170 IBM eServer zSeries 900 Technical Guide
PCICC functions
The PCI Cryptographic Coprocessor (PCICC) feature provides several additional functions to
enhance the security of public/private key encryption processing:
- RSA Key generation for public/private key pair generation
- 2048-bit RSA signature generation
- Retained key support (RSA private keys generated and kept stored within the secure
  hardware boundary).
- User Defined Extensions (UDX) support enhancements, including:
  - For the Activate UDX request:
    - Establish Owner
    - Relinquish Owner
    - Emergency Burn of Segment
    - Remote Burn of Segment
  - Import UDX File function
  - Reset UDX to IBM default function
  - Query UDX Level function
UDX allows the user to add customized operations to the PCI Cryptographic
Coprocessors installed. It provides the user with the capability to develop a UDX
Segment 3 image file and load a custom Segment 3 image file onto one or more PCI
Cryptographic Coprocessors. The Segment 3 image file is built and loaded onto a diskette
using a Windows NT workstation and imported through the z900 server Support Element.
More information on building a UDX Segment 3 image file can be found in:
  - IBM 4758 PCI Cryptographic Coprocessor Custom Software Developers Toolkit Guide
  - IBM zSeries CCA User Defined Extensions Reference and Guide
These publications are available at:
http://www.ibm.com/security/cryptocards
- Integrated 4758 Model 002 PCI Cryptographic CoProcessor
- Symmetric Encryption Functions
- Provides additional support for 4753 Network Security Processor migration
4.2.4 PCI Cryptographic Accelerator (PCICA) feature
The Peripheral Component Interconnect Cryptographic Accelerator (PCICA), feature code
0862, is an orderable feature on z900 server general purpose models. This optional PCICA
feature is a reduced-function, performance-enhanced alternative to the PCI Cryptographic
Coprocessor (PCICC), feature code 0861, with different functional characteristics. It does not
have FIPS 140-1 certification and is non-programmable. The PCICA feature can only be used
when the Cryptographic Coprocessors are enabled.
The PCICA feature is used for the acceleration of modular arithmetic operations, in particular
the complex RSA cryptographic operations used with the SSL protocol. It is designed for
maximum-speed SSL acceleration rather than for specialized financial applications for secure,
long-term storage of keys or secrets.
Chapter 4. Cryptography 171
The PCICA feature can support up to 2100 SSL handshakes per second. However, the
maximum number of SSL transactions per second that can be supported on a z900 server by
any combination of Cryptographic Coprocessor, PCICC, and PCICA features is limited by the
amount of CPC cycles available to perform the software portion of the SSL transaction.
Current performance measurements with z/OS V1 R4 suggest that on a z900 server model
216, the maximum rate attainable is up to 7000 SSL handshakes per second.
Each PCICA feature contains two cryptographic accelerator daughter cards embedded in an
adapter package for installing in the I/O slots of the z900 server new I/O cage. These slots
also support PCI Cryptographic Coprocessor, ESCON 16-port, OSA-Express, ISC-3 mother
cards, FICON, and FICON Express features. The total quantity of PCICC, PCICA, FICON
and OSA-Express features together cannot exceed 16 per I/O cage and 48 per server (16 in
each of the three possible I/O cages).
Each PCICA feature uses two CHPID numbers of the same pseudo CHPID type as the
PCICC feature. However, the CHPID numbers are not defined in HCD or in IOCP. The PCICA
feature does not have ports and does not use fiber optic cables.
In the z900 server, there can be a maximum of six PCI Cryptographic Accelerator (PCICA)
features, along with a maximum of eight PCI Cryptographic Coprocessor (PCICC) features.
The combined number of PCICC and PCICA features on a z900 server cannot exceed eight.
Within these parameters, the PCICC and PCICA features can coexist in any combination.
This scalability provides increasing cryptographic processing capacity as customers expand
their use of e-business applications requiring cryptographic processing.
The PCICA feature requires a unique LIC load, different from the PCICC feature. Special
concurrent patch support is provided for activating different code loads for the same CHPID
type, but different hardware types (PCICC and PCICA). Activating some Microcode Level
(MCL) patches requires the user to configure off/on both PCICA CHPIDs per feature from all
defined logical partitions.
PCICA functions
The PCICA feature provides functions designed for maximum acceleration of the complex
RSA cryptographic operations used with the SSL protocol, including:
- High-speed RSA cryptographic accelerator
- 1024- and 2048-bit RSA operations for the Modulus Exponent (ME) and Chinese
  Remainder Theorem (CRT) formats.
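The two private-key formats named in the last item differ in how the same RSA private-key operation is computed. The following is an added example, not code from this guide or from IBM; the function names, the toy key built from two small Mersenne primes, and the sample message are all constructed for illustration, and the raw operation is shown without padding.

```python
# Added illustration of the ME and CRT private-key formats (constructed toy key).
from math import gcd

# Constructed sample primes (Mersenne primes 2^127-1 and 2^107-1). Far too
# small and structured for real use; the feature handles 1024/2048-bit keys.
P = 2**127 - 1
Q = 2**107 - 1
E = 65537

def build_key(p, q, e):
    """Return the same private key in ME form and in CRT form."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                      # private exponent
    me = {"n": n, "d": d}                    # Modulus Exponent format
    crt = {"p": p, "q": q,                   # Chinese Remainder Theorem format
           "dp": d % (p - 1), "dq": d % (q - 1),
           "qinv": pow(q, -1, p)}
    return me, crt

def private_op_me(c, key):
    """ME format: one full-width exponentiation, c^d mod n."""
    return pow(c, key["d"], key["n"])

def private_op_crt(c, key):
    """CRT format: two half-width exponentiations, then recombination."""
    p, q = key["p"], key["q"]
    m1 = pow(c % p, key["dp"], p)            # result modulo p
    m2 = pow(c % q, key["dq"], q)            # result modulo q
    h = (key["qinv"] * (m1 - m2)) % p        # Garner recombination step
    return m2 + h * q

def demo():
    me, crt = build_key(P, Q, E)
    message = int.from_bytes(b"premaster secret", "big")  # constructed input
    if message >= me["n"]:
        raise ValueError("message must be smaller than the modulus")
    cipher = pow(message, E, me["n"])        # public-key operation
    return message, private_op_me(cipher, me), private_op_crt(cipher, crt)

if __name__ == "__main__":
    m, via_me, via_crt = demo()
    print("ME recovers message:", via_me == m)
    print("CRT recovers message:", via_crt == m)
```

The CRT form works on operands half the width of the modulus, which is why it is the faster of the two formats, at the cost of holding the prime factors as part of the key.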
