z/OS Cryptographic Services System SSL Programming


Guidelines for using hardware cryptographic features

SC14-7495-00

System SSL handshake processing uses RSA and digital signature functions, which are expensive when performed in software. For installations that have high volumes of SSL handshake processing, using the capabilities of the hardware provides maximum performance and throughput. For example, on z9, z10, z196, or zEC12, having a Crypto Express Coprocessor, Accelerator, or both results in the maximum clear key RSA and digital signature processing being done in hardware.

For installations that are more concerned with the transfer of encrypted data than with SSL handshakes, moving the encrypt/decrypt processing to hardware (CPACF) provides maximum performance. The encryption algorithm is determined by the SSL cipher value. To use hardware, the cipher's symmetric algorithm must be available in hardware. For example, on z9, z10, z196, or zEC12, an application that encrypts and decrypts data using the symmetric algorithm 3DES would benefit from the processing being done in hardware.

For maximum performance and throughput, it is recommended that hardware is used for both the SSL handshake and data encrypt/decrypt.

For information about the types of hardware cryptographic features supported by ICSF, see z/OS Cryptographic Services ICSF Overview. For information about configuring and using ICSF, see z/OS Cryptographic Services ICSF Administrator's Guide and z/OS Cryptographic Services ICSF System Programmer's Guide.

Several products use System SSL. See the specific product publications to see if there is information about System SSL and ICSF considerations.

Note that access to ICSF cryptographic services can be controlled by the z/OS® Security Server (RACF®). For further information, see the topic about controlling who can use cryptographic keys and services in z/OS Cryptographic Services ICSF Administrator's Guide.





Copyright IBM Corporation 1990, 2014