Support for managing 2048-bit RSA keys on the PCICC features of the z800 and z900 is transparent to the hardware and is supported by z/OS, z/OS.e, z/VM, and Linux on zSeries. z/VM and Linux on zSeries support clear key operations only. Refer to the Software requirements section for further information. On the z890 and z990 this is an integrated capability of the Crypto Express2 and PCIXCC features; it is not ordered as a separate feature.
TKE 4.2 and Smart Card Reader Support
The Trusted Key Entry (TKE) capability is an optional feature of zSeries that provides a basic security key management system: it gives authorized persons a method of security key identification, exchange, separation, update, and management. TKE 4.2 with the optional Smart Card Reader attached to the TKE workstation allows access to and use of confidential data on the smart card, protected by a user-defined personal identification number (PIN), providing secure storage, access, transport, and entry of master and operational key parts into the TKE workstation.
TKE 4.2 with the Smart Card Reader and smart card has four major functions:
• Storing ICSF key parts, specifically master and operational key parts
• Storing 4758 PCI Cryptographic Coprocessor master key parts
• Generating, storing, and using a TKE authority signature key pair
• Generating, storing, and using a 4758 logon key pair
For example, the smart card can store one or more 4758 PCI Cryptographic Coprocessor master key parts. The parts are stored in the clear on the smart card, so a part at rest is protected by the card's PIN and by the split-knowledge design: a single key part on its own does not reveal the master key, which is reconstructed only when all of its parts are combined in the coprocessor. The master key parts are generated by the 4758 PCI Cryptographic Coprocessor card within the TKE workstation, transferred to the smart card for storage, and later read back to the 4758 card for processing. During transport between the smart card and the 4758 card the key parts are encrypted, for added security.
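The split-knowledge flow described above, as an added example that is not code from the TKE or ICSF product: each custodian's smart card holds one uniformly random key part, and the coprocessor's new-master-key register accumulates the parts by XOR, which is the CCA/ICSF convention for master key parts. Everything else is an assumption for the example: a 24-byte (triple-length DES) key size, a truncated-SHA-256 "verification pattern" standing in for the product's own check-value algorithm, first/next/commit loading steps modelled on the first/middle/last part sequence, and no modelling of the encrypted card-to-coprocessor transport.

```python
"""Split-knowledge master key entry from key parts (illustrative model)."""
import hashlib
import secrets
from typing import Dict, List, Optional

KEY_LEN = 24  # assumed: triple-length DES master key


def generate_key_parts(n_parts: int, key_len: int = KEY_LEN) -> List[bytes]:
    """Return n_parts independent, uniformly random key parts.

    Because every part is drawn independently, any proper subset of the parts
    (e.g. the single part readable in the clear from one smart card) is
    statistically independent of the master key. That property is what makes
    clear-text storage of one part tolerable under dual control.
    """
    if n_parts < 2:
        raise ValueError("split knowledge needs at least two key parts")
    return [secrets.token_bytes(key_len) for _ in range(n_parts)]


def combine_key_parts(parts: List[bytes]) -> bytes:
    """Combine key parts into one key by XOR (CCA/ICSF convention)."""
    if not parts:
        raise ValueError("no key parts")
    if len({len(p) for p in parts}) != 1:
        raise ValueError("key parts must all be the same length")
    key = bytes(len(parts[0]))
    for part in parts:
        key = bytes(a ^ b for a, b in zip(key, part))
    return key


def verification_pattern(key: bytes) -> str:
    """Check value a custodian compares against the coprocessor's display to
    confirm a part or the final key was entered correctly, without the key
    itself being shown. Assumed construction: labelled, truncated SHA-256."""
    return hashlib.sha256(b"MK-VP:" + key).hexdigest()[:16]


class Coprocessor:
    """Minimal model of a coprocessor's new-master-key register.

    Parts are entered one at a time; the register accumulates them by XOR and
    the key is committed to the active master key only on set_master_key().
    """

    def __init__(self) -> None:
        self._new_mk: Optional[bytes] = None
        self.master_key: Optional[bytes] = None

    def load_first_part(self, part: bytes) -> str:
        self._new_mk = bytes(part)
        return verification_pattern(self._new_mk)

    def load_next_part(self, part: bytes) -> str:
        if self._new_mk is None:
            raise RuntimeError("first key part has not been entered")
        if len(part) != len(self._new_mk):
            raise ValueError("key part length mismatch")
        self._new_mk = combine_key_parts([self._new_mk, part])
        return verification_pattern(self._new_mk)

    def set_master_key(self) -> str:
        """Commit the accumulated key and clear the staging register."""
        if self._new_mk is None:
            raise RuntimeError("no new master key has been entered")
        self.master_key = self._new_mk
        self._new_mk = None
        return verification_pattern(self.master_key)


def dual_control_ceremony(n_custodians: int = 3) -> Dict[str, object]:
    """Run a full key-entry ceremony and return what an auditor would check."""
    parts = generate_key_parts(n_custodians)  # one part per custodian's card
    cop = Coprocessor()
    part_vps = [cop.load_first_part(parts[0])]
    for part in parts[1:]:
        part_vps.append(cop.load_next_part(part))
    final_vp = cop.set_master_key()
    return {
        "parts": parts,
        "master_key": cop.master_key,
        "part_vps": part_vps,           # intermediate patterns, one per part
        "final_vp": final_vp,
        # the coprocessor's result must equal the offline XOR of all parts
        "matches_offline_combine": cop.master_key == combine_key_parts(parts),
    }


if __name__ == "__main__":
    result = dual_control_ceremony(3)
    print("final verification pattern:", result["final_vp"])
    print("offline combine matches:", result["matches_offline_combine"])
```

Note that every intermediate verification pattern depends on all parts entered so far, so a custodian who mistypes a part is caught at that step rather than after the key is committed; and combining any n-1 of the parts yields a key unrelated to the real master key, which is the argument for tolerating a clear-text part on a PIN-protected card.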
The TKE 4.2 Smart Card Reader supports all of the mechanisms available in the current TKE Licensed Internal Code (LIC). That is, with smart card support it is still possible to store key parts on diskettes or paper, to use a TKE authority key stored on a diskette, and to log on to the 4758 using a pass phrase.
The optional features associated with the TKE 4.2 Smart
Card Reader support are:
• TKE 4.2 code
• TKE 4.2 Smart Card Reader
• TKE 4.2 additional Smart Cards
The optional Smart Card Reader, which can be attached to a TKE workstation, is available on the S/390 G6 servers as well as the zSeries z800, z900, z890 and z990.
TKE 4.2 code
The TKE 4.2 code is designed to provide a security-rich local and remote method to enter operational and master keys. It also includes support for the Smart Card Reader and for the cryptographic hardware features available with the S/390 G6 and the zSeries z800, z900, z890 and z990 servers. Currently installed TKE workstations can be upgraded to the TKE 4.2 code.