP) EAL3+
• z/OS 1.6
– z/OS 1.6 is under evaluation for Controlled Access
Protection Profi le (CAPP) EAL3+ and Labeled
Security Protection Profi le (LSPP) EAL3+
• z/VM
– IBM has applied for Common Criteria Controlled
(ISO/IEC 15408) certifi cation of z/VM V5.1 with the
RACF
®
for z/VM optional feature against the Con-
trolled Access Protection Profi le (CAPP) and the
Labeled Security Protection Profi le (LSPP), both at
the EAL3+ assurance level