I'm not sure I understand your last question ... but let me try to clarify a couple of things.
It's important to realize that you have two separate pieces of crypto hardware available on System z: the CPACF for symmetric clear key and hashing operations and the Crypto Express card for symmetric secure key, MAC, public/private key operations, Financial/PIN operations, etc. There is really no overlap in functionality between the two devices. Both can do symmetric DES/TDES or AES encryption, but the CPACF does the work with a clear key, while the CEX card uses a secure key.

So that means the hardware you need depends entirely on which API you specify in your code. In the ICSF Application Programmer's Guide (SA22-7522), each API is documented and includes a 'Required Hardware' table at the end of each section. That table will tell you which piece of hardware is required for that API (even down to certain parms require certain levels of CCA code in the card). If you code CSNBKEX, the Usage Table for that API says that you must have a CEX3 or CEX4 Coprocessor on your zEC12 to use that API.

One note about Protected Key. To use Protected Key, you use a clear key API, but pass a secure key to the API. Prior to the implementation of protected key, this would fail as the clear key APIs can't use a secure key. However, with the protected key support, ICSF will recognize this combination and allow the operation to proceed. In this case, ICSF uses both the Crypto Express card to decrypt the operational key from under the master key and the CPACF to rewrap the key and then perform the encrypt or decrypt of your data (as Todd described). The 'Required Hardware' table refers to protected keys as 'Encrypted Keys'. So if you want to simply do clear key encryption, you only require the CPACF hardware. But if you want to use protected key, then you must also have a Crypto Express card (configured as a coprocessor).

So, in your example, if you use the CSNBKEX API, that implies you have a CEX card because that's where the work will be routed. And if you use the CSNBSYE API, you want to use the CPACF hardware.

You might want to review the 'A Synopsis of System z Crypto Hardware' Techdoc, available at http://www.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP100810.

I hope that helps clarify things.

Greg Boyd
IBM Advanced Technical Support
Supporting Crypto on System z
