Greg, you've got the point.
My question was about performance and, depending on what we ask the z12, it will answer. So if I ask for a CSNBKEX API (and now I discovered it was clearly written in the manual) z12 have to use CEX3/4 Coprocessor. Finally I've found the answer to my main question about the performance (in terms of crypto/second) per single server (where server is the single mono-tcb address space calling the API services). Then, as long as I need CEX3/4 API I have to pay the 1ms elapsed time per call because there's the need to raise the "not so close" hardware. I really thank all of you for your valuable support and knowledge. I've learnt lots of new stuffs. Best regards. Massimo 2013/5/21 Greg Boyd <[email protected]> > I'm not sure I understand your last question ... but let me try to clarify > a couple of things. > > It's important to realize that you have two separate pieces of crypto > hardware available on System z: > the CPACF for symmetric clear key and hashing operations and > the Crypto Express card for symmetric secure key, MAC, public/private key > operations, Financial/PIN operations, etc. > > There is really no overlap in functionality between the two devices. Both > can do symmetric DES/TDES or AES encryption, but the CPACF does the work > with a clear key, while the CEX card uses a secure key. > > So that means the hardware you need depends entirely on which API you > specify in your code. In the ICSF Application Programmer's Guide > (SA22-7522), each API is documented and includes a 'Required Hardware' > table at the end of each section. That table will tell you which piece of > hardware is required for that API (even down to certain parms require > certain levels of CCA code in the card). > > If you code CSNBKEX, the Usage Table for that API says that you must have > a CEX3 or CEX4 Coprocessor on your zEC12 to use that API. > > One note about Protected Key. To use Protected Key, you use a clear key > API, but pass a secure key to the API. Prior to the implementation of > protected key, this would fail as the clear key APIs can't use a secure > key. However, with the protected key support, ICSF will recognize this > combination and allow the operation to proceed. In this case, ICSF uses > both the Crypto Express card to decrypt the operational key from under the > master key and the CPACF to rewrap the key and then perform the encrypt or > decrypt of your data (as Todd described). The 'Required Hardware' table > refers to protected keys as 'Encrypted Keys'. So if you want to simply do > clear key encryption, you only require the CPACF hardware. But if you want > to use protected key, then you must also have a Crypto Express card > (configured as a coprocessor). > > So, in your example, if you use the CSNBKEX API, that implies you have a > CEX card because that's where the work will be routed. And if you use the > CSNBSYE API, you want to use the CPACF hardware. > > You might want to review the 'A Synopsis of Systme z Crypto Hardware' > Techdoc, available at > http://www.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP100810 . > > I hope that helps clarify things. > Greg Boyd > IBM Advanced Technical Support > Supporting Crypto on System z > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
