Your browser does not allow storing cookies. We recommend enabling them.

SSH

Enabling Use of IBM Crypto Express Card (CEX)

For client and socks proxy: Ciphers AES-CBC, AES-CTR and 3DES-CBC, Macs hmac-sha* are offloaded to CEX card if proper environment variables are set. CPACF will be used by default. See Tectia Server for IBM z/OS Administrator Manual Appendix H for instructions how to enable cryptographic hardware support with RACF commands.

CEX related environment variables are:

SSH_CRYPTOCARD_CIPHER_IO_THRESHOLD:
Specifies the minimum size of cipher request that will be routed to
IBM cryptographic co-processor card (CEX), if the card is available.
If the request size is less than the SSH_CRYPTOCARD_CIPHER_IO_THRESHOLD
value, the cipher request will be routed to CPACF facility.
Special values are
0                route all cipher requests to IBM cryptographic
co-processor card
65536 or higher  route all cipher requests to CPACF facility

If the variable is not defined, all cipher requests will use CPACF facility.

SSH_CRYPTOCARD_MAC_GENERATE:
Specifies whether to route MAC generation request to IBM cryptographic
co-processor card (CEX). If it is set to yes, MAC generation request will
route to IBM cryptographic co-processor card (CEX), if the card is
available.

If the variable is not defined, all MAC requests will use CPACF facility.