With increasing focus on regulatory requirements such as PCI-DSS and PCI PIN Requirements, the need for access to cryptographic hardware in both distributed and mainframe environments has also increased. But cryptographic hardware is expensive, and so is the management of it, especially when the crypto hardware is in both distributed and mainframe environments. So how about centralizing the cryptographic capabilities - Or even better, begin the leveraging the full potential of already existing hardware?
ACSP is a remote crypto services solution that enables applications in distributed environments with access to cryptographic hardware over the network. ACSP enables cost effective use of available cryptographic capacity, easy deployment of cryptographic services, and easier key management because the cryptographic key material is centralized and thereby easier to manage.
The IBM DKMS ACSP solution consists of two components, a server component and client component. The client exposes the standard IBM CCA interface or a PKCS#11 interface mapped to CCA. The client provides the business application with a transparent access to the cryptographic services on a centrally managed server equipped with cryptographic hardware.
The ACSP Client exposes the standard IBM CCA interface, a PKCS#11 interface and a JCE provider to the business applications. The IBM CCA interface is available as a Java and C interface.
On arrival of a new request from a business application, the ACSP server schedules and performs the operation in the hardware, subsequently the response is transferred back to the requesting application via ACSP. All operations coming through the server are monitored so statistics can be made and acted upon. The server runs on all platforms supporting IBM cryptographic hardware:
Application development and test
Application developers can write their applications on windows or linux platforms calling the right CCA crypto functions that exist on system z. When the application is tested it can be deployed on z without changing the crypto. This also means that the keys to be used can be generated by the system z key management system like DKMS the right way from start. Further applications can be tested with the right access controls early in the process. Having the right functions and keys available is crucial –whereas performance doesn't really matter in this context.
ACSP supports TCP and WebSphere MQ. The communication between a client and the ACSP server is secured by SSL/TLS both for TCP and WebSphere MQ.
Performance and Load Balancing
ACSP imposes practically no reduction in crypto capacity compared to direct utilization. However the response time is influenced by network latency, so the actual performance depends on the quality of the network available. To reduce the impact of network latency it is possible to aggregate crypto commands that are logically called in sequence to one single command.
To fully leverage the advantage of having a centralized infrastructure for hardware based cryptography, an efficient key management system is needed to maintain and synchronize the key stores on the ACSP servers. The IBM DKMS Key Management system is such a system. For more information about IBM DKMS, please refer to http://www.ibm.com/security/cccc/products/dkms.shtml