Skip to main content

System z Crypto and TKE Update

An IBM Redbooks publication


Published on 01 June 2011, updated 20 June 2011

  1. .EPUB (3.8 MB)
  2. .PDF (4.4 MB)

Apple BooksGoogle Play Books

Share this page:   

ISBN-10: 0738435546
ISBN-13: 9780738435541
IBM Form #: SG24-7848-00

Authors: Karan Singh, Lennie Dymoke-Bradshaw, Pekka Hanninen and Patrick Kappeler

    menu icon


    This IBM® Redbooks® publication provides detailed information about the implementation of hardware cryptography in the System z10® server. We begin by summarizing the history of hardware cryptography on IBM Mainframe servers, introducing the cryptographic support available on the IBM System z10, introducing the Crypto Express3 feature, briefly comparing the functions provided by the hardware and software, and providing a high-level overview of the application programming interfaces available for invoking cryptographic support.

    This book then provides detailed information about the Crypto Express3 feature, discussing at length its physical design, its function and usage details, the services that it provides, and the API exposed to the programmer. This book also provides significant coverage of the CP Assist for Cryptographic Functions (CPACF). Details on the history and purpose of the CPACF are provided, along with an overview of cryptographic keys and CPACF usage details. A chapter on the configuration of the hardware cryptographic features is provided, which covers topics such as zeroizing domains and security settings. We examine the software support for the cryptographic functions available on the System z10 server. We look at the recent changes in the Integrated Cryptographic Service Facility (ICSF) introduced with level HCR7770 for the z/OS® operating system. A discussion of PKCS#11 support presents an overview of the standard and provides details on configuration and exploitation of PKCS#11 services available on the z/OS operating system.

    The Trusted Key Entry (TKE) Version 6.0 workstation updates are examined in detail and examples are presented on the configuration, usage, and exploitation of the new features. We discuss the cryptographic support available for Linux® on System z®, with a focus on the services available through the IBM Common Cryptographic Architecture (CCA) API. We also provide an overview on Elliptical Curve Cryptography (ECC), along with examples of exploiting ECC using ICSF PKCS#11 services. Sample Rexx and Assembler code is provided that demonstrate the capabilities of CPACF protected keys.

    Table of Contents

    Chapter 1. Introduction

    Chapter 2. More on the 4765 Cryptographic Coprocessor and the Crypto Express3 feature

    Chapter 3. CP Assist for Cryptographic Functions (CPACF)

    Chapter 4. z10 Cryptographic configuration

    Chapter 5. Integrated Cryptographic Service Facility (ICSF): Recent changes

    Chapter 6. z/OS support for the PKCS#11 API

    Chapter 7. Trusted Key Entry

    Chapter 8. A brief overview of integrated hardware cryptography implementation in Linux for System z

    Chapter 9. Using Elliptic Curve Cryptography (ECC) on z/OS

    Appendix A. Sample programs in assembler and REXX


    Others who read this also read