Overview of hardware cryptographic features and System SSL

z/OS Cryptographic Services System SSL Programming, SC14-7495-00
System SSL might use ICSF or the CPACF for cryptographic hardware support, if they are available. Cryptographic hardware support provides performance benefits over software processing and might be used for particular cryptographic algorithms instead of the System SSL software algorithms. System SSL also uses ICSF for cryptographic algorithms that are not supported within the software of System SSL (for example, Elliptic Curve Cryptography). For algorithms for which System SSL has software versions, System SSL checks for hardware support during its runtime initialization and uses the support if available, unless the application specifies otherwise. See Environment variables for information about the GSK_HW_CRYPTO environment variable, which specifies whether the hardware cryptographic support is used.

If the appropriate hardware is available, System SSL uses the CPACF directly for the symmetric encryption algorithms DES, 3DES, and AES-CBC, and for the SHA-based digest algorithms. It calls ICSF for RSA signature and encryption operations. If these functions are not available in hardware, System SSL uses its internal software implementations of the algorithms.

If a severe ICSF error occurs during a clear key RSA operation, System SSL stops using the hardware support and reverts to the software algorithms, when applicable. In this event, hardware failure notification is available through the SSL Started Task or SSL trace output, if either facility is enabled. The SSL Started Task outputs an error message to the console on the first occurrence of the hardware failure and to the system log on any subsequent events. A message showing the failing encryption algorithm appears in the system log only. Any future cryptographic operations for the current SSL application that attempt to use this algorithm are performed in software. When the severe problem with ICSF is resolved, the System SSL application must be restarted to begin using ICSF again.

When using a secure key (a key stored either in the ICSF PKDS or a PKCS #11 token) or an algorithm that is not supported within System SSL's software (ECC and AES-GCM), System SSL always uses ICSF for the cryptographic operation. If ICSF is not available when these algorithms are called upon, the operation fails. Clear key ECC and AES-GCM operations use ICSF PKCS #11 support. For more information about ECC cryptographic support, see Elliptic Curve Cryptography support.

Note: System SSL can use secure key support for RSA and ECC through ICSF. System SSL does not use secure symmetric keys, except for the symmetric key that is used to encrypt the private key in the gsk_make_enveloped_private_key_msg() API.
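To make the dispatch rules above concrete, the following model (an added illustration, not IBM code; the Platform and SslApplication classes, the algorithm groupings and the hw_allowed set standing in for GSK_HW_CRYPTO are assumptions) encodes which engine handles a call and shows that the software fallback after a severe clear-key RSA error is sticky until the application is restarted.

```python
from dataclasses import dataclass, field

# Algorithm groups as described in the text (grouping constructed for this model).
CPACF_ALGS = {"DES", "3DES", "AES-CBC", "SHA"}   # CPACF called directly
ICSF_ONLY_ALGS = {"ECC", "AES-GCM"}              # no System SSL software version
RSA = "RSA"                                      # ICSF, software fallback possible

@dataclass
class Platform:
    icsf_available: bool
    cpacf_available: bool
    icsf_severe_error: bool = False   # a severe ICSF error occurs during the call

@dataclass
class SslApplication:
    platform: Platform
    # hw_allowed stands in for GSK_HW_CRYPTO (assumed simplification: a set of names).
    hw_allowed: set = field(default_factory=lambda: CPACF_ALGS | ICSF_ONLY_ALGS | {RSA})
    sw_fallback: set = field(default_factory=set)   # sticky until the application restarts

    def perform(self, alg, secure_key=False):
        p = self.platform
        # Secure keys and algorithms without a software version always need ICSF;
        # GSK_HW_CRYPTO only governs algorithms that have a software version.
        if secure_key or alg in ICSF_ONLY_ALGS:
            return "ICSF" if p.icsf_available else "FAIL"
        if alg in self.sw_fallback or alg not in self.hw_allowed:
            return "SOFTWARE"
        if alg in CPACF_ALGS:
            return "CPACF" if p.cpacf_available else "SOFTWARE"
        if alg == RSA:
            if not p.icsf_available:
                return "SOFTWARE"
            if p.icsf_severe_error:
                # Clear-key RSA hit a severe ICSF error: this application stops
                # using hardware for the algorithm until it is restarted.
                self.sw_fallback.add(alg)
                return "SOFTWARE"
            return "ICSF"
        raise ValueError(f"unknown algorithm {alg}")

if __name__ == "__main__":
    plat = Platform(icsf_available=True, cpacf_available=True)
    app = SslApplication(plat)
    print("AES-CBC ->", app.perform("AES-CBC"), "| RSA ->", app.perform("RSA"))
    plat.icsf_severe_error = True
    print("RSA during severe ICSF error ->", app.perform("RSA"))
    plat.icsf_severe_error = False
    print("RSA after error cleared, same app ->", app.perform("RSA"))
    print("RSA after restart ->", SslApplication(plat).perform("RSA"))
```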
Table 1 describes the hardware cryptographic functions that are used by System SSL under different hardware configurations. To use 4096-bit RSA keys in the hardware, you need one of the following:
Copyright IBM Corporation 1990, 2014