Cryptographic Hardware Support

Tectia Server for IBM z/OS can use the CP Assist for Cryptographic Functions (CPACF) and Cryptographic Coprocessors such as the CryptoExpress feature. Cryptographic hardware reduces the CPU load and may reduce elapsed times.

CPACF can be used to secure SSH network traffic with the AES algorithms for encryption (see Configuring Ciphers) and with the message authentication codes based on SHA-1 or SHA-2 (see Configuring MACs). Note that CPACF support for the longer AES key lengths is not available on all mainframe models.

The CPACF support for SHA-1 and SHA-2 is also used for digest calculations in key exchange and authentication.

The Tectia Server for IBM z/OS random number generator (RNG) can use cryptographic hardware support when adding entropy to its internal state. Tectia Server for IBM z/OS uses the ICSF Random Number Generate callable service if it is available (it requires a CryptoExpress feature). It will also use /dev/random if it is available.

Cryptographic hardware may be used in certificate-based authentication if the keys and certificates are stored in SAF and use RSA. Keys generated with the RACDCERT command can be stored in the CryptoExpress device or stored encrypted with a master key.

To use cryptographic hardware in Tectia Server for IBM z/OS, the machine must be enabled for cryptography and the z/OS Integrated Cryptographic Service Facility (ICSF) must be active.

The configuration parameter UseCryptoHardware specifies how the cryptographic hardware is to be used. The value is a list of support values for algorithm groups and it may include a default support level. The support levels are:

  • no - use the software implementation

  • yes - use cryptographic hardware if available, otherwise software

  • must - use cryptographic hardware, fail server startup if not available.

The algorithm groups are:

  • rng - random number generator

  • sha - SHA-1 and SHA-2 digest algorithms

  • aes - AES algorithms

  • 3des - Triple DES

sha1 may be used as a synonym of sha.

An example of the configuration parameters:

UseCryptoHardware yes,aes:must,sha:must

RACF users can control the use of the ICSF services with the CSFSERV class. If the class is defined, SSHD2, the user that runs the Tectia Server for IBM z/OS server, must have READ access to the CSFRNG profile if the random number generator support is to be used, and to the CSFOWH profile if SHA support is to be used.
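To make the UseCryptoHardware syntax above (a default level plus group:level entries, with sha1 as a synonym of sha) and the CSFSERV requirements concrete, here is an added Python example that is not Tectia's own code. It assumes an implicit default of no when the value carries no bare level token (the page does not state the default), models the must-level startup failure as an exception, and uses a constructed hardware inventory.

```python
# Added example (not Tectia's own code): parses a UseCryptoHardware value
# as described on this page and resolves the effective support level per
# algorithm group, then models server startup against the hardware present.

LEVELS = ("no", "yes", "must")
GROUPS = ("rng", "sha", "aes", "3des")
SYNONYMS = {"sha1": "sha"}  # the page lists sha1 as a synonym of sha
# CSFSERV profiles the page names per group; it names none for aes/3des.
CSFSERV_PROFILE = {"rng": "CSFRNG", "sha": "CSFOWH"}


def parse_use_crypto_hardware(value, implicit_default="no"):
    """Return {group: level}. A bare level token is the default for groups
    not listed explicitly. implicit_default (an assumption, not stated on
    the page) applies when the value carries no bare level token."""
    default = implicit_default
    explicit = {}
    for token in value.split(","):
        token = token.strip().lower()
        if not token:
            continue
        if ":" in token:
            group, level = token.split(":", 1)
            group = SYNONYMS.get(group, group)
            if group not in GROUPS or level not in LEVELS:
                raise ValueError(f"bad UseCryptoHardware entry: {token}")
            explicit[group] = level
        elif token in LEVELS:
            default = token
        else:
            raise ValueError(f"bad UseCryptoHardware entry: {token}")
    return {g: explicit.get(g, default) for g in GROUPS}


def resolve_startup(levels, hardware_available):
    """Pick 'hardware' or 'software' per group. 'must' without hardware
    fails server startup, modelled here by raising RuntimeError."""
    choice = {}
    for group, level in levels.items():
        hw = hardware_available.get(group, False)
        if level == "must" and not hw:
            raise RuntimeError(f"{group}: hardware required but not available")
        choice[group] = "hardware" if (level != "no" and hw) else "software"
    return choice


def required_csfserv_profiles(levels):
    """CSFSERV profiles SSHD2 needs READ access to for the groups that may
    use ICSF (only the two profiles the page names)."""
    return {CSFSERV_PROFILE[g] for g, lvl in levels.items()
            if lvl != "no" and g in CSFSERV_PROFILE}
```

Running `resolve_startup` over the page's sample value with a CPACF-only inventory (no CryptoExpress, so no hardware RNG) shows rng silently falling back to software while aes and sha, set to must, would abort startup if their hardware were missing.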