z/OS Open Cryptographic Services Facility Application Programming


Cryptographic Module Manager

z/OS Open Cryptographic Services Facility Application Programming
SC24-5899-01

The Cryptographic Module Manager administers the Cryptographic Service Provider (CSP) modules that may be installed on the local system, and defines a common application programming interface (API) for accessing CSP modules. All cryptography functions are implemented by the CSPs. This localizes all cryptography into exchangeable modules. OCSF administers a queryable registry of local CSPs. The registry lists the locally accessible CSPs and their cryptographic services (and algorithms).

The nature of the cryptographic functions contained in any particular CSP depends on the task the CSP was designed to perform. For example, a VISA smart card would be able to digitally sign credit card transactions on behalf of the card's owner. A digital employee badge would be able to authenticate a user for physical or electronic access.

The Cryptographic Module Manager does not assume any particular form for a CSP. CSPs can be implemented in hardware, software, or both; operationally, the distinction must be transparent. The two visible distinctions between hardware and software implementations are the degree of trust the application receives by using a given CSP, and the cost of developing that CSP. A hardware implementation should be more tamper-resistant than a software implementation. Hence a higher level of trust is achieved by the application. All CSPs that can be loaded by the OCSF must contain a verification check (see footnote 1).

Multiple CSPs may be loaded and active within the OCSF at any time, and a single application may use multiple CSPs concurrently. Interpreting the resulting level of trust and security is the responsibility of the application or the TP module used by the application. The Cryptographic Module Manager defines a high-level, certificate-based API for cryptographic services to support application development. This API is described in Cryptographic Services API. A CSP may or may not support multithreaded applications. For information on interface support by cryptographic service providers, refer to the z/OS Open Cryptographic Services Facility Service Provider Module Developer’s Guide and Reference. For specifics on the cryptographic service providers available with OCSF, refer to Service Provider Modules.


1. If you want to provide a Cryptographic Service Provider, you need to contact IBM. For more information, see the z/OS Open Cryptographic Services Facility Service Provider Module Developer’s Guide and Reference.





Copyright IBM Corporation 1990, 2014