As I mentioned in the last post, TechDoc Flash10716 does talk about cipher block chaining support on the CEX3 and I'm pretty sure that support is available when the CEX3 is installed on z10. But I'm not so sure that the chaining support that is avaliable on the CPACF hardware on the z196/z114 was retrofitted to the z10. So in fact it may not be available on your machine. Additional research is required. Does the vendor product claim to support CFB mode on a z10? Do they call out a specific microcode level?
As Rob Schramm points out, you can start ICSF even if you don't have crypto cards, but if the product does not use the APIs that wouldn't provide any benefit. It is possible the vendor product could query the configuration and provide software routines that use the most efficient resources available. That is, the logic could query the config and if the CFB support is not available in the hardware, it could invoke the ICSF APIs that would perform CFB. And in your case, since the APIs aren't available it might fall back on it's own software routines that do provide CFB support. If this is true, then starting ICSF might help. And you would not need an exit to provide the CFB support. (I would not advocate using an ICSF exit to support CFB.) I'm also wondering if they are using System SSL APIs? Does the vendor product specifically say that they are using the native instructions that are available on the CPACF hardware? System SSL is very efficient and will query the environment to determine how best to service the request and as described above will often provide software routines if the appropriate hardware support or if ICSF is not available. It would be helpful to know which vendor product you are working with. If you'd like to take this up offline, we can summarize the results for the list later. Feel free to send me a note. Greg Boyd Mainframe Crypto www.mainframecrypto.com ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
