We went from a z/800 to a z/9 BC. We purchased CEX2 cards because we thought we needed them. We did a lot of testing of the CEX2 cards versus CPACF using the both the KMC and CSFENC commands. I found two papers that helped a lot. One was 'How To Use the New z990 Cryptographic Operation Codes' by E.H. Nachtigall. It included sample code that help get us started. We also used 'IBM System z9 Business Class Performance of Cryptographic Operations (Cryptographic Hardware: CPACF, CEX2C, CEX2A)'. It showed performance data for the various ways you can configure and use the hardware.
Brad Wissink Information Technology Services Iowa State University 515-294-3088 -----Original Message----- From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Patrick O'Keefe Sent: Wednesday, November 28, 2007 1:30 PM To: [email protected] Subject: Re: ICSF First-time Startup On Wed, 28 Nov 2007 09:22:48 -0600, Chase, John <[EMAIL PROTECTED]> wrote: >... >Thanks to all who have replied so far. I'll reiterate that we DO NOT >have any of the optional crypto hardware installed (yet); we have ONLY >the CPACF DES/TDES (feature code 3863) enabled at present. The optional >crypto hardware is on next year's "wish list". >... We are also just beginning to get the crypto stuff up and running. We have z/OS 1.8 on several z9s with CEX2 cards, so not at all the config in question, but we're definitely suffereing through some very unclear doc. The "z9-109 Crypto and TKE V5 Update" ref'ed earlier in this thread has a wealth of info, but seems to be self contradictory. It says CPACF can be enabled independantly of CEX2 (as you've done) and says that gives you support of both encryption and hashing (assuming you've picked the right cipher suites). But somewhere else it implies you get support only for hashing. It is also a bit vague about the software support provided by CPACF instructions vs the hardware support provided by the CPACF hardware. I assume "enabling" gives you both the hardware and software support, but it's not very clear. And then they mention the ICSF interface to CPACF and mention the benefits of using it instead of directly executing CPACF instructions. But I don't know if you can execute ICSF if you don't have the CEX2. (I may have just missed that since we aren't in that boat.) It would be nice if there were cleared doc - "z9 Crypto for Dummies" or something - but there's little hope of that. The topic is far too obtuse for dummies to have a chance. (... which may explain the problems I'm having. :-) ) Pat O'Keefe ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
