IBM®
Skip to main content
    Country/region [select]      Terms of use
 
 
   
     Home      Products      Services & industry solutions      Support & downloads      My IBM     
   
Security Solutions
Services
Products
Evaluated products
Case studies
News
Research
Contacts

Security  > Products

Security
  Products
PCI Cryptographic Accelerator (PCICA)
New in 2001, the PCICA is a new cryptographic coprocessor available only on zSeries servers and requiring z/OS V1R2. This new addition to the mainframe cryptographic hardware is only available on IBM zSeries processors. The feature code for the PCICA is 0862. There can be no more than 6 crypto features per server. PCICA is another adjunct crypto coprocessor designed specifically for exploitation by SSL. This crypto coprocessor was designed to extend the scalability of SSL transactions. Note that the total number of adjunct coprocessors possible on a server cannot exceed 8 of any combination of PCICC and PCICA features.

Each zSeries PCI Cryptographic Accelerator Feature contains two crypto cards and can support up to 2100 SSL handshakes/sec. However, the maximum number of SSL handshakes/sec that can be supported on a z900 server by any combination of CMOS crypto, PCICC crypto, and PCICA crypto is limited by the amount of CPU cycles available to perform the software portion of the SSL handshake. Current performance measurements with z/OS Version 1 Release 4 suggests that on a Model 216 z900, the maximum rate attainable is over 7000 SSL handshakes per second.

This card should be used where maintaining high numbers of SSL handshakes per second is required for service agreements associated with web applications. Having one or more of the PCICA features in addition to the CCF(s) and perhaps the PCICC(s) will ensure throughput for those SSL-based functions can be maintained while other non-SSL crypto workloads is also processed. Applications that call ICSF directly for "clear key" RSA operations, will also transparently use the zSeries PCI Cryptographic Accelerator Feature. The PCICA feature supports all public key sizes up to 2048 bits.

The cryptographic hardware is designed to perform a very limited set of functions to support SSL cryptographic functions. No data privacy, financial, or key management operations are included in the PCICA design. Therefore, no tamper requirements or battery backup exist for the PCICA cards.

The PCICA is not physically attached to a CP, central processor. This feature is a Self Timed Interface card. It has an I/O Bus and requires CHPID association but does not require IOCP definition.

The PCICA feature is only applicable to z900 servers.


Reference Table for Features Differences, Capabilities and Requirements

Functions or Attributes
CCF
PCICC
PCICA
Operating Environments
Available for use in Linux (requires
special device driver and code)
-
x
x
Available for use with OS/390
x
x
Available for use with z/OS
x
x
x
Available on CMOS G5, G6 and zSeries servers
x
x
Available on zSeries servers only
-
-
x
Available on all Multiprise 3000, G4, G5, G6,
and zSeries servers
x
-
-
 
Installation
CCF
PCICC
PCICA
Disruptive process to enable
x
-
-
Uses a CHPID
-
x
x
Requires IOCDS definition
-
-
-
Possible impact to IOCDS due to CHPID order requirements
-
x
-
Physically attached to CP
x
-
-
Requires microcode load before usage
x
x
-
Requires CCF active
-
x
-
Requires system master keys loaded
x
x
-
Requires ICSF to be active
x
x
x
Requires specific Driver level or MCL
-
x
x
 
Functionality
CCF
PCICC
PCICA
Offers user programming function support
-
x
-
New algorithm expansion
-
x
-
New API function expansion
-
x
-
Usable only for SSL crypto function (decryption of pre-master secret from under server’s public key)
-
-
x
Usable for data privacy - encryption and decryption processing
x
-
-
Usable for financial processes and key management operations
x
x
-
Tamper-resistant hardware packaging
x
x
-
FIPS 140-1 certified
x
x
-
System (master) Key storage
x
x
-
Retained Key storage
-
x
-

    About IBM Privacy Contact