Your browser does not allow this site to store cookies and other data. Some functionality on this site may not work without them. See Privacy Policy for details on how we would use cookies.

SSH Tectia 
PreviousNextUp[Contents] [Index]

    About This Document >>
    Installing SSH Tectia Server for IBM z/OS >>
    Getting Started with SSH Tectia Server for IBM z/OS >>
    Configuring the Server >>
        Server Configuration Files >>
        Defining Subconfigurations >>
        Configuring Ciphers and MACs >>
            Crypto Hardware Support
            Recommended Algorithms
        Configuring Root Logins
        Restricting User Logins
        Configuring Code Pages
        Defining Subsystems
        Auditing >>
        Securing the Server >>
    Authentication >>
    System Administration >>
    File Transfer Using SFTP >>
    Secure File Transfer Using Transparent FTP Security >>
    Tunneling >>
    Troubleshooting SSH Tectia Server for IBM z/OS >>
    Man Pages and Default Configuration Files >>
    Log Messages >>

Crypto Hardware Support

The configuration file has a keyword, UseCryptoHardware, that governs the use of crypto hardware. The available support depends on the processor model and on the devices that are installed. In the table below, CPACF is available on zSeries and System z machines, except z800 and z900. The CCA column includes the following devices: CCF, PCICC, PCIXCC and CEX2. The Accelerator column includes the PCICA device, PCIXCC and CEX2.

  CPACF CCA Accelerator
3DES-CBC x x
AES128-CBC x*
AES192-CBC x*
AES256-CBC x*
SHA1 x
RNG x
RACF certificate x x

* Hardware support for AES is only available on System z9 and z10.

If any crypto hardware devices are to be used, the machine or the LPAR must be enabled for cryptography.

The table below shows, for each argument of the UseCryptoHardware variable, the names of the resource profiles in the CSFSERV class that users must have access to.

UseCryptoHardware  Resources
 3DES  CSFCKM, CSFENC, CSFDEC *
 AES128  –
 SHA1  CSFOWH
 RNG  CSFRNG

* The resources shown for 3DES are not required on machines that have the CPACF feature.

FIPS Mode

FIPS mode is enabled when the IBM crypto hardware is used. FIPS mode is currently not available in SSH Tectia Server for IBM z/OS when the software crypto library is used.

Thus, if the UseCryptoHardware keyword defines algorithms for hardware acceleration, the FIPS mode is automatically enabled for the defined algorithms and cryptographic operations are performed according to the rules of the FIPS 140-2 certification standard. In all other configurations, FIPS mode is disabled.

PreviousNextUp[Contents] [Index]


[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]

Copyright © 2011 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.
Copyright Notice

===AUTO_SCHEMA_MARKUP===