
Cryptographic Hardware Support

Tectia Server for IBM z/OS can use the CP Assist for Cryptographic Functions (CPACF) and Cryptographic Coprocessors such as the CryptoExpress feature. Cryptographic hardware reduces the CPU load and may reduce elapsed times.

CPACF can be used to secure SSH network traffic with the AES algorithms for encryption (see Configuring Ciphers) and the message authentication codes that are based on SHA-1 or SHA-2 (see Configuring MACs). Note that the longer key lengths do not have CPACF support on all mainframe models.

The CPACF support for SHA-1 and SHA-2 is also used for digest calculations in key exchange and authentication.

The Tectia Server for IBM z/OS random number generator (RNG) can use cryptographic hardware support when adding entropy to its internal state. Tectia Server for IBM z/OS uses the ICSF Random Number Generate callable service if it is available (it requires a CryptoExpress feature). It will also use /dev/random if it is available.

Cryptographic hardware may be used in certificate-based authentication if the keys and certificates are stored in SAF and use RSA or ECC. Keys generated with the RACDCERT command can be stored in the CryptoExpress device or stored encrypted with a master key.

To use cryptographic hardware in Tectia Server for IBM z/OS the machine must be enabled for cryptography and the z/OS Integrated Cryptographic Service Facility (ICSF) must be active.

The configuration parameter UseCryptoHardware specifies how the cryptographic hardware is to be used. The value is a list of support values for algorithm groups and it may include a default support level. The support levels are:

  • no - use the software implementation

  • yes - use cryptographic hardware if available, otherwise software

  • must - use cryptographic hardware, fail server startup if not available.

The algorithm groups are:

  • rng - random number generator

  • sha - SHA-1 and SHA-2 digest algorithms

  • aes - AES algorithms

  • 3des - Triple DES

sha1 may be used as a synonym of sha.

An example of the configuration parameters:

UseCryptoHardware yes,aes:must,sha:must

RACF users can control the use of the ICSF services with the CSFSERV class. If the class is defined, SSHD2, the user that runs the Tectia Server for IBM z/OS server, must have READ access to the CSFRNG profile if the random number generator support is to be used and to the CSFOWH profile if SHA support is to be used.

Enabling Use of IBM Crypto Express Card (CEX)

To enable cryptographic hardware you need to enable the CSFSERV profiles for all client and server IDs in RACF. See Appendix H for instructions.

The ciphers AES-CBC, AES-CTR and 3DES-CBC, and the MACs hmac-sha*, are offloaded to the CEX card if they are configured in sshd2_config. CPACF is used by default.

CEX related configuration parameters in sshd2_config are:

#      CryptoCardCipherIOThreshold    65536

Specifies the minimum size of a cipher request that will be routed to the IBM cryptographic co-processor card (CEX) for cipher processing, if the card is available and UseCryptoHardware is set to yes or must. If the request size is less than the CryptoCardCipherIOThreshold value, the cipher request is routed to the CPACF facility. Special values are:

  • 0 - route all cipher requests to the IBM cryptographic co-processor card

  • 65536 or higher - route all cipher requests to the CPACF facility

#      CryptoCardMACGenerate          no

Specifies whether to route MAC generation requests to the IBM cryptographic co-processor card (CEX). If it is set to yes, MAC generation requests are routed to the card, if the card is available and UseCryptoHardware is set to yes or must.
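The following is an added example, not Tectia code, that models the two settings described above: it parses a UseCryptoHardware value into a per-group support level (applying the bare level as the default, with the sha1 synonym) and applies the CryptoCardCipherIOThreshold routing rule to a cipher request. It assumes a level of no for groups not named when no bare level is given, that CPACF serves any request not sent to CEX, and that must fails only when neither CPACF nor CEX is available.

```python
# Added example (not Tectia code): model UseCryptoHardware parsing and the
# CryptoCardCipherIOThreshold routing rule from sshd2_config.
LEVELS = ("no", "yes", "must")
GROUPS = ("rng", "sha", "aes", "3des")
SYNONYMS = {"sha1": "sha"}      # "sha1 may be used as a synonym of sha"
CPACF_ONLY = 65536              # threshold at or above this routes everything to CPACF


def parse_use_crypto_hardware(value, fallback="no"):
    """Return {group: level} for every algorithm group.

    A bare level such as "yes" becomes the default for groups not listed
    explicitly; `fallback` (assumption) applies when no bare level is given.
    """
    default, explicit = fallback, {}
    for token in filter(None, (t.strip().lower() for t in value.split(","))):
        if ":" in token:
            group, level = (p.strip() for p in token.split(":", 1))
            group = SYNONYMS.get(group, group)
            if group not in GROUPS or level not in LEVELS:
                raise ValueError(f"bad entry {token!r}")
            explicit[group] = level
        elif token in LEVELS:
            default = token
        else:
            raise ValueError(f"unknown token {token!r}")
    return {g: explicit.get(g, default) for g in GROUPS}


def route_cipher_request(size, level, threshold=CPACF_ONLY,
                         cex_available=True, cpacf_available=True):
    """Return "software", "cpacf" or "cex" for a cipher request of `size` bytes."""
    if level == "no":
        return "software"
    if not (cex_available or cpacf_available):
        if level == "must":          # must: fail rather than fall back to software
            raise RuntimeError("cryptographic hardware required but not available")
        return "software"
    # 0 sends everything to the card; >= 65536 sends everything to CPACF;
    # otherwise requests at or above the threshold go to the card.
    use_cex = cex_available and (threshold == 0 or
                                 (threshold < CPACF_ONLY and size >= threshold))
    if use_cex:
        return "cex"
    return "cpacf" if cpacf_available else "cex"   # assumption: use whatever is present


if __name__ == "__main__":
    cfg = parse_use_crypto_hardware("yes,aes:must,sha:must")   # the page's example value
    print(cfg)
    print(route_cipher_request(4096, cfg["aes"], threshold=8192))   # cpacf
```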

To use cryptographic hardware in Tectia Server for IBM z/OS the machine must be enabled for cryptography, and the z/OS Integrated Cryptographic Service Facility (ICSF) must be active. If an IBM Crypto Express Card (CEX) is installed, Tectia Server for IBM z/OS directs cipher operations to the co-processors in CEX via ICSF. The co-processors in CEX must be initialized with the master keys, which are the same keys used to initialize the key data sets. See the chapter "Using the pass phrase initialization utility" in the IBM z/OS ICSF Administrator's Guide for instructions on initializing the co-processors in CEX.

Note

There is a bug (APAR QA52113) in ICSF when processing AES cipher requests on the CEX card. We recommend installing the related PTF when it is available. Toleration logic is implemented in v6.6 to bypass the deficiency.