Effectively, you need both ICSF and a CEX3 to take advantage of Protected Keys.
As was pointed out in another append, you can use the PCKMO instruction to wrap a key. That is, you would take a clear key and wrap it, creating a protected key. And as was also pointed out in that post, I'm not sure why you would do that. Once you bring the key, in the clear, into storage, it could be viewed by an attacker. So you would have to make sure the system is secured (i.e. no other apps or users accessing the system) while you're using the PCKMO to wrap it. And even then, you would have to be sure to use that wrapped key right away. There is no point in saving a copy of the wrapped key because there is no guarantee that the wrapping key won't have changed before you use it again. If the LPAR is deactivated and activated then the wrapping key will change and your wrapped key is no longer usable. So the value of protected key is to leverage the security of the CEX3 (for storing your application key as a secure key) with the performance of the CPACF.

And responding to John Gilmore's comments, I say that the performance numbers are 'ivory tower' because few customers will ever obtain those metrics. For example, the SSL tests are intended to measure the performance of the handshake. I believe the payload in that example was 1 byte of data. That's not a very realistic exercise, but it does effectively demonstrate the value of the CEX card on the SSL handshake. So the data is valuable and useful. In the report you can see the expected throughput given AES vs TDES or the various blocksizes. And you can see the relative impact of secure key vs clear key vs protected key. But you must temper your expectations. Crypto has a cost and it can be significant, but I would also suggest that the application design can have a significant impact on your performance expectations as well.
Greg Boyd
IBM Advanced Technical Support
Supporting Crypto on System z

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
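The key life cycle Greg describes above (a clear key wrapped by PCKMO under the LPAR's wrapping key, a saved protected key becoming useless after the LPAR is deactivated and reactivated, and the secure-key path through the CEX3 that avoids both problems) can be modelled in a few dozen lines. The following is an added illustration written for this archive; it is not code from the post, from IBM or from ICSF. The names PCKMO, CPACF, CEX3 and LPAR are the real z/Architecture terms, but every algorithm in the model is a toy stand-in built from HMAC-SHA256 so that it runs with the Python standard library only, and the classes, method names and the `toy_encrypt` helper are inventions of the example.

```python
# Added model of the protected-key life cycle (not IBM code). All cryptography here is a
# toy HMAC-SHA256 construction standing in for the real AES/TDES wrapping in firmware.
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode (stand-in for a block cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _wrap(wrapping_key: bytes, clear_key: bytes) -> bytes:
    """Encrypt-then-MAC the clear key under wrapping_key; output is nonce | body | tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = _xor(clear_key, _keystream(wrapping_key, nonce, len(clear_key)))
    tag = hmac.new(wrapping_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def _unwrap(wrapping_key: bytes, blob: bytes) -> bytes:
    """Reject the blob unless it was wrapped under this exact wrapping key."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(wrapping_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("protected key was wrapped under a different wrapping key")
    return _xor(body, _keystream(wrapping_key, nonce, len(body)))


def toy_encrypt(clear_key: bytes, data: bytes) -> bytes:
    """Deterministic toy cipher so results can be compared across key forms."""
    return _xor(data, _keystream(clear_key, b"data", len(data)))


class Lpar:
    """Models the firmware-held wrapping key: created at activation, gone at deactivation."""

    def __init__(self) -> None:
        self.wrapping_key = None
        self.activate()

    def activate(self) -> None:
        self.wrapping_key = secrets.token_bytes(32)  # a fresh key on every activation

    def deactivate(self) -> None:
        self.wrapping_key = None

    def pckmo_wrap(self, clear_key: bytes) -> bytes:
        """PCKMO-style: the clear key sits in host storage and comes back protected."""
        return _wrap(self.wrapping_key, clear_key)

    def cpacf_encrypt(self, protected_key: bytes, data: bytes) -> bytes:
        """CPACF-style use: firmware unwraps; the clear key never lands in host storage."""
        return toy_encrypt(_unwrap(self.wrapping_key, protected_key), data)


class Cex3:
    """Models the crypto card: application keys live enciphered under its master key."""

    def __init__(self) -> None:
        self.master_key = secrets.token_bytes(32)

    def import_clear_key(self, clear_key: bytes) -> bytes:
        return _wrap(self.master_key, clear_key)  # secure-key token, safe to keep on disk

    def secure_to_protected(self, secure_token: bytes, lpar: Lpar) -> bytes:
        """Card recovers the key and re-wraps it under the LPAR's current wrapping key."""
        return _wrap(lpar.wrapping_key, _unwrap(self.master_key, secure_token))


def demo_pckmo_within_activation() -> bool:
    """A protected key made by PCKMO works as long as the LPAR stays up."""
    lpar, clear_key, data = Lpar(), secrets.token_bytes(32), b"payload"
    return lpar.cpacf_encrypt(lpar.pckmo_wrap(clear_key), data) == toy_encrypt(clear_key, data)


def demo_saved_protected_key_after_reactivation() -> bool:
    """True when a saved protected key is rejected after deactivate/activate."""
    lpar, clear_key = Lpar(), secrets.token_bytes(32)
    saved = lpar.pckmo_wrap(clear_key)
    lpar.deactivate()
    lpar.activate()
    try:
        lpar.cpacf_encrypt(saved, b"payload")
    except ValueError:
        return True
    return False


def demo_secure_key_path() -> bool:
    """The secure-key token survives reactivation; a protected key is derived per use."""
    lpar, card, clear_key, data = Lpar(), Cex3(), secrets.token_bytes(32), b"payload"
    token = card.import_clear_key(clear_key)
    lpar.deactivate()
    lpar.activate()
    pkey = card.secure_to_protected(token, lpar)
    return lpar.cpacf_encrypt(pkey, data) == toy_encrypt(clear_key, data)
```

The three demo functions map onto the three points in the post: `demo_pckmo_within_activation` shows the PCKMO path working while the wrapping key is stable, `demo_saved_protected_key_after_reactivation` shows why a stored protected key is worthless once the LPAR has been deactivated and reactivated, and `demo_secure_key_path` shows the design the post recommends, where the durable artifact is the secure-key token under the card's master key and the protected key is regenerated at the time of use.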
