Peter wrote:
>After implementing ATTLS there is some delay in our CICS transaction but I
>was suspecting if sn absence of crypto processor can overload the general
>processor to cause this delay ?
Define "some delay". Adding AT-TLS means that a TLS handshake is being added to
the communication. That isn't instantaneous, and means some additional network
back-and-forth. I'd strongly suspect that it's more just network latency added
by that than the cost of the encryption itself.
As for CPACF, this tiny Rexx program will tell you if it's enabled. It does
require that CSF (ICSF) be running/have run since IPL. It tests a bit CSF sets
after *it* verifies the existence of CPACF by trying the instructions.
/* REXX */
if bitand(storage(d2x(x2d(c2x(storage(d2x(x2d(c2x(,
storage(d2x(x2d(c2x(storage(10,4)))+x2d(C8)),4)))+,
x2d(B8)), 4)))+x2d(11A)), 1), '08'x) <> '00'x then
say 'CPACF is enabled'
else say 'CPACF is not enabled'
/*
tests CCVT_KMC_AES256 (x'08', "KMC AES 256 key enabled")
on flag CCVT_KMC_EXPORT3 (offset 11A)
in CSFCCVT, pointed to by CVTABEND (offset x'B8')
into CVT (X'10' in page 0)
*/
If by some chance CPACF is NOT enabled, it's a free feature on all current IBM
hardware, so get it turned on!
Do make sure that anything you enable AT-TLS for both can handle TLS at the
other end AND is not already doing TLS. We've had several incidents where
people turned on AT-TLS "because it's good" and our product was already doing
TLS. The double encryption does not work out well--specifically, it results in
strange connection failures because "inner" level of negotiation works, but
then instead of seeing a request, it sees another TLS negotiation start, which
it doesn't understand since it's not looking for one. It doesn't sound like
this is your issue--if it were, you'd be having failures, not delays!--but it's
important to understand and I'll keep repeating it because it seems to be a
common error.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
