164 IBM eServer zSeries 900 Technical Guide
4.1 Cryptographic function support
The z900 server includes both standard cryptographic hardware and optional cryptographic
features to give flexibility and growth capability. IBM has a long history in hardware
cryptographic solutions, from the development of the Data Encryption Standard (DES) in the
1970s, to delivering the only integrated cryptographic hardware in a server to achieve the US
Government's highest FIPS 140-1 Level 4 rating for secure cryptographic hardware.
The z900 server cryptographic functions include the full range of cryptographic operations
needed for e-business, e-commerce, and financial institution applications. In addition, custom
cryptographic functions can be added to the set of functions that the z900 server's integrated
Cryptographic Coprocessor and PCI Cryptographic features offer.
e-business applications are increasingly reliant on cryptographic techniques to provide the
confidentiality and authentication required in this environment. Secure Sockets Layer (SSL)
technology is a key technology for conducting secure e-commerce using Web servers, and it
is in use by a rapidly increasing number of Web servers, demanding new levels of
performance.
Balanced utilization of all hardware cryptographic engines is key to performance. z/OS
transparently routes requests for cryptographic services to an appropriate, available central
processor (CP) and, in the case of SSL transactions, cryptographic requests are
load-balanced across all available CPs, taking maximum advantage of z900 scalability.
Three types of cryptographic hardware features are available on z900 servers. The
cryptographic features are usable only when explicitly enabled through IBM:
1. Cryptographic Coprocessor
The z900 server's standard cryptographic hardware, the Cryptographic Coprocessor, is an
enhanced "next" generation of the S/390 Cryptographic Coprocessor.
The Cryptographic Coprocessor's design is a single-chip module (element) with faster
technology and is now mounted on the processor board. The chip modules can be
serviced individually, obviating any need to replace a larger module; service instances are
rare, and potential downtime has been drastically reduced.
The new logic technology increases the cycle speed of the coprocessors, providing an
improved performance base for z900 cryptographic hardware. All z900 servers include up
to two Cryptographic Coprocessors as standard.
2. PCI Cryptographic Coprocessor (PCICC), feature code 0861
z900 servers support the optional PCICC to supplement the standard Cryptographic
Coprocessors, with added functions and performance. Each PCICC feature includes a
pair of PCI Cryptographic Coprocessors, or the equivalent of two S/390 G5/G6 PCICC
features. z900 servers allow for up to eight PCICC features¹ to be installed, for a total of
16 PCI Cryptographic Coprocessors. The feature has a FIPS 140-1 Level 4 compliance
rating for secure cryptographic hardware.
3. PCI Cryptographic Accelerator (PCICA), feature code 0862
z900 servers also support the optional PCICA. This is a unique cryptographic card
designed to implement SSL encryption. It is a very fast cryptographic processor designed
to provide leading-edge performance of the complex Rivest-Shamir-Adleman (RSA)
cryptographic operations used in the SSL protocol. SSL is an essential and widely used
protocol in secure e-business applications.
¹ The combined number of PCICC and PCICA features on a z900 server cannot exceed eight, and the total number
of FICON, FICON Express, PCICC, PCICA and OSA-E cards cannot exceed 16 per I/O cage.
