System z Crypto and TKE Update

An IBM Redbooks publication

Published 31 May 2011, updated 20 June 2011

Authors: Karan Singh, Lennie Dymoke-Bradshaw, Pekka Hanninen, Patrick Kappeler


This IBM® Redbooks® publication provides detailed information about the implementation of hardware cryptography in the System z10® server. We begin by summarizing the history of hardware cryptography on IBM Mainframe servers, introducing the cryptographic support available on the IBM System z10, introducing the Crypto Express3 feature, briefly comparing the functions provided by the hardware and software, and providing a high-level overview of the application programming interfaces available for invoking cryptographic support.

This book then provides detailed information about the Crypto Express3 feature, discussing at length its physical design, its function and usage details, the services that it provides, and the API exposed to the programmer. This book also provides significant coverage of the CP Assist for Cryptographic Functions (CPACF). Details on the history and purpose of the CPACF are provided, along with an overview of cryptographic keys and CPACF usage details. A chapter on the configuration of the hardware cryptographic features is provided, which covers topics such as zeroizing domains and security settings. We examine the software support for the cryptographic functions available on the System z10 server. We look at the recent changes in the Integrated Cryptographic Service Facility (ICSF) introduced with level HCR7770 for the z/OS® operating system. A discussion of PKCS#11 support presents an overview of the standard and provides details on configuration and exploitation of PKCS#11 services available on the z/OS operating system.

The Trusted Key Entry (TKE) Version 6.0 workstation updates are examined in detail and examples are presented on the configuration, usage, and exploitation of the new features. We discuss the cryptographic support available for Linux® on System z®, with a focus on the services available through the IBM Common Cryptographic Architecture (CCA) API. We also provide an overview on Elliptical Curve Cryptography (ECC), along with examples of exploiting ECC using ICSF PKCS#11 services. Sample Rexx and Assembler code is provided that demonstrate the capabilities of CPACF protected keys.

Table of contents

Chapter 1. Introduction
Chapter 2. More on the 4765 Cryptographic Coprocessor and the Crypto Express3 feature
Chapter 3. CP Assist for Cryptographic Functions (CPACF)
Chapter 4. z10 Cryptographic configuration
Chapter 5. Integrated Cryptographic Service Facility (ICSF): Recent changes
Chapter 6. z/OS support for the PKCS#11 API
Chapter 7. Trusted Key Entry
Chapter 8. A brief overview of integrated hardware cryptography implementation in Linux for System z
Chapter 9. Using Elliptic Curve Cryptography (ECC) on z/OS
Appendix A. Sample programs in assembler and REXX

Follow IBM Redbooks

Follow IBM Redbooks