Chapter 4. Cryptography
The Cryptographic Coprocessor modules on the z900 server are designed as Single-Chip
Modules (SCMs) mounted on the processor board and individually serviceable. This
eliminates the need to change the Multi-Chip Module (MCM, where they previously resided)
in the event of a Cryptographic Coprocessor module failure.

4.2.3 PCI Cryptographic Coprocessor (PCICC) feature

The Peripheral Component Interconnect Cryptographic Coprocessor (PCICC), feature code
0861, is an orderable feature that adds additional cryptographic function and cryptographic
performance to the z900 server general purpose models.

The PCICC feature coexists with and augments the integrated Cryptographic Coprocessor
that is standard on the z900 server general purpose models. The PCICC feature can only be
utilized when the Cryptographic Coprocessors are enabled.

The PCICC feature is programmable to deploy new standard cryptographic functions, to
enable migration from the IBM 4753 Network Security Processor external cryptographic
processing device, and to meet unique customer requirements.

Each PCICC feature is built around two cryptographic PCI daughter cards embedded in an
adapter package for installing in the I/O slots of the z900 server new I/O cage. These slots
also support PCI Cryptographic Accelerator, ESCON 16-port, OSA-Express, ISC-3 mother
cards, FICON, and FICON Express features. The total quantity of PCICC, PCICA, FICON
and OSA-Express features together cannot exceed 16 per I/O cage and 48 per system (16
each in three new I/O cages).

The PCICC feature is supported by OS/390 V2R9 and above, which includes new Integrated
Cryptographic Service Facility (ICSF) functions. ICSF transparently routes application
requests for cryptographic services to one of the Cryptographic Coprocessors. Either a
Cryptographic Coprocessor or a PCI Cryptographic Coprocessor is invoked (depending on
performance or cryptographic function) to perform the cryptographic operation. For example,
the Cryptographic Coprocessor performs synchronous functions (such as used in the Triple
DES standard) but does not execute certain asynchronous functions, such as RSA Key
Generation, that are performed on the PCI Cryptographic Coprocessor.

Two PCICC numbers (one for each coprocessor) are assigned to each PCICC feature and
these are related to the feature hardware serial number. The feature can be moved within the
z900 server (possibly by MES) without changing the PCICC number to feature serial number
relationship.

However, if the PCICC feature is removed from the z900 server (by MES or repair), the PCI
Cryptographic Coprocessor Management window (accessed from the z900 server Support
Element) must be used to break (release) the relationship between the assigned PCICC
number and the serial number of the old PCICC feature before a new PCICC feature can be
assigned the (released) PCICC number.

Each PCICC feature uses two CHPID numbers of the same pseudo CHPID type. However,
the CHPID numbers are not defined in HCD or in IOCP. The feature does not have ports and
does not use fiber optic cables.

In the z900 server, there can be a maximum of eight PCI Cryptographic Coprocessor
(PCICC) features, along with a maximum of six PCI Cryptographic Accelerator (PCICA)
features. The combined number of PCICC and PCICA features in a z900 server cannot
exceed eight. Within these parameters, the PCICC and PCICA features can coexist in any
combination. This scalability provides increasing cryptographic processing capacity as
customers expand their use of e-business applications requiring cryptographic processing.
