SSH

Verifying that Cryptographic Hardware is Used

To verify that cryptographic hardware is being used, set the debug level for SecShPlugin*ZosIcsf to 4. Setting the debug level to 4 for everything would show the same information, but you would have to look through a large amount of output.

You can use this command from USS to verify that cryptographic hardware is enabled:

> sshg3 -DSecShPlugin*ZosIcsf=4 127.0.0.1

The command should produce the following type of output without CEX:

Setting debug level string to 'SecShPlugin*ZosIcsf=4'.
...

ssh_secsh_plugin_init: Card IO Threshold = 65536
state_determine: Hardware for 3des-cbc: ICSF-CPACF
state_determine: Hardware for aes128-cbc: ICSF-CPACF
state_determine: Hardware for aes192-cbc: ICSF-CPACF
state_determine: Hardware for aes256-cbc: ICSF-CPACF
state_determine: Hardware for aes128-ctr: ICSF-CPACF
state_determine: Hardware for aes192-ctr: ICSF-CPACF
state_determine: Hardware for aes256-ctr: ICSF-CPACF
state_determine: Hardware for aes128-ecb: ICSF-CPACF
        
ssh_secsh_plugin_init: Card HMAC generate = FALSE    
state_determine: Hardware for hmac-sha1: ICSF-CPACF
state_determine: Hardware for hmac-sha1-96: ICSF-CPACF
state_determine: Hardware for hmac-sha256@ssh.com: ICSF-CPACF
state_determine: Hardware for hmac-sha2-256: ICSF-CPACF
state_determine: Hardware for hmac-sha256-2@ssh.com: ICSF-CPACF
state_determine: Hardware for hmac-sha224@ssh.com: ICSF-CPACF
state_determine: Hardware for hmac-sha384@ssh.com: ICSF-CPACF
state_determine: Hardware for hmac-sha2-512: ICSF-CPACF
state_determine: Hardware for hmac-sha512@ssh.com: ICSF-CPACF

The command should produce the following type of output when CEX is enabled:

Setting debug level string to 'SecShPlugin*ZosIcsf=4'.

...

ssh_secsh_plugin_init: Card IO Threshold = 0        
state_determine: Hardware for 3des-cbc:   ICSF-COP
state_determine: Hardware for aes128-cbc: ICSF-COP
state_determine: Hardware for aes192-cbc: ICSF-COP
state_determine: Hardware for aes256-cbc: ICSF-COP
state_determine: Hardware for aes128-ctr: ICSF-COP
state_determine: Hardware for aes192-ctr: ICSF-COP
state_determine: Hardware for aes256-ctr: ICSF-COP
state_determine: Hardware for aes128-ecb: ICSF-COP
        
ssh_secsh_plugin_init: Card HMAC generate = TRUE    
state_determine: Hardware for hmac-sha1: ICSF-COP
state_determine: Hardware for hmac-sha1-96: ICSF-COP
state_determine: Hardware for hmac-sha256@ssh.com: ICSF-COP
state_determine: Hardware for hmac-sha2-256: ICSF-COP
state_determine: Hardware for hmac-sha256-2@ssh.com: ICSF-COP
state_determine: Hardware for hmac-sha224@ssh.com: ICSF-COP
state_determine: Hardware for hmac-sha384@ssh.com: ICSF-COP
state_determine: Hardware for hmac-sha2-512: ICSF-COP
state_determine: Hardware for hmac-sha512@ssh.com: ICSF-COP
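
The check above can be scripted instead of read by eye. The following is an added example, not part of the product documentation: the function names icsf_check and icsf_sample are hypothetical, the sample input is constructed from the line format shown above, and the live-use comment assumes the debug output is written to stderr.

```shell
# Added example (not from the product documentation).
# icsf_check EXPECTED: reads sshg3 debug output on stdin, prints one line per
# algorithm, and returns 0 only if every algorithm reports EXPECTED
# (ICSF-CPACF or ICSF-COP, the two values shown on this page).
# Returns 1 on any mismatch, 2 if no state_determine lines were seen.
icsf_check() {
    awk -v want="$1" '
        /ssh_secsh_plugin_init: Card / {
            line = $0
            sub(/^.*ssh_secsh_plugin_init: /, "", line)
            sub(/[ \t\r]+$/, "", line)
            print "setting  " line
            next
        }
        /state_determine: Hardware for / {
            rest = $0
            sub(/^.*Hardware for /, "", rest)
            alg = rest; sub(/:.*$/, "", alg)
            hw = rest;  sub(/^[^:]*:[ \t]*/, "", hw); sub(/[ \t\r]+$/, "", hw)
            seen++
            if (hw == want) { print "ok       " alg " " hw }
            else            { bad++; print "MISMATCH " alg " " hw }
        }
        END {
            if (seen == 0) { print "no state_determine lines found"; exit 2 }
            printf "%d algorithms, %d not on %s\n", seen, bad, want
            exit (bad > 0 ? 1 : 0)
        }'
}

# Constructed sample: lines in the format shown above, with one algorithm
# deliberately left on CPACF to exercise the mismatch path.
icsf_sample() {
    cat <<'EOF'
Setting debug level string to 'SecShPlugin*ZosIcsf=4'.
ssh_secsh_plugin_init: Card IO Threshold = 0        
state_determine: Hardware for 3des-cbc:   ICSF-COP
state_determine: Hardware for aes128-ctr: ICSF-COP
ssh_secsh_plugin_init: Card HMAC generate = TRUE    
state_determine: Hardware for hmac-sha2-256: ICSF-COP
state_determine: Hardware for hmac-sha512@ssh.com: ICSF-CPACF
EOF
}

# Live use (assumption: debug output is written to stderr, hence 2>&1):
#   sshg3 -D'SecShPlugin*ZosIcsf=4' 127.0.0.1 2>&1 | icsf_check ICSF-COP
```

Running `icsf_sample | icsf_check ICSF-COP` exercises the mismatch path; a non-zero exit status makes the function usable as a gate in a configuration check.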