Cryptocards
  Frequently asked questions: z990 Server

On this FAQ page you may find answers to some of the questions you have concerning the Cryptographic Support for z990 servers.

Q & A for Cryptographic Support for z990 servers - June 16, 2003

  1. What cryptographic hardware is supported on the z990 servers?
  2. What cryptographic hardware is not supported on the z990 servers?
  3. Will the cryptographic hardware be offered as standard features on z990 servers?
  4. What are the software requirements for Cryptographic function and hardware?
  5. Will the PCI Cryptographic Accelerator, feature code 0862, support Linux Secure Sockets Layer (SSL) and Transport Layer Security (TLS) cryptographic operations on z990 servers?
  6. What are the functional differences between the PCI Cryptographic Accelerator (PCICA) and CP Assist for Cryptographic Function (CPACF) features?
  7. What Integrated Cryptographic Service Facility (ICSF) services are available with CP Assist for Cryptographic Function (CPACF)?
  8. What other means are available for customers to utilize CP Assist for Cryptographic Function (CPACF)?
  9. What Integrated Cryptographic Service Facility (ICSF) services are available with PCI Cryptographic Accelerator (PCICA)?
  10. Are Batch programs supported?
  11. What are the prerequisites for the installation of Cryptographic features on z990 servers?
  12. What cryptographic functions are enabled when the z990 server is shipped?
  13. How many LPARs are supported by one PCI Cryptographic Accelerator Feature?
  14. What is the maximum number of PCI Cryptographic Accelerator features allowed on the z990 server?
  15. Is a Trusted Key Entry (TKE) workstation required for the use of the CPACF or PCICA?
  16. Will there be an update to the ATS TechDocs Web site to provide additional technical information about zServer cryptographic hardware features?

Q & A for Cryptographic Support for z990 servers - September 2003

  1. What are the recent changes to Cryptographic hardware feature availability on the z990 server?
  2. What cryptographic hardware features are supported on the z990 server?
  3. What cryptographic functions are supported by the cryptographic hardware?
  4. What are the z/OS and OS/390 software requirements for cryptographic function and hardware on the z990 server?
  5. What are the functions and attributes of the CP Assist For Cryptographic Function (CPACF), PCIX Cryptographic Coprocessor (PCIXCC) and PCI Cryptographic Accelerator Features?
  6. What Integrated Cryptographic Service Facility (ICSF) services are available with the PCIXCC feature?
  7. What cryptographic functions will no longer be supported by ICSF?
  8. What releases of operating systems are required to support the three Cryptographic hardware features on z990 servers?
  9. Will UDX's written for zSeries Servers function on z990 servers?
  10. Will new UDX's be supported on z990 servers?
  11. Will the use of cryptographic functions on the PCIX Cryptographic Coprocessor (FC 0868) feature require enablement?
  12. Does the PCIX Cryptographic Coprocessor (FC 0868) feature require a FCV diskette?
  13. How can a customer help ensure that both the clear key and secure key cryptography functions are configured for high availability on the z990?
  14. Does the use of RSA Retained private keys limit availability?
  15. Will there be an update to the Trusted Key Entry (TKE) workstation?
  16. Will customers with TKE 3.x workstations be able to cryptographically control the z990 server?
  17. What are the migration requirements for customers with TKE 3.x workstations?
  18. What is the maximum number of PCIX Cryptographic Coprocessor and PCI Cryptographic Accelerator features allowed on the z990 server?
  19. Can I upgrade my present z990 with the PCIXCC feature without an outage?

     

Q & A for Cryptographic Support for z990 servers - June 16, 2003

  1. What cryptographic hardware is supported on the z990 servers?

    The cryptographic hardware that will be supported on z990 servers is CP Assist for Cryptographic Function (CPACF) on each and every PU, the PCIX Cryptographic Coprocessor (PCIXCC) and PCI Cryptographic Accelerators (PCICAs).

  2. What cryptographic hardware is not supported on the z990 servers?

    Cryptographic Coprocessor Facility (CCF) and PCI Cryptographic Coprocessors (PCICC) are not supported on z990 servers.

  3. Will the cryptographic hardware be offered as standard features on z990 servers?

    The CP Assist for Cryptographic Function (CPACF) is standard on every PU; however, FC 3863 must be ordered for enablement. The PCI Cryptographic Accelerator (PCICA) and PCIX Cryptographic Coprocessor (PCIXCC) are optional features. Additional information on PCIXCC is below in the September 2003 part of this section.

  4. What are the software requirements for Cryptographic function and hardware?

    z990 Cryptographic CP Assist Support for z/OS V1.3:
    This Web deliverable will include Integrated Cryptographic Service Facility (ICSF) support for the CP Assist for Cryptographic Function and the PCI Cryptographic Accelerator (FC 0862) feature.

    z/OS V1.4 z990 Compatibility Support:
    This orderable, unpriced, and optional feature will include Integrated Cryptographic Service Facility (ICSF) support and System Secure Sockets Layer (SSL) support on z/OS V1.4 for the CP Assist for Cryptographic Function and the PCI Cryptographic Accelerator (FC 0862) feature.

  5. Will the PCI Cryptographic Accelerator, feature code 0862, support Linux Secure Sockets Layer (SSL) and Transport Layer Security (TLS) cryptographic operations on z990 servers?

    Yes, it supports Public Key operations with Red Hat 7.2 via IBM developerWorks® and SuSE Linux 2.4.7 SLES 7 and 2.4.19 SLES 8 distributions.

  6. What are the functional differences between the PCI Cryptographic Accelerator (PCICA) and CP Assist for Cryptographic Function (CPACF) features?

    The PCI Cryptographic Accelerator (PCICA) is a very fast cryptographic accelerator designed to accelerate the performance of the complex RSA cryptographic operations used with the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols supporting e-business.

    CP Assist for Cryptographic Function (CPACF) will provide support for a set of symmetric cryptographic functions such as DES, TDES and SHA1, with a 'key in the clear' interface. These cryptographic functions are aimed at encryption, decryption and hashing of data transferred over open networks and data sent to storage.

  7. What Integrated Cryptographic Service Facility (ICSF) services are available with CP Assist for Cryptographic Function (CPACF)?

    • The Symmetric Key Encipher (CSNBSYE) and Symmetric Key Decipher (CSNBSYD) services will add support for DES and TDES algorithms with keys in the clear. Also, ALET versions of these services (CSNBSYE1 and CSNBSYD1) will be provided.
    • One Way Hash (CSNBOWH) service. This service will use the crypto assist SHA-1 instruction.
    • The Modification Detection Code (CSNBMDG and CSNBMDG1) service. This service will use DES.
    • The Encode (CSNBECO) and Decode (CSNBDCO) services. These services will also use DES.
    • When CPACF is enabled for DES and Triple DES, the AES algorithm is also supported in software.
    Note: Some services that do not require cryptographic hardware are: Code Conversion EBCDIC to ASCII and reverse (CSNBXEA and CSNBXAE); Character/Nibble Conversion and reverse (CSNBXBC and CSNBXCB); X9.9 Data Editing (CSNB9ED); Control Vector Generate (CSNBCVG); and PKA Key Token Build (CSNDPKB).

  8. What other means are available for customers to utilize CP Assist for Cryptographic Function (CPACF)?

    For IBM and customer written programs, the CPACF DES, TDES and SHA1 functions can be invoked by five (5) new instructions as described in the z/Architecture Principles of Operation, SA22-7832-02. As a group, these instructions are known as the Message Security Assist (MSA). These are all problem state instructions and are all in RRE format.

  9. What Integrated Cryptographic Service Facility (ICSF) services are available with PCI Cryptographic Accelerator (PCICA)?

    Public Key Encrypt (CSNDPKE) and Public Key Decrypt (CSNDPKD) are Integrated Cryptographic Service Facility (ICSF) services for the PCICA feature.

  10. Are Batch programs supported?

    Yes.

  11. What are the prerequisites for the installation of Cryptographic features on z990 servers?

    DES and TDES functions require enablement of the CP Assist for Cryptographic Function, feature code 3863. This is also a prerequisite for the PCI Cryptographic Accelerator (PCICA) feature.

  12. What cryptographic functions are enabled when the z990 server is shipped?

    The z990 is shipped with the SHA-1 hash function resident in each CP hardware and always enabled.

  13. How many LPARs are supported by one PCI Cryptographic Accelerator Feature?

    The installation of one (1) PCI Cryptographic Accelerator feature on the z900 server can support thirty (30) logical partitions (LPARs).

  14. What is the maximum number of PCI Cryptographic Accelerator features allowed on the z990 server?

    The maximum number of PCICA (FC 0862) features supported on z990 servers is six (6) per system.

  15. Is a Trusted Key Entry (TKE) workstation required for the use of the CPACF or PCICA?

    No, the CP Assist for Cryptographic Function (CPACF) supports clear key functions and the PCI Cryptographic Accelerator (PCICA) does not require entering of master keys. Thus, there is no need for an update to the TKE 3.1 or 3.1 workstations.

  16. Will there be an update to the ATS TechDocs Web site to provide additional technical information about zServer cryptographic hardware features?

    Yes, the ATS TechDocs Web site and several zServer cryptographic technical papers will be updated by October 31, 2003. The ATS TechDocs Web site URL is ibm.com/support/techdocs/atsmastr.nsf.

Q & A for Cryptographic Support for z990 servers - September 2003

  1. What are the recent changes to Cryptographic hardware feature availability on the z990 server?

    The PCIX Cryptographic Coprocessor (PCIXCC) feature became available on September 19, 2003 to support MES upgrades from z900 to z990, new orders for z990 servers, and MES upgrades for existing z990 servers.

    The Trusted Key Entry (TKE) workstation 4.0 code level, feature code 0851, became available on September 30, 2003.

  2. What cryptographic hardware features are supported on the z990 server?

    CP Assist for Cryptographic Function (CPACF), PCI Cryptographic Accelerator (PCICA) and PCIX Cryptographic Coprocessor (PCIXCC).

  3. What cryptographic functions are supported by the cryptographic hardware?

    All critical Cryptographic Coprocessor Facility (CCF) and all PCI Cryptographic Coprocessor (PCICC) functions will be provided on the PCIX Cryptographic Coprocessor (PCIXCC).

    The PCI Cryptographic Accelerator (PCICA) is a very fast cryptographic accelerator designed to accelerate the performance of the complex RSA cryptographic operations used with the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols supporting e-business.

    CP Assist for Cryptographic Functions (CPACF) will provide support for a set of symmetric cryptographic functions such as DES, Triple DES and SHA1, with a 'key in the clear' interface. These cryptographic functions are aimed at encryption, decryption and hashing of data transferred over open networks.

    PCIX Cryptographic Coprocessor (PCIXCC), feature code 0868, works with the Integrated Cryptographic Service Facility (ICSF) and the IBM Resource Access Control Facility (RACF) [or equivalent software products] in a z/OS or OS/390 operating environment to help provide data privacy, data integrity, cryptographic key installation and generation, electronic cryptographic key distribution, and personal identification number (PIN) processing as well as programmable functions via User-Defined Extensions (UDX). The PCIXCC is a replacement for the PCI Cryptographic Coprocessor (PCICC) and the CMOS Cryptographic Coprocessor Facility (CCF) that were offered on z900. All of the equivalent PCICC functions that are implemented offer higher performance. In addition, the functions on the CMOS Cryptographic Coprocessor Facility as used by known applications have also been implemented in the PCIXCC feature.

  4. What are the z/OS and OS/390 software requirements for cryptographic function and hardware on the z990 server?

    z990 Cryptographic Support:

    The Web deliverable will include Integrated Cryptographic Service Facility (ICSF) support for the CP Assist for Cryptographic Function, PCI Cryptographic Accelerator (FC 0862), and the new PCIX Cryptographic Coprocessor (FC 0868) feature. This will be an unpriced and optional Web deliverable. z990 Cryptographic Support is planned to be available as follows:
    • September 19, 2003 - z/OS V1.4
    • September 19, 2003 - z/OS V1.2
    • October 17, 2003 - z/OS V1.3
    • November 21, 2003 - OS/390 V2.10

  5. What are the functions and attributes of the CP Assist For Cryptographic Function (CPACF), PCIX Cryptographic Coprocessor (PCIXCC) and PCI Cryptographic Accelerator Features?

    The following table summarizes the functions and attributes of the three cryptographic hardware features:

    | Functions or attributes | CPACF | PCIXCC | PCICA |
    |---|---|---|---|
    | Supports z/OS applications using ICSF | x | x | x |
    | Supports OS/390 applications using ICSF | x | x | x |
    | Provides highest SSL handshake performance | | | x |
    | Provides highest symmetric encryption performance | x | | |
    | Provides highest asymmetric (clear key) encryption performance | | | x |
    | Provides highest asymmetric (encrypted key) encryption performance | | x | |
    | Uses CHPID numbers | n/a | n/a | n/a |
    | Physically imbedded on each Central Processor (CP) | x | | |
    | Requires CP Assist for Cryptographic Function enablement | x | x | x* |
    | Requires ICSF to be active, for z/OS users | | x | x |
    | Requires system master keys to be loaded | | x | |
    | Offers user programming function support (UDX) | | x | |
    | Usable for data privacy - encryption & decryption processing | x | x | |
    | Usable for data integrity - hashing & message authentication | x | x | |
    | Usable for financial processes & key management operations | | x | |
    | Crypto performance RMF™ monitoring | | x | x |
    | System (master) key storage | | x | |
    | Retained key storage | | x | |
    | Designed for Tamper-resistant hardware packaging | | x | |
    | Designed for FIPS 140-2 level 4 certification | | x | |
    | Supports SSL functions | x | x | x |
    | Supports Linux applications performing SSL handshakes | | | x |
    | RSA functions | | x | x |
    | High Performance SHA-1 Hash function | x | | |
    | Clear key DES/T-DES | x | | |
    | Clear key RSA | | x | x |

    * Not required for Linux

  6. What Integrated Cryptographic Service Facility (ICSF) services are available with the PCIXCC feature?

    All critical Integrated Cryptographic Service Facility (ICSF) services that currently execute on z900 Cryptographic Coprocessor Facility (CCF) and PCI Cryptographic Coprocessor (PCICC) features are planned to be supported by the PCIX Cryptographic Coprocessor (PCIXCC).

  7. What cryptographic functions will no longer be supported by ICSF?

    The following functions will no longer be supported by Integrated Cryptographic Service Facility (ICSF) in conjunction with the PCIX Cryptographic Coprocessor (PCIXCC):
    • Digital Signature Algorithm (DSA) signature and key generation.
    • American National Standards Institute (ANSI) X9.17 services (offset and notarization), and associated key types.
    • Ciphertext_translate (CSNBCTT).
    • German Bank Pool-Pin offset.
    • User Derived Keys (CSFUDK). This is being replaced by CSNBDKG.
    • Commercial Data Masking Facility algorithm (CDMF), commonly known as 40 bit DES.


  8. What releases of operating systems are required to support the three Cryptographic hardware features on z990 servers?

    The software support requirements for PCIX Cryptographic Coprocessor (PCIXCC), CP Assist for Cryptographic Function (CPACF) and the PCI Cryptographic Accelerator (PCICA) features are as follows:

    PCICA: z/OS Version 1.3 and later
    • z/OS V1.2 September 19, 2003
    • OS/390 V2.10 November 21, 2003
    • z/VM V4.2 and later (for Linux Guests only)
    • SuSE Linux 2.4.7 SLES 7 and later distributions for zSeries
    • VSE/ESA V2.7 and IBM TCP/IP for VSE/ESA V1.5

    CPACF: z/OS Version 1.3 and later
    • z/OS V1.2 September 19, 2003
    • OS/390 V2.10 November 21, 2003
    • z/VM V3.1, V4.2 and later (for guests only)

    PCIXCC: z/OS V1.4 and later
    • z/OS V1.2 September 19, 2003
    • z/OS V1.3 October 17, 2003
    • OS/390 V2.10 November 21, 2003
    • IBM Statement of Direction (SOD) for z/VM guests in the future


  9. Will UDX's written for zSeries Servers function on z990 servers?

    UDX's that are supported on current systems will not function on z990 servers without modification. Customers need to contact IBM to port existing UDX's to the new PCIX Cryptographic Coprocessor environment on z990 servers. For further information, see the answer to the next question.

  10. Will new UDX's be supported on z990 servers?

    Yes; however, the UDX Toolkit will not be available for z990 servers, so customers will need a UDX Service contract with IBM Global Services for UDX Development and support. Requests for the service contract began July 31, 2003 via the following IBM 'Cryptocards' Web site URL: ibm.com/security/cryptocards/ by selecting the 'custom Programming' option. The Web site will direct the customer to an IBM Global Services (IGS) location, based on the customer's geographic location.

  11. Will the use of cryptographic functions on the PCIX Cryptographic Coprocessor (FC 0868) feature require enablement?

    No; however, CP Assist for Cryptographic Function, feature code 3863, is a prerequisite.

  12. Does the PCIX Cryptographic Coprocessor (FC 0868) feature require a FCV diskette?

    No.

  13. How can a customer help ensure that both the clear key and secure key cryptography functions are configured for high availability on the z990?

    For availability, more than one feature of any given type, PCICA or PCIXCC, should be installed to avoid a single point of failure. Further, assignment of multiple PCI coprocessors to one logical partition should be spread across multiple PCI features.

  14. Does the use of RSA Retained private keys limit availability?

    Yes. The use of retained private keys creates an application single point of failure. Since RSA Retained private keys cannot be copied, backed up or scaled from a performance perspective, these keys should only be used if mandated by the customers' security policy. For those customers that require a private key that is intended to be shared across logical partitions, they should use RSA keys encrypted under a host master key instead of a retained key. The use of the RSA keys encrypted under a host master key will prevent the loss of the key associated with the RSA Retained private key specific to the PCIXCC coprocessor.

  15. Will there be an update to the Trusted Key Entry (TKE) workstation?

    Yes, with the introduction of the PCIX Cryptographic Coprocessor (PCIXCC) feature, there will be a new release of the TKE workstation code, version 4.0, feature code 0851. FC 0851 became available beginning September 30, 2003.

  16. Will customers with TKE 3.x workstations be able to cryptographically control the z990 server?

    Customers with TKE 3.X installed workstations may carry forward TKEs with LAN connectivity feature codes 0866, 0869, 0876, 0879, 0886 and 0889 to control legacy systems only. For customers with 9672 G5 or G6 S/390 servers or z800 or z900 zSeries servers, an update from TKE 3.0 or 3.1 level to TKE 4.0 level code is required to control these servers and the z990 server.

  17. What are the migration requirements for customers with TKE 3.x workstations?

    To use the TKE function, the PCIX Cryptographic Coprocessor (PCIXCC) feature and the TKE 4.0 code (FC 0851) must be installed, and the CP Assist for Cryptographic Function (CPACF) must be enabled.

  18. What is the maximum number of PCIX Cryptographic Coprocessor and PCI Cryptographic Accelerator features allowed on the z990 server?

    The maximum number of PCIXCC (FC 0868) and PCICA (FC 0862) features supported on z990 are four (4) and six (6) respectively. However, the total number of PCICAs and PCIXCCs cannot exceed eight (8) features per system.

  19. Can I upgrade my present z990 with the PCIXCC feature without an outage?

    The design of the PCIXCC cards allows for nondisruptive upgrades. Unfortunately, there are some environments where a disruptive upgrade will occur:
    • A z990 with insufficient I/O slots
    • A z990 with the designated PCIXCC slots filled
    If the designated slots are available, the PCIXCC cards can be installed without a disruption.

    Additionally, if the configuration output when ordering a Cryptographic upgrade (PCIXCC) includes an additional I/O cage, this upgrade, although disruptive, will not require customer modifications to their IOCDS (channel definition). The customer must always check the FINAL CCN number shipped with the machine to ensure they develop their IOCDS consistent with the shipped hardware definition.
