Crypto Hardware Support
The configuration file has a keyword, UseCryptoHardware, that
governs the use of crypto hardware. The available support depends on the
processor model and on the devices that are installed. In the table
below, CPACF is standard on z890, z990, and z9 machines but is
not available on other machines. The CCA column includes the
following devices: CCF, PCICC, PCIXCC and CEX2. The Accelerator
column includes the PCICA device, PCIXCC and CEX2.
|
| CPACF | CCA | Accelerator |
|
3DES-CBC | x | x | |
|
AES128-CBC | x* | | |
|
SHA1 | x | | |
|
RNG | | x | |
|
[RSA] | | [x] | [x] |
|
[DH] | | | [x] |
|
RACF certificate | | x | |
|
|
* Hardware support for AES is only available on System z9.
If any crypto hardware devices are to be used, the machine or the LPAR must be enabled for cryptography.
Note: The current release has no hardware support for RSA or DH.
The table below shows, for each argument of the
UseCryptoHardware variable, the names of the resource profiles
in the CSFSERV class that users must have access to.
|
UseCryptoHardware | Resources |
|
3DES-CBC | CSFCKM, CSFENC, CSFDEC * |
|
AES128-CBC | – |
|
SHA1 | CSFOWH |
|
RNG | CSFRNG |
|
|
* The resources shown for 3DES are not required on machines that have
the CPACF feature.
FIPS Mode
FIPS mode is enabled when the IBM crypto hardware is used. FIPS mode is
currently not available in SSH Tectia Server for IBM z/OS when the software crypto library is used.
Thus, if the UseCryptoHardware keyword defines algorithms for
hardware acceleration, the FIPS mode is automatically enabled for the
defined algorithms and cryptographic operations are performed according to
the rules of the FIPS 140-2 certification standard. In all other
configurations, FIPS mode is disabled.
