IBM System z10 Enterprise Class cryptography for highly secure transactions

Customers must have confidence in the transmission of sensitive financial and personal information to web merchants. Businesses must be certain in the knowledge that payment information collected over web storefronts is indeed valid. Transactions sent across networks must be protected from eavesdropping and alteration. Data files on Internet-connected servers must be protected from malicious hackers. Secure Sockets Layer (SSL) traffic must be encrypted at high speeds.

The best way to secure information is to encrypt it. Encryption is a vital part of today's business processes and information systems. IBM mainframe systems have long been designed with the need for encryption in mind. IBM has offered hardware-based cryptographic processors for its mainframe computers for nearly three decades.

Today's IBM System z10 Enterprise Class (System z10 EC) server offers a number of standard and optional hardware-based encryption features to satisfy nearly all customer application encryption requirements. In addition, System z hardware and software provide higher performance, greater physical security, and the features necessary to easily manage the cryptographic configuration in a manner that is integrated with the other System z management facilities.

The cryptographic hardware features available on System z10 EC consist of the following:

CP Assist for Cryptographic Function (CPACF)

CPACF is implemented on each quad-core processor chip and is designed to provide high-speed cryptography. On the System z10 EC it adds Advanced Encryption Standard (AES) with 192-bit and 256-bit keys and the stronger Secure Hash Algorithms SHA-384 and SHA-512.

CPACF supports clear-key encryption only. Clear keys are not encrypted under the system master key, so the key value is held in the clear in processor or application storage while it is in use; long-lived keys that must never appear in storage are handled as secure keys on the Crypto Express2 coprocessor instead. All CPACF functions can be invoked by problem-state instructions defined as an extension of the z/Architecture, so no supervisor call is needed to use them. Each CPACF is shared between two processor units (PUs), which can be designated as various engine types (CPs, IFLs, zIIPs, zAAPs). The function is activated with a no-charge enablement feature (#3863).

SHA-1, SHA-256, and SHA-512 are shipped enabled and do not require the enablement feature.

CPACF can also be invoked through the Integrated Cryptographic Service Facility (ICSF); see "Cryptographic Support for z/OS V1.7, V1.8, V1.9 and z/OS.e V1.7 and V1.8." ICSF is a component of z/OS and is designed to use the available cryptographic hardware transparently, whether CPACF or Crypto Express2, balancing the workload across them to meet the throughput requirements of your applications.

CPACF is supported by z/OS, z/TPF, z/VM, z/VSE, and Linux on System z.

Configurable Crypto Express2 feature (CEX2)

The Crypto Express2 feature, introduced on System z9, has two PCI-X adapters. Each adapter can be configured independently as either a coprocessor or an accelerator.

When configured as a coprocessor (the default), the Crypto Express2 feature is designed for secure-key encrypted transactions: it supports security-rich cryptographic functions, the use of secure (encrypted) key values, and User Defined Extensions (UDX) to the IBM Common Cryptographic Architecture (CCA). It is also designed to meet Federal Information Processing Standard (FIPS) 140-2 Level 4 certification requirements.

In coprocessor mode the Crypto Express2 feature is the configuration required for secure-key operations: the key value is decrypted from its master-key-wrapped form, used, and discarded entirely inside the coprocessor, so it never appears in the clear in host storage.

The Crypto Express2 accelerator configuration mode is designed to offload the compute-intensive RSA public-key and private-key operations used in the SSL/TLS protocol. When an adapter is configured as an accelerator, only the modular-arithmetic functions remain available, that is, the clear-key RSA operations used in SSL/TLS handshakes. This mode supports RSA keys of up to 2048 bits in Chinese Remainder Theorem (CRT) format.

The maximum number of SSL transactions per second that a System z10 EC can sustain with any combination of CPACF and Crypto Express2 accelerators is limited by the processor cycles available for the software portion of each SSL/TLS transaction, not by the cryptographic hardware alone. With both PCI-X adapters configured as accelerators, a Crypto Express2 feature is designed to perform up to 6000 SSL handshakes per second.
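As an added example, not IBM code and independent of the ICSF or CCA APIs, the following Python shows what the accelerator computes for a CRT-format RSA private key: two half-size exponentiations modulo p and q and their recombination, checked against straight exponentiation with d. The primes are Mersenne primes chosen so the block is self-contained; they are a constructed input and not suitable for real keys. The last function also re-encrypts the result with the public exponent before releasing it, the standard check that stops a corrupted CRT half from leaking a factor of the modulus.

```python
"""RSA private-key operation in Chinese Remainder Theorem (CRT) form.

Added example for this page, not IBM code. The primes below are Mersenne
primes used only to keep the block self-contained; real keys use random
primes of at least 1024 bits each.
"""

P = (1 << 521) - 1   # M521, a known prime (constructed toy value)
Q = (1 << 607) - 1   # M607, a known prime (constructed toy value)
E = 65537


def make_crt_key(p: int, q: int, e: int) -> dict:
    """Derive the CRT components (dP, dQ, qInv) that an accelerator consumes
    alongside p and q, plus n and d for comparison."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # e must be coprime to phi; true for these primes
    return {
        "n": n, "e": e, "d": d, "p": p, "q": q,
        "dP": d % (p - 1),
        "dQ": d % (q - 1),
        "qInv": pow(q, -1, p),
    }


def encrypt_int(key: dict, m: int) -> int:
    """Public-key operation (what the client does with the server's key)."""
    return pow(m, key["e"], key["n"])


def private_op_plain(key: dict, c: int) -> int:
    """Reference: one full-size exponentiation with d modulo n."""
    return pow(c, key["d"], key["n"])


def private_op_crt(key: dict, c: int, inject_fault: bool = False) -> int:
    """Two half-size exponentiations plus Garner recombination.

    Each exponent and modulus is half the size of n, which is why CRT form
    is roughly four times cheaper than the plain operation. inject_fault
    flips one bit of the first half to mimic a hardware fault.
    """
    m1 = pow(c, key["dP"], key["p"])
    m2 = pow(c, key["dQ"], key["q"])
    if inject_fault:
        m1 ^= 1
    h = (key["qInv"] * (m1 - m2)) % key["p"]
    return m2 + h * key["q"]


def checked_private_op(key: dict, c: int, inject_fault: bool = False) -> int:
    """CRT result verified with the public exponent before it is released.

    A single faulty CRT half yields a value that is correct modulo q but not
    modulo p. Releasing it would let an attacker who knows the true m (the
    signing case, or a client that chose the premaster secret) factor n via
    gcd(result - m, n). Re-encrypting and comparing costs one cheap
    public-key operation and blocks that leak.
    """
    m = private_op_crt(key, c, inject_fault)
    if pow(m, key["e"], key["n"]) != c:
        raise ValueError("CRT result failed public-key check; result withheld")
    return m
```

The accelerator's advantage comes from the two half-size exponentiations; the software portion of the handshake (parsing, the symmetric record layer, session setup) still runs on the general processors, which is why the page's throughput figure is bounded by available processor cycles rather than by the adapters.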

The configurable Crypto Express2 feature is supported by z/OS, z/VM, z/VSE, z/TPF and Linux on System z. z/VSE and z/TPF offer support for clear-key SSL transactions only. Current versions of z/OS, z/VM, and Linux on System z offer support for both clear-key and secure-key operations.

Crypto Express2 features can be carried forward from System z9 EC and z9 BC to the new System z10 EC, so users may continue to take advantage of the SSL performance and the configuration capability.

System z10 EC Cryptographic enhancements

IBM continuously adds support for new customer requirements, and this generation of System z has been enhanced to include support of the following:

Key management for remote loading of ATM and Point of Sale (POS) keys: The elimination of manual key entry is designed to reduce downtime due to key entry errors, service calls, and key management costs.

Improved key exchange with non-Common Cryptographic Architecture (CCA) cryptographic systems: New features added to the IBM Common Cryptographic Architecture are designed to improve the exchange of keys between CCA systems and systems that do not use control vectors. The CCA system owner defines which types of key import and export are permitted, so keys can be exchanged with such systems without allowing uncontrolled key exchange, which would increase the system's exposure to attack.

Support for ISO 16609 CBC mode Triple-DES (T-DES) Message Authentication Code (MAC): ISO 16609 CBC mode T-DES MAC is accessible through ICSF function calls made to the Common Cryptographic Architecture (CCA) code on the Crypto Express2 coprocessor. The enhancements above are supported by z/OS and by z/VM for guest exploitation.
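The clear-key versus secure-key distinction drawn above for CPACF and the Crypto Express2 coprocessor, and the control vectors referred to in the key-exchange enhancement, can be illustrated with a small model. The following Python is an added example written for this page, not IBM code. It models a coprocessor that holds a master key and hands out key tokens wrapped under master key XOR control vector, so that a token created for MAC use cannot be unwrapped for data encryption and a token from one coprocessor is rejected by another. HMAC-SHA256 in counter mode stands in for the block cipher; the 56-byte token layout, the two control-vector values and the key check value construction are simplifications chosen for the example, and CCA's real token formats differ.

```python
"""Toy model of CCA-style secure-key tokens bound to a control vector (CV).

Added example for this page, not IBM code. HMAC-SHA256 stands in for the
block cipher a real coprocessor uses; the token layout is simplified.
"""
import hashlib
import hmac
import os

# One control vector per permitted key usage. The wrapping key is
# master_key XOR CV, so a token can only be unwrapped for the usage it
# was created for. Values are constructed for this example.
CONTROL_VECTORS = {
    "DATA": b"\x00" * 31 + b"\x01",   # data encryption/decryption
    "MAC":  b"\x00" * 31 + b"\x02",   # message authentication
}


class KeyUsageError(Exception):
    """Raised when a token is presented for a usage its CV does not permit."""


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, label: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in cipher for this example."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def _kcv(clear: bytes) -> bytes:
    """Key check value: lets the coprocessor detect a wrong unwrap."""
    return hmac.new(clear, b"kcv", hashlib.sha256).digest()[:8]


def clear_key_encrypt(key: bytes, data: bytes) -> bytes:
    """Clear-key path (CPACF analogue): the caller holds the raw key bytes."""
    nonce = os.urandom(16)
    return nonce + _xor(data, _keystream(key, b"enc" + nonce, len(data)))


def usage_rejected(fn, *args) -> bool:
    """True if the coprocessor refuses the operation with KeyUsageError."""
    try:
        fn(*args)
    except KeyUsageError:
        return True
    return False


class SecureKeyCoprocessor:
    """Secure-key path: the raw key value exists only inside these methods."""
    TOKEN_LEN = 16 + 32 + 8   # nonce || wrapped key || key check value

    def __init__(self, master_key: bytes):
        if len(master_key) != 32:
            raise ValueError("master key must be 32 bytes")
        self._mk = master_key

    def import_clear_key(self, clear: bytes, usage: str) -> bytes:
        """Wrap a 32-byte clear key into a token valid for one usage."""
        nonce = os.urandom(16)
        variant = _xor(self._mk, CONTROL_VECTORS[usage])
        wrapped = _xor(clear, _keystream(variant, b"wrap" + nonce, 32))
        return nonce + wrapped + _kcv(clear)

    def generate_key(self, usage: str) -> bytes:
        """Generate a key the application never sees in the clear."""
        return self.import_clear_key(os.urandom(32), usage)

    def _unwrap(self, token: bytes, usage: str) -> bytes:
        if len(token) != self.TOKEN_LEN:
            raise KeyUsageError("malformed token")
        nonce, wrapped, kcv = token[:16], token[16:48], token[48:]
        variant = _xor(self._mk, CONTROL_VECTORS[usage])
        clear = _xor(wrapped, _keystream(variant, b"wrap" + nonce, 32))
        # A wrong usage or a wrong master key yields a different key value;
        # the key check value catches it before the key is used.
        if not hmac.compare_digest(_kcv(clear), kcv):
            raise KeyUsageError(f"token not usable for {usage}")
        return clear

    def encrypt(self, token: bytes, data: bytes) -> bytes:
        return clear_key_encrypt(self._unwrap(token, "DATA"), data)

    def decrypt(self, token: bytes, ct: bytes) -> bytes:
        clear = self._unwrap(token, "DATA")
        nonce, body = ct[:16], ct[16:]
        return _xor(body, _keystream(clear, b"enc" + nonce, len(body)))

    def mac(self, token: bytes, data: bytes) -> bytes:
        return hmac.new(self._unwrap(token, "MAC"), data, hashlib.sha256).digest()
```

In the clear-key path the application holds the 32 raw key bytes, and a dump of its storage exposes them; in the secure-key path the same dump yields only tokens, which are useless without the master key, and each token can be used only for the purpose its control vector encodes. Exchanging keys with a system that has no control vectors means this binding is lost at the boundary, which is why the enhancement above lets the system owner restrict which import and export types are allowed.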

Introducing support for RSA keys up to 4096 bits: The RSA services in the CCA API are extended to support RSA keys with modulus lengths up to 4096 bits. The services affected include key generation, RSA-based key management, digital signatures, and other functions related to these. Refer to the ICSF Application Programmer's Guide, SA22-7522, for additional details.

Dynamically add crypto to a logical partition: Users can preplan the addition of Crypto Express2 features to a logical partition (LP) by using the Crypto page in the image profile to define the Cryptographic Candidate List, Cryptographic Online List, and Usage and Control Domain Indexes in advance of the crypto hardware installation, so that the new hardware can be brought online to the partition without reactivating it. This enhancement is supported by z/OS, z/VM for guest exploitation, and Linux on System z.

Continued support for TKE workstation and smart card reader:

The TKE workstation offers security-rich local and remote key management for the Crypto Express2 feature in the System z10 EC. It gives authorized persons a method of operational and master key entry, identification, exchange, separation, and update. The Trusted Key Entry (TKE) workstation (#0839) and the TKE 5.2 level of Licensed Internal Code (#0857) are optional features on the System z10 EC. The TKE workstation supports connectivity to an Ethernet Local Area Network (LAN) operating at 10 or 100 Mbps. Up to three TKE workstations can be ordered.

Smart card reader: Support for an optional smart card reader attached to the TKE 5.2 workstation allows for the use of smart cards that contain an embedded microprocessor and associated memory for data storage. Access to and the use of confidential data on the smart cards is protected by a user-defined personal identification number (PIN).

TKE 5.2 Licensed Internal Code (LIC) has added the capability to store key parts on DVD-RAMs and continues to support the ability to store key parts on paper, or optionally on a smart card. TKE 5.2 LIC has limited the use of floppy diskettes to read-only. The TKE 5.2 LIC can remotely control host cryptographic coprocessors using a password-protected authority signature key pair either in a binary file or on a smart card.

The optional TKE features are the TKE workstation (#0839), the TKE 5.2 level of Licensed Internal Code (#0857), and the smart card reader, which can be attached to a TKE workstation with the 5.2 level of LIC and is available on the System z10 EC.
