Re: FW: Crypto and IFL
Vic Cross wrote: On Fri, 7 Nov 2003, Wolfe, Gordon W wrote: Thanks, Alan. that settles it, I guess. PCICA cards it is. In another item of documentation (the Linux Device Drivers manual, I think), we read that if both PCICC and PCICA cards are present on an LPAR, that Linux will only use the PCICA. This, combined with the wider range of crypto functions provided by the PCICA, helped us to decide that PCICA was the way to go for our Linux environment. Another poster mentioned that z800 comes with crypto engines -- in the Linux case, this is not strictly true. The crypto engines that are part of the base machine are the CCF (?) base crypto support, not PCICC or PCICA cards. z/OS can use the basic functions provided by the CCF kit, but Linux cannot and requires additional cards (either -CC or -CA depending on your needs). Hoo-roo, Vic Hi, I don't understand exactly what it means. I have a PCICC card in my Z800, can I use it with my Linux??? Is it possible to use the crypto card to ssl connections??? If it is possible, how can I integrate this feature to may http server (apache)??? thanks in advanced, -- Antonio Pires Suporte Tecnico - AGANP
Re: FW: Crypto and IFL
On Fri, 7 Nov 2003, Wolfe, Gordon W wrote: Thanks, Alan. that settles it, I guess. PCICA cards it is. In another item of documentation (the Linux Device Drivers manual, I think), we read that if both PCICC and PCICA cards are present on an LPAR, that Linux will only use the PCICA. This, combined with the wider range of crypto functions provided by the PCICA, helped us to decide that PCICA was the way to go for our Linux environment. Another poster mentioned that z800 comes with crypto engines -- in the Linux case, this is not strictly true. The crypto engines that are part of the base machine are the CCF (?) base crypto support, not PCICC or PCICA cards. z/OS can use the basic functions provided by the CCF kit, but Linux cannot and requires additional cards (either -CC or -CA depending on your needs). Hoo-roo, Vic
Re: Crypto and IFL
-Original Message- From: Alan Altmark [mailto:[EMAIL PROTECTED] Sent: Thursday, November 06, 2003 5:42 PM To: [EMAIL PROTECTED] Subject: Re: Crypto and IFL snip No, you cannot use crypto with IFLs. Alan Altmark Sr. Software Engineer IBM z/VM Development Alan, Do you know why IBM did this? Just curious since it seems so strange to disable a coprocessor function in this manner. -- John McKown Senior Systems Programmer UICI Insurance Center Applications Solutions Team +1.817.255.3225 This message (including any attachments) contains confidential information intended for a specific individual and purpose, and its' content is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this transmission, or taking any action based on it, is strictly prohibited.
FW: Crypto and IFL
The note I got from Mr. Brandt below shows why we're confused. Very inconsitent information in this redbook. Use the Best! Linux for Servers Macintosh for Graphics Palm for Mobility Windows for Solitaire. Gordon W. Wolfe, Ph.D. VM Linux Systems Support Enterprise Servers, The Boeing Company (425)865-5940 -- From: Brandt, Mark H Sent: Friday, November 7, 2003 6:16 AM To: Wolfe, Gordon W; Preuett, Lance M; Nihart, Mark B; Brening, Jeff Subject: RE: Crypto and IFL Below are excepts from IBM's redbook SG24-6870-00 zSeries Crypto Guide Update . As you can see they are quite confusing and inconsistent .. pg 264 zSeries Crypto Guide Update 4. If you are using a zSeries z900 GA2 machine, do the following: On the PR/SM panel where you choose which architecture your LPAR will support, choose ESA390. (Do not choose Linux only; if you choose Linux only, no crypto devices will be available to your LPAR.) pg 23 Note: PCICC cards cannot be ordered with the Linux-only z800 model. pg 24 Linux for zSeries will also support the PCICA card for SSL usage. This applies whether the Linux-only model is used, or the Integrated Facility for Linux (IFL) on a general-purpose model is used, or if Linux is running under a normal CP, or if Linux is under VM. -Original Message- From: Wolfe, Gordon W Sent: Thursday, November 06, 2003 3:58 PM To: Preuett, Lance M; Nihart, Mark B; Brandt, Mark H; Brening, Jeff Subject: FW: Crypto and IFL The definitive answer from Poughkeepsie: see below (in bold) Use the Best! Linux for Servers Macintosh for Graphics Palm for Mobility Windows for Solitaire. Gordon W. Wolfe, Ph.D. VM Linux Systems Support Enterprise Servers, The Boeing Company (425)865-5940 -- From: Alan Altmark Reply To: Linux on 390 Port Sent: Thursday, November 6, 2003 3:41 PM To: [EMAIL PROTECTED] Subject: Re: Crypto and IFL On Thursday, 11/06/2003 at 12:55 PST, Wolfe, Gordon W [EMAIL PROTECTED] wrote: Can anyone tell me if it is possible to use a crypto card with an IFL engine? We have a z800 with two standard processors and two IFL processors. We want to add a crypto card so that SuSE SLES8 on an LPAR with the IFLs can offload some of the security processing. IBM's redbook SG24-6870-00 zSeries Crypto Guide Update can be read two ways: one way says they will work and one way says they won't. Also, if it does work, how many cards should we get and what kind? PCICC or PCICA? No, you cannot use crypto with IFLs. Alan Altmark Sr. Software Engineer IBM z/VM Development
Re: FW: Crypto and IFL
On Friday, 11/07/2003 at 08:33 PST, Wolfe, Gordon W [EMAIL PROTECTED] wrote: The note I got from Mr. Brandt below shows why we're confused. Very inconsitent information in this redbook. pg 264 zSeries Crypto Guide Update 4. If you are using a zSeries z900 GA2 machine, do the following: On the PR/SM panel where you choose which architecture your LPAR will support, choose ESA390. (Do not choose Linux only; if you choose Linux only, no crypto devices will be available to your LPAR.) pg 23 Note: PCICC cards cannot be ordered with the Linux-only z800 model. pg 24 Linux for zSeries will also support the PCICA card for SSL usage. This applies whether the Linux-only model is used, or the Integrated Facility for Linux (IFL) on a general-purpose model is used, or if Linux is running under a normal CP, or if Linux is under VM. The PCICC is definitely out. The only question is really about PCICA and whether it is available on IFLs. I will double-check to verify. (Hey, this wouldn't be the first time I've been wrong today...) Alan Altmark Sr. Software Engineer IBM z/VM Development
Re: Crypto and IFL
On Friday, 11/07/2003 at 07:32 CST, McKown, John [EMAIL PROTECTED] wrote: Alan, Do you know why IBM did this? Just curious since it seems so strange to disable a coprocessor function in this manner. It was a side effect of basing IFLs on Coupling Facility engines. Part of the h/w sees them as IFL, the other sees them as CF. CFs can't have crypto. I'm investigating whether there was a change to PCICA attachment to IFLs and, if so, when it happened. I.e. if it was model- or machine-specific. Alan Altmark Sr. Software Engineer IBM z/VM Development
Re: FW: Crypto and IFL
On Friday, 11/07/2003 at 08:33 PST, Wolfe, Gordon W [EMAIL PROTECTED] wrote: The note I got from Mr. Brandt below shows why we're confused. Very inconsitent information in this redbook. And now I have the source of *my* confusion. It appears that in z800/z900 GA3, the ability to have PCICA attachment to IFLs was added. My mistake. Alan Altmark Sr. Software Engineer IBM z/VM Development
Re: FW: Crypto and IFL
Thanks, Alan. that settles it, I guess. PCICA cards it is. Use the Best! Linux for Servers Macintosh for Graphics Palm for Mobility Windows for Solitaire. Gordon W. Wolfe, Ph.D. VM Linux Systems Support Enterprise Servers, The Boeing Company (425)865-5940 -- From: Alan Altmark Reply To: Linux on 390 Port Sent: Friday, November 7, 2003 11:30 AM To: [EMAIL PROTECTED] Subject: Re: FW: Crypto and IFL On Friday, 11/07/2003 at 08:33 PST, Wolfe, Gordon W [EMAIL PROTECTED] wrote: The note I got from Mr. Brandt below shows why we're confused. Very inconsitent information in this redbook. And now I have the source of *my* confusion. It appears that in z800/z900 GA3, the ability to have PCICA attachment to IFLs was added. My mistake. Alan Altmark Sr. Software Engineer IBM z/VM Development
Re: Crypto and IFL
The z800 comes with two crypto engines built in. I haven't tried to use them on Linux or z/VM on the IFL yet. I have done some work with them on my test z/OS 1.4 system. -- John McKown Senior Systems Programmer UICI Insurance Center Applications Solutions Team +1.817.255.3225 This message (including any attachments) contains confidential information intended for a specific individual and purpose, and its' content is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this transmission, or taking any action based on it, is strictly prohibited. -Original Message- From: Wolfe, Gordon W [mailto:[EMAIL PROTECTED] Sent: Thursday, November 06, 2003 2:55 PM To: [EMAIL PROTECTED] Subject: Crypto and IFL Can anyone tell me if it is possible to use a crypto card with an IFL engine? We have a z800 with two standard processors and two IFL processors. We want to add a crypto card so that SuSE SLES8 on an LPAR with the IFLs can offload some of the security processing. IBM's redbook SG24-6870-00 zSeries Crypto Guide Update can be read two ways: one way says they will work and one way says they won't. Also, if it does work, how many cards should we get and what kind? PCICC or PCICA? Use the Best! Linux for Servers Macintosh for Graphics Palm for Mobility Windows for Solitaire. Gordon W. Wolfe, Ph.D. VM Linux Systems Support Enterprise Servers, The Boeing Company (425)865-5940
Re: Crypto and IFL
The PCICC is the Crypto Coprocessor and the PCICA is the Crypto Accelerator which is faster and made for the demands of SSL encryption. SSL will still work with PCICC but not as fast. Richard W. Lauck Cornerstone Systems, Inc. Sr. Systems Programmer IBM Certified S/390 Parallel Sysplex Systems Programmer IBM Certified S/390 Parallel Sysplex Operator IBM Parallel Sysplex Top Gun (425)489-4579 Direct - Home Office (425)453-5166 x9024Voice Mail (425)486-4501 Home (888)505-4534 Pager Wolfe, Gordon W [EMAIL PROTECTED]To: [EMAIL PROTECTED] oeing.com cc: Sent by: Linux onSubject: Crypto and IFL 390 Port [EMAIL PROTECTED] IST.EDU 11/06/2003 12:55 PM Please respond to Linux on 390 Port Can anyone tell me if it is possible to use a crypto card with an IFL engine? We have a z800 with two standard processors and two IFL processors. We want to add a crypto card so that SuSE SLES8 on an LPAR with the IFLs can offload some of the security processing. IBM's redbook SG24-6870-00 zSeries Crypto Guide Update can be read two ways: one way says they will work and one way says they won't. Also, if it does work, how many cards should we get and what kind? PCICC or PCICA? Use the Best! Linux for Servers Macintosh for Graphics Palm for Mobility Windows for Solitaire. Gordon W. Wolfe, Ph.D. VM Linux Systems Support Enterprise Servers, The Boeing Company (425)865-5940
