New in 2001, the PCICA is a new cryptographic coprocessor available only on zSeries servers and requiring z/OS V1R2. This new addition to the mainframe cryptographic hardware is only available on IBM zSeries processors. The feature code for the PCICA is 0862. There can be no more than 6 crypto features per server. PCICA is another adjunct crypto coprocessor designed specifically for exploitation by SSL. This crypto coprocessor was designed to extend the scalability of SSL transactions. Note that the total number of adjunct coprocessors possible on a server cannot exceed 8 of any combination of PCICC and PCICA features.

Each zSeries PCI Cryptographic Accelerator Feature contains two crypto cards and can support up to 2100 SSL handshakes/sec. However, the maximum number of SSL handshakes/sec that can be supported on a z900 server by any combination of CMOS crypto, PCICC crypto, and PCICA crypto is limited by the amount of CPU cycles available to perform the software portion of the SSL handshake. Current performance measurements with z/OS Version 1 Release 4 suggest that on a Model 216 z900, the maximum rate attainable is over 7000 SSL handshakes per second.

This card should be used where maintaining high numbers of SSL handshakes per second is required for service agreements associated with web applications. Having one or more of the PCICA features in addition to the CCF(s) and perhaps the PCICC(s) will ensure that throughput for those SSL-based functions can be maintained while other non-SSL crypto workloads are also processed. Applications that call ICSF directly for "clear key" RSA operations will also transparently use the zSeries PCI Cryptographic Accelerator Feature. The PCICA feature supports all public key sizes up to 2048 bits.

The cryptographic hardware is designed to perform a very limited set of functions to support SSL cryptographic functions. No data privacy, financial, or key management operations are included in the PCICA design. Therefore, no tamper requirements or battery backup exist for the PCICA cards.

The PCICA is not physically attached to a central processor (CP). This feature is a Self Timed Interface card. It has an I/O Bus and requires CHPID association but does not require IOCP definition.

The PCICA feature is only applicable to z900 servers.

Reference Table for Features Differences, Capabilities and Requirements

| Functions or Attributes | CCF | PCICC | PCICA |
|---|---|---|---|
| Operating Environments | | | |
| Available for use in Linux (requires special device driver and code) | - | x | x |
| Available for use with OS/390 | x | x | |
| Available for use with z/OS | x | x | x |
| Available on CMOS G5, G6 and zSeries servers | x | x | |
| Available on zSeries servers only | - | - | x |
| Available on all Multiprise 3000, G4, G5, G6, and zSeries servers | x | - | - |
| Installation | CCF | PCICC | PCICA |
| Disruptive process to enable | x | - | - |
| Uses a CHPID | - | x | x |
| Requires IOCDS definition | - | - | - |
| Possible impact to IOCDS due to CHPID order requirements | - | x | - |
| Physically attached to CP | x | - | - |
| Requires microcode load before usage | x | x | - |
| Requires CCF active | - | x | - |
| Requires system master keys loaded | x | x | - |
| Requires ICSF to be active | x | x | x |
| Requires specific Driver level or MCL | - | x | x |
| Functionality | CCF | PCICC | PCICA |
| Offers user programming function support | - | x | - |
| New algorithm expansion | - | x | - |
| New API function expansion | - | x | - |
| Usable only for SSL crypto function (decryption of pre-master secret from under server's public key) | - | - | x |
| Usable for data privacy - encryption and decryption processing | x | - | - |
| Usable for financial processes and key management operations | x | x | - |
| Tamper-resistant hardware packaging | x | x | - |
| FIPS 140-1 certified | x | x | - |
| System (master) Key storage | x | x | - |
| Retained Key storage | - | x | - |