
Enabling Use of IBM Crypto Express Card (CEX)

For the client and SOCKS proxy, the ciphers AES-CBC, AES-CTR and 3DES-CBC and the MACs hmac-sha* are offloaded to the CEX card if the proper environment variables are set. CPACF is used by default. See Appendix H of the Tectia Server for IBM z/OS Administrator Manual for instructions on how to enable cryptographic hardware support with RACF commands.

The CEX-related environment variables are:

SSH_CRYPTOCARD_CIPHER_IO_THRESHOLD:
    Specifies the minimum size of a cipher request that will be routed to the IBM cryptographic co-processor card (CEX), if the card is available. If the request size is less than the SSH_CRYPTOCARD_CIPHER_IO_THRESHOLD value, the cipher request is routed to the CPACF facility.

    Special values are:
        0                 route all cipher requests to the IBM cryptographic co-processor card
        65536 or higher   route all cipher requests to the CPACF facility

    If the variable is not defined, all cipher requests use the CPACF facility.

SSH_CRYPTOCARD_MAC_GENERATE:
    Specifies whether to route MAC generation requests to the IBM cryptographic co-processor card (CEX). If it is set to yes, MAC generation requests are routed to the IBM cryptographic co-processor card (CEX), if the card is available.

    If the variable is not defined, all MAC requests use the CPACF facility.
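
The following shell check is an added example, not part of the Tectia product or its manual. It reports which facility the current environment would select under the rules above, so that a mistyped value is noticed before the client is started. The function names cipher_route and mac_route are hypothetical, and the handling of non-numeric thresholds and of values other than yes is an assumption.

```sh
#!/bin/sh
# Added example; function names are hypothetical. It models only the routing
# rules documented above and does not check whether a CEX card is available.

# cipher_route SIZE: print the facility a cipher request of SIZE would use.
cipher_route() {
    size=$1
    # Variable not defined: all cipher requests use CPACF.
    if [ -z "${SSH_CRYPTOCARD_CIPHER_IO_THRESHOLD+set}" ]; then
        echo CPACF
        return 0
    fi
    t=$SSH_CRYPTOCARD_CIPHER_IO_THRESHOLD
    # Assumption: flag anything that is not a plain non-negative integer,
    # since the page does not say how such a value is handled.
    case $t in
        ''|*[!0-9]*)
            echo "SSH_CRYPTOCARD_CIPHER_IO_THRESHOLD is not a number: '$t'" >&2
            return 2 ;;
    esac
    # 65536 or higher: everything goes to CPACF. Otherwise requests smaller
    # than the threshold go to CPACF, so 0 sends every request to the card.
    if [ "$t" -ge 65536 ] || [ "$size" -lt "$t" ]; then
        echo CPACF
    else
        echo CEX
    fi
}

# mac_route: print the facility MAC generation would use.
mac_route() {
    # Assumption: only the exact value "yes" (the one documented) selects CEX.
    if [ "${SSH_CRYPTOCARD_MAC_GENERATE:-}" = yes ]; then
        echo CEX
    else
        echo CPACF
    fi
}

# Constructed demo values, set in a subshell so the caller's environment
# is left untouched.
(
    SSH_CRYPTOCARD_CIPHER_IO_THRESHOLD=4096
    SSH_CRYPTOCARD_MAC_GENERATE=yes
    for n in 512 4096 32768; do
        echo "cipher request of size $n -> $(cipher_route "$n")"
    done
    echo "MAC generation -> $(mac_route)"
)
```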


 

 