z/OS Cryptographic Services ICSF System Programmer's Guide


Cryptographic Hardware

SA22-7520-17

This topic describes the cryptographic hardware features available. Information on adding and removing cryptographic coprocessors can be found in z/OS Cryptographic Services ICSF Administrator’s Guide.

Crypto Express3 Feature (CEX3C or CEX3A)

The Crypto Express3 Feature is an asynchronous cryptographic coprocessor or accelerator. The feature contains two cryptographic engines that can be independently configured as a coprocessor (CEX3C) or as an accelerator (CEX3A). It is available on the IBM System z10 Enterprise Class, IBM System z10 Business Class, and the IBM zEnterprise 196.

Crypto Express2 Feature (CEX2C or CEX2A)

The Crypto Express2 Feature is an asynchronous cryptographic coprocessor or accelerator. The feature contains two cryptographic engines that can be independently configured as a coprocessor (CEX2C) or as an accelerator (CEX2A). It is available on the IBM System z9 Enterprise Class, IBM System z9 Business Class, IBM System z10 Enterprise Class, and IBM System z10 Business Class.

PCI X Cryptographic Coprocessor (PCIXCC)

The PCI X Cryptographic Coprocessor is an asynchronous cryptographic coprocessor. It is a replacement for the Cryptographic Coprocessor Feature and the PCI Cryptographic Coprocessor. It is only available on an IBM eServer zSeries 990 or IBM eServer zSeries 890.

The PCIXCC/CEX2C DES master key is used in place of the CCF DES master key. The asymmetric-keys master key is used in place of the CCF signature and key management master keys. The PCIXCC/CEX2C supports up to 2048-bit RSA keys in all PKA services except SET services (Set Block Compose and Set Block Decompose).

This feature is in the process of being certified for Federal Information Processing Standard (FIPS) 140-2. This includes algorithmic certification under FIPS 46-2 (DES) and FIPS 180-1 (Secure Hash Standard).

CP Assist for Cryptographic Functions (CPACF)

CPACF is a set of cryptographic instructions available on all CPs of the z990, z890, z9 EC, z9 BC, z10 EC and z10 BC. Use of the CPACF instructions provides improved performance. The SHA-1 algorithm is always available. Additionally, the SHA-224 and SHA-256 algorithms are available on the z9 EC, z9 BC and IBM System z10 Business Class.

CP Assist for Cryptographic Functions (CPACF) DES/TDES Enablement, feature 3863, provides for clear key DES and TDES instructions. On the z9 EC and z9 BC, this feature includes clear key AES for 128-bit keys.

If you want to include a PCIXCC, CEX2C, PCICA (z990, z890), Crypto Express2 feature (z9 EC, z9 BC, z10 EC and z10 BC), or Crypto Express3 Coprocessor (z10 EC, z10 BC, and z196), then feature 3863 is required.

PCI Cryptographic Accelerator (PCICA)

On all systems, the PCI Cryptographic Accelerator provides support for clear keys in the CSNDPKD callable services for better performance than when executed in a cryptographic coprocessor. On z990 or z890, it also supports CSNDDSV and CSNDPKE.

PCICAs enable maximum SSL performance.

Cryptographic Coprocessor Feature (CCF)

The Cryptographic Coprocessor Feature (CCF) can have up to two cryptographic coprocessors as high-speed extensions of the central processor. Each CCF contains both DES and PKA cryptographic processing units. You can configure the processor complex to run in either single-image mode or logical partition mode.

If the Cryptographic Coprocessor Feature is in single-image mode, the same master keys must be installed on both CCFs. If you bring a second coprocessor online, ICSF verifies that the master keys are the same. If the DES master keys are different, ICSF will not use the second coprocessor. The PKA master keys must be the same on both Coprocessors in order to enable the PKA services.

This feature is currently certified for Federal Information Processing Standard (FIPS) 140-1 level 4. This includes algorithmic certification under FIPS 46-2 (DES), FIPS 180-1 (Secure Hash Standard), and FIPS 186 (Digital Signature Standard).

The possible configurations include:

  • DES with PKA

    These servers are configured for full 64-bit DES keys (effective length 56 bits), 1024-bit PKA keys for DES key distribution, and 1024-bit PKA signature keys.

  • Triple DES with PKA

    These servers are configured for 192-bit DES keys (effective length 169 bits), 1024-bit PKA keys for DES key distribution, and 1024-bit PKA signature keys. This configuration is available on S/390 G5 Enterprise Servers and higher.

PCI Cryptographic Coprocessor (PCICC)

The PCI Cryptographic Coprocessor, which works in conjunction with the Cryptographic Coprocessor Feature, provides the capability of generating and retaining RSA keys in secure hardware. This capability meets a requirement to become a SET Certificate Authority. A PCI Cryptographic Coprocessor is required on a CCF system for:

  • UDX capability
  • Generating RSA public and private keys
  • The retained key list and retained key delete callable services.

The PCICC cards are in addition to the Cryptographic Coprocessor Feature. In order for the PCI Cryptographic Coprocessor to operate, the verification pattern for the SYM-MK master key must match the verification pattern of the DES master key on the server's Cryptographic Coprocessor Feature. Before you can use the PKA services of the PCI Cryptographic Coprocessor, you must install both the KMMK and the SMK on the Cryptographic Coprocessor Feature and the RSA-MK master key on the PCI Cryptographic Coprocessor. The hash pattern of the RSA-MK master key must match the hash pattern of the SMK in order to use the PCI Cryptographic Coprocessor.

Note:
For new installations, it is recommended that the installation enter the KMMK equal to the SMK master key. Existing customers should reencipher their PKDS and migrate to a system with the KMMK equal to the SMK.
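The master-key matching rules stated above for a CCF pair in single-image mode and for a PCICC alongside a CCF, modelled as a pre-activation consistency check. This is an added example, not ICSF code or code from this guide; the Ccf and Pcicc classes, the field names and the pattern values are constructed placeholders, not real verification or hash pattern formats.

```python
from dataclasses import dataclass
from typing import Optional

# Names and pattern values below are constructed for illustration; they are not
# ICSF data structures or real verification/hash pattern values.

@dataclass
class Ccf:
    des_mk_vp: str            # verification pattern of the DES master key
    kmmk_hp: Optional[str]    # hash pattern of the KMMK (None = not installed)
    smk_hp: Optional[str]     # hash pattern of the SMK (None = not installed)

@dataclass
class Pcicc:
    sym_mk_vp: str            # verification pattern of the SYM-MK
    rsa_mk_hp: Optional[str]  # hash pattern of the RSA-MK (None = not installed)

def check_ccf_pair(ccf0: Ccf, ccf1: Ccf) -> dict:
    """Single-image mode: ICSF uses the second CCF only when the DES master
    keys match, and enables PKA services only when the PKA master keys match."""
    findings = []
    second_usable = ccf0.des_mk_vp == ccf1.des_mk_vp
    if not second_usable:
        findings.append("DES master key VP mismatch: second CCF will not be used")
    pka_ok = second_usable and (ccf0.kmmk_hp, ccf0.smk_hp) == (ccf1.kmmk_hp, ccf1.smk_hp)
    if second_usable and not pka_ok:
        findings.append("PKA master keys differ between CCFs: PKA services not enabled")
    return {"second_ccf_usable": second_usable, "pka_enabled": pka_ok, "findings": findings}

def check_pcicc(ccf: Ccf, card: Pcicc) -> dict:
    """PCICC rules: SYM-MK VP must equal the CCF DES master key VP; PKA services
    also need KMMK and SMK on the CCF, RSA-MK on the card, and an RSA-MK hash
    pattern equal to the SMK hash pattern."""
    findings = []
    operational = card.sym_mk_vp == ccf.des_mk_vp
    if not operational:
        findings.append("SYM-MK VP differs from CCF DES master key VP: PCICC will not operate")
    pka_installed = None not in (ccf.kmmk_hp, ccf.smk_hp, card.rsa_mk_hp)
    if not pka_installed:
        findings.append("KMMK, SMK or RSA-MK not installed: PCICC PKA services unavailable")
    pka_ok = operational and pka_installed and card.rsa_mk_hp == ccf.smk_hp
    if operational and pka_installed and not pka_ok:
        findings.append("RSA-MK hash pattern differs from SMK hash pattern: PCICC PKA services unavailable")
    if pka_installed and ccf.kmmk_hp != ccf.smk_hp:
        findings.append("advisory: KMMK differs from SMK; set them equal as recommended")
    return {"pcicc_operational": operational, "pka_enabled": pka_ok, "findings": findings}
```

A DES master key mismatch leaves the second coprocessor silently unused, so the findings list is what an operator would review before relying on the added capacity.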





Copyright IBM Corporation 1990, 2014