Hello Alan, Up to z900/z800, we only had the ICSF as the driver to access the cryptographic coprocessors. Those products and programs that would like to access the crypto hw should code ICSF callable services.
At z990 timeframe the System z cryptographic architecture changed. Instead of CCF, PCICC and PCICA, we had CPAC and CEX2C (PCIXCC in the beginning). Along with CPACF, IBM deployed 5 new zArchitecture Assembler Instructions. These instructions permit that our programs and products access the crypto hw (CPACF) directly. ICSF is not needed. The instructions are: Cipher Message (KM) Cipher Message with Chaining (KMC) Compute Intermediate Message Digest (KIMD) Compute Last Message Digest (KLMD) Compute Message Authentication Code (KMAC) Of course, the products and programs should be changed to call the new Assembler instructions instead of ICSF callable services. System SSL enhanced its code to exploit CPACF through new Assembler instructions on z/OS V1R6 (it was retrofitted up to OS/390 V2R10 through PTFs).. It is important to remember that PKA Encrypt / PKA Decrypt is one of the most CPU intensive steps in SSL handshake. PKA algorithms are not supported in CPACF. In order to take full advantage of crypto HW in a z890/z990 (as it used to be in CCF machines), CEX2C or CEX2A with ICSF active is required. Monitoring the crypto coprocessor usage used to be a problem. Since z/OS V1R2 we have an RMF Crypto Activity report that show its usage. There is a redpaper called Monitoring System z Cryptographic Services (REDP-4358-00) that helps you understand how to use the given information. It is available at URL http://www.redbooks.ibm.com/abstracts/redp4358.html?Open I would check in your production LPAR if crypto coprocessor is being used through the report above. Best Regards, Vicente Ranieri Junior Technical Sales Support – Latin America GMT ---------------------------------------------------------------------- ----------------------------------------- Thanks Vincente, Can you tell me, since we do not run ICSF in our production LPAR, is the CPACF feature of the z890 allowing us to do crypto at home? --------------------------------------------------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
