Tectia Server for IBM z/OS can use the CP Assist for Cryptographic Functions (CPACF) and Cryptographic Coprocessors such as the CryptoExpress feature. Cryptographic hardware reduces the CPU load and may reduce elapsed times.
CPACF can be used to secure SSH network traffic with the AES algorithms for encryption (see Configuring Ciphers) and the message authentication codes that are based on SHA-1 or SHA-2 (see Configuring MACs). Note that the longer key lengths do not have CPACF support on all mainframe models.
The CPACF support for SHA-1 and SHA-2 is also used for digest calculations in key exchange and authentication.
The Tectia Server for IBM z/OS random number generator (RNG) can use cryptographic hardware support when adding entropy to its internal state. Tectia Server for IBM z/OS uses the ICSF Random Number Generate callable service if it is available (it requires a CryptoExpress feature). It will also use /dev/random if it is available.
Cryptographic hardware may be used in certificate-based authentication if the keys and certificates are stored in SAF and use RSA. Keys generated with the RACDCERT command can be stored in the CryptoExpress device or stored encrypted with a master key.
To use cryptographic hardware in Tectia Server for IBM z/OS the machine must be enabled for cryptography and the z/OS Integrated Cryptographic Service Facility (ICSF) must be active.
The configuration parameter UseCryptoHardware specifies how the cryptographic hardware is to be used. The value is a comma-separated list of support values for algorithm groups, and it may include a default support level that applies to the groups not listed explicitly.
The support levels are:
no - use the software implementation
yes - use cryptographic hardware if available, otherwise software
must - use cryptographic hardware, fail server startup if not available
The algorithm groups are:
rng - random number generator
sha - SHA-1 and SHA-2 digest algorithms
aes - AES algorithms
3des - Triple DES
sha1 may be used as a synonym of sha.
An example of the configuration parameter:
UseCryptoHardware yes,aes:must,sha:must
Here yes is the default, so the rng and 3des groups use cryptographic hardware when it is available and fall back to software otherwise, while the aes and sha groups must use cryptographic hardware; if hardware AES or SHA support is not available, the server does not start.
RACF users can control the use of the ICSF services with the CSFSERV class. If the class is defined, SSHD2, the user that runs the Tectia Server for IBM z/OS server, must have READ access to the CSFRNG profile (random number generation) if the random number generator support is to be used, and to the CSFOWH profile (one-way hash) if SHA support is to be used.
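To make the semantics of the support levels, the algorithm groups and the CSFSERV requirement concrete, the following Python is an added example written for this page; it is not code from Tectia Server or from z/OS. It parses a UseCryptoHardware value, resolves the effective level of each algorithm group, chooses hardware or software per group for a machine with a given set of hardware capabilities (raising the startup failure that must implies), and lists the CSFSERV profiles the server user needs READ access to. The syntax it enforces (comma-separated items, a bare level as the default, group:level for one group, sha1 as a synonym of sha) follows the page; how the server treats a missing default, a repeated item or a group with no level at all is not stated on the page and is an assumption marked in the code.

```python
# Added example (not Tectia's own code): parse a UseCryptoHardware value,
# resolve the effective support level per algorithm group, pick hardware or
# software per group for a given machine, and list the CSFSERV profiles the
# server user needs READ access to.  Behaviour the page does not state is
# marked ASSUMPTION below.

LEVELS = ("no", "yes", "must")
GROUPS = ("rng", "sha", "aes", "3des")
ALIASES = {"sha1": "sha"}          # the page says sha1 is a synonym of sha


def parse_use_crypto_hardware(value):
    """Split the comma-separated value into (default_level, {group: level}).

    A bare level (no colon) is the default; "group:level" sets one group.
    default_level is None when the value names no default.
    ASSUMPTION: a repeated default or a repeated group is rejected.
    """
    default = None
    per_group = {}
    for raw in value.split(","):
        item = raw.strip().lower()
        if not item:
            raise ValueError("empty item in UseCryptoHardware value")
        name, sep, level = item.partition(":")
        if not sep:                      # bare level => default for all groups
            if name not in LEVELS:
                raise ValueError("unknown support level %r" % name)
            if default is not None:
                raise ValueError("default support level given twice")
            default = name
            continue
        group = ALIASES.get(name, name)
        if group not in GROUPS:
            raise ValueError("unknown algorithm group %r" % name)
        if level not in LEVELS:
            raise ValueError("unknown support level %r for %s" % (level, group))
        if group in per_group:
            raise ValueError("algorithm group %s given twice" % group)
        per_group[group] = level
    return default, per_group


def effective_levels(value):
    """Map every algorithm group to its support level.  A group that is
    neither listed nor covered by a default maps to None; the page does not
    say what the server assumes in that case."""
    default, per_group = parse_use_crypto_hardware(value)
    return {g: per_group.get(g, default) for g in GROUPS}


def select_implementation(levels, hardware_available):
    """Decide hardware vs. software per group as the support levels describe:
    "no" never uses hardware, "yes" uses it when available, "must" uses it
    or refuses to start.  hardware_available is the set of groups the machine
    supports (rng needs the ICSF RNG service and thus a CryptoExpress feature).
    Raises RuntimeError for the startup failure.
    ASSUMPTION: a group with no level (None) is treated like "no".
    """
    chosen = {}
    missing = []
    for group, level in levels.items():
        if level == "must" and group not in hardware_available:
            missing.append(group)
        elif level in ("yes", "must") and group in hardware_available:
            chosen[group] = "hardware"
        else:
            chosen[group] = "software"
    if missing:
        raise RuntimeError("server startup would fail: no cryptographic "
                           "hardware for %s" % ", ".join(sorted(missing)))
    return chosen


def required_csfserv_profiles(levels):
    """CSFSERV profiles the server user (SSHD2) needs READ access to when the
    CSFSERV class is defined: CSFRNG if hardware RNG support is wanted,
    CSFOWH (one-way hash) if SHA support is wanted."""
    needed = set()
    if levels.get("rng") in ("yes", "must"):
        needed.add("CSFRNG")
    if levels.get("sha") in ("yes", "must"):
        needed.add("CSFOWH")
    return needed


if __name__ == "__main__":
    # The page's own example value on a constructed machine that has CPACF
    # (aes, sha, 3des) but no CryptoExpress feature, hence no hardware rng.
    levels = effective_levels("yes,aes:must,sha:must")
    print(levels)
    print(select_implementation(levels, {"aes", "sha", "3des"}))
    print(required_csfserv_profiles(levels))
```

On the constructed machine the rng group, being only yes, quietly falls back to software while aes and sha are satisfied by CPACF; change rng to must and select_implementation raises the startup failure instead, which is the behaviour to expect from the real server when a CryptoExpress feature is absent.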