Tectia Server for IBM z/OS can use the CP Assist for Cryptographic Functions (CPACF) and Cryptographic Coprocessors such as the CryptoExpress feature. Cryptographic hardware reduces the CPU load and may reduce elapsed times.
CPACF can be used to secure SSH network traffic with the AES algorithms for encryption (see Configuring Ciphers) and the message authentication codes that are based on SHA-1 or SHA-2 (see Configuring MACs). Note that the longer key lengths do not have CPACF support on all mainframe models.
The CPACF support for SHA-1 and SHA-2 is also used for digest calculations in key exchange and authentication.
The Tectia Server for IBM z/OS random number generator (RNG) can use cryptographic hardware support when adding entropy to its internal state. Tectia Server for IBM z/OS uses the ICSF Random Number Generate callable service if it is available (it requires a CryptoExpress feature). It will also use /dev/random if it is available.
Cryptographic hardware may be used in certificate-based authentication if the keys and certificates are stored in SAF and use RSA or ECC. Keys generated with the RACDCERT command can be stored in the CryptoExpress device or stored encrypted with a master key.
To use cryptographic hardware in Tectia Server for IBM z/OS the machine must be enabled for cryptography and the z/OS Integrated Cryptographic Service Facility (ICSF) must be active.
The configuration parameter UseCryptoHardware specifies how the cryptographic hardware is to be used. The value is a list of support levels, one per algorithm group, and may also include a default support level that applies to groups not listed explicitly. The support levels are:
no   - use the software implementation
yes  - use cryptographic hardware if available, otherwise software
must - use cryptographic hardware; fail server startup if it is not available
The algorithm groups are:
rng  - random number generator
sha  - SHA-1 and SHA-2 digest algorithms
aes  - AES algorithms
3des - Triple DES
sha1 may be used as a synonym of
An example of the configuration parameters:
RACF users can control the use of the ICSF services with the CSFSERV class. If the class is defined, SSHD2, the user that runs the Tectia Server for IBM z/OS server, must have READ access to the CSFRNG profile if the random number generator support is to be used and to the CSFOWH profile if SHA support is to be used.
To enable cryptographic hardware you need to enable the CSFSERV profiles for all client and server IDs in RACF. See Appendix H for instructions.
The ciphers AES-CBC, AES-CTR, and 3DES-CBC, and the MACs hmac-sha*, are offloaded to the CEX card if they are configured in sshd2_config. CPACF is used by default.
CEX related configuration parameters in
# CryptoCardCipherIOThreshold 65536
Specifies the minimum size of a cipher request that will be routed to the IBM cryptographic co-processor card (CEX) for cipher processing, provided the card is available and UseCryptoHardware is set to yes/must. If the request size is less than the CryptoCardCipherIOThreshold value, the cipher request is routed to the CPACF facility. Special values:
0               - route all cipher requests to the IBM cryptographic co-processor card
65536 or higher - route all cipher requests to the CPACF facility

# CryptoCardMACGenerate no
Specifies whether to route MAC generation requests to the IBM cryptographic co-processor card (CEX). If it is set to yes, MAC generation requests are routed to the CEX card, provided the card is available and UseCryptoHardware is set to yes/must.
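The following Python model is an added illustration, not Tectia code: it encodes the routing rules documented above (the UseCryptoHardware support levels per algorithm group, the CryptoCardCipherIOThreshold special values 0 and 65536-or-higher, and CryptoCardMACGenerate) so that an administrator can check which backend (CEX card, CPACF, or software) a given request would reach, and whether a "must" setting would abort server startup, before changing sshd2_config. The dictionary form used for the UseCryptoHardware value and the function names are assumptions of this model, not the sshd2_config syntax.

```python
# Added model of the documented routing rules (not Tectia code).
from dataclasses import dataclass

SUPPORT_LEVELS = ("no", "yes", "must")
ALGORITHM_GROUPS = ("rng", "sha", "aes", "3des")

# Documented special value: a threshold of 65536 or higher sends every
# cipher request to CPACF regardless of size.
CPACF_ONLY_THRESHOLD = 65536


@dataclass
class CryptoConfig:
    # group -> support level; the optional "default" key applies to any group
    # without an explicit entry.  A group with neither an entry nor a default
    # is treated as "no" (an assumption of this model).
    use_crypto_hardware: dict
    cipher_io_threshold: int = 65536      # CryptoCardCipherIOThreshold
    card_mac_generate: bool = False       # CryptoCardMACGenerate

    def level_for(self, group):
        if group not in ALGORITHM_GROUPS:
            raise ValueError(f"unknown algorithm group: {group}")
        level = self.use_crypto_hardware.get(
            group, self.use_crypto_hardware.get("default", "no"))
        if level not in SUPPORT_LEVELS:
            raise ValueError(f"unknown support level for {group}: {level}")
        return level


def select_backend(cfg, group, hardware_available):
    """Apply the UseCryptoHardware support level for one algorithm group.

    Returns "hardware" or "software".  For "must" with no hardware it raises
    RuntimeError, mirroring the documented server startup failure.
    """
    level = cfg.level_for(group)
    if level == "no":
        return "software"
    if hardware_available:
        return "hardware"
    if level == "must":
        raise RuntimeError(
            f"{group}:must requested but cryptographic hardware is unavailable")
    return "software"  # "yes" falls back to the software implementation


def route_cipher_request(cfg, group, size, cex_available):
    """Where an AES or 3DES cipher request of `size` bytes is processed.

    Returns "cex", "cpacf" or "software".  CPACF is assumed to be present
    (the default hardware path); the CEX card is used only when it is
    available, the support level permits hardware, and the size reaches
    the threshold or the threshold is the special value 0.
    """
    if group not in ("aes", "3des"):
        raise ValueError("cipher routing applies to the aes and 3des groups")
    if select_backend(cfg, group, hardware_available=True) == "software":
        return "software"
    if not cex_available:
        return "cpacf"
    threshold = cfg.cipher_io_threshold
    if threshold >= CPACF_ONLY_THRESHOLD:
        return "cpacf"                  # special value: everything to CPACF
    if threshold == 0 or size >= threshold:
        return "cex"                    # 0: everything to the card
    return "cpacf"                      # below threshold: CPACF


def route_mac_generation(cfg, cex_available):
    """Where an hmac-sha* MAC generation request is processed."""
    if select_backend(cfg, "sha", hardware_available=True) == "software":
        return "software"
    if cfg.card_mac_generate and cex_available:
        return "cex"
    return "cpacf"


def startup_check(cfg, available):
    """Evaluate every algorithm group the way server startup would.

    `available` maps group -> whether that group's hardware support is
    present (for example, rng needs a CryptoExpress feature for the ICSF
    RNG service).  Returns group -> backend, or raises RuntimeError on a
    "must" group whose hardware is missing.
    """
    return {g: select_backend(cfg, g, available.get(g, False))
            for g in ALGORITHM_GROUPS}


if __name__ == "__main__":
    # Constructed sample configuration: hardware preferred, RNG mandatory,
    # cipher requests of 4 KiB or more sent to the card.
    sample = CryptoConfig({"default": "yes", "rng": "must"},
                          cipher_io_threshold=4096)
    for size in (512, 4096, 1 << 20):
        print(size, route_cipher_request(sample, "aes", size, cex_available=True))
    print(startup_check(sample, {"rng": True, "sha": True, "aes": True, "3des": True}))
```

Running the module with the constructed sample shows a 512-byte request staying on CPACF while 4096-byte and larger requests go to the CEX card; changing the RNG entry's availability to False in the startup check raises, which is the behaviour to expect from a "must" setting on a machine without the CryptoExpress feature.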
To use cryptographic hardware in Tectia Server for IBM z/OS the machine must be enabled for cryptography, and the z/OS Integrated Cryptographic Service Facility (ICSF) must be active. If an IBM Crypto Express card (CEX) is installed, Tectia Server for IBM z/OS directs cipher operations to the co-processors in the CEX via ICSF. The co-processors in the CEX must be initialized with the master keys, which are the same keys used to initialize the key data sets. Refer to the chapter "Using the pass phrase initialization utility" in the IBM z/OS ICSF Administrator's Guide for how to initialize the co-processors in the CEX.
There is a bug (APAR QA52113) in ICSF when processing AES cipher requests on the CEX card. We recommend installing the related PTF when it becomes available. Toleration logic implemented in v6.6 works around the deficiency.