zSeries crypto guide update / [Chris Rayns ... et al.].
- Format:
- Book
- Series:
- IBM redbooks.
- Language:
- English
- Subjects (All):
- Computer security.
- Cryptography.
- z/OS.
- Physical Description:
- xiv, 346 p. : ill.
- Edition:
- 1st ed.
- Place of Publication:
- [S.l.] : IBM, International Technical Support Organization, 2003.
- Language Note:
- English
- Contents:
- Front cover
- Notices
- Trademarks
- Contents
- Preface
- The team that wrote this redbook
- Become a published author
- Comments welcome
- Chapter 1. Introduction
- 1.1 IBM Cryptographic Common Architecture
- 1.2 CCA key management functions
- 1.3 Implementing CCA key management concepts in S/390
- 1.3.1 S/390 Cryptographic Coprocessor Facility (CCF)
- 1.3.2 S/390 PCI Cryptographic Coprocessor (PCICC)
- 1.3.3 S/390 PCI Cryptographic Accelerator (PCICA)
- 1.4 S/390 integrated cryptography implementation
- 1.4.1 S/390 integrated cryptography implementation
- 1.4.2 Enablement of the cryptographic coprocessors
- 1.4.3 LPAR domains and Trusted Key Entry (TKE)
- 1.5 Crypto support for z/VM™ and Linux
- 1.6 Industry standards for cryptographic modules
- Chapter 2. PCICC and PCICA product overview
- 2.1 Description of hardware
- 2.1.1 Definitions
- 2.1.2 Hardware implementation
- 2.1.3 Introduction to the S/390 PCI Cryptographic Coprocessors
- 2.1.4 PCICC card: physical security, handling, and shipping
- 2.2 Adjunct Processor (AP) management
- 2.2.1 Introduction to Adjunct Processor architecture
- 2.2.2 AP management and PCICC initialization
- 2.3 PCICC microcode load
- 2.3.1 The IBM 4758 CCA application
- 2.3.2 The software hierarchy in the coprocessor
- 2.3.3 PCICC microcode patches
- 2.3.4 Function Control Vector (FCV) enablement
- 2.3.5 Software support of PCICC coprocessors
- 2.3.6 The TKE V3.1 Workstation
- Chapter 3. Planning and hardware installation
- 3.1 Hardware requirements
- 3.1.1 Hardware required by product
- 3.2 Feature codes
- 3.3 Concurrent PCICC/PCICA installation tasks
- 3.3.1 First scenario
- 3.3.2 Second scenario (adding PCICC concurrently)
- 3.3.3 Third scenario (UDX installation - hardware side)
- 3.3.4 Removing one PCICC
- 3.4 The z900 channel subsystem.
- 3.4.1 The z900 internal structure
- 3.4.2 View Hardware Configuration icon (CPC configuration task)
- 3.5 Planning list items
- 3.5.1 Capacity planning considerations
- 3.5.2 Installation of the ordered PCICCs
- 3.6 PR/SM setup
- 3.6.1 Host definitions
- 3.6.2 CCF crypto modules, domains, and authority definitions
- 3.6.3 Authority signature keys on IBM Personal Security Card (PSC)
- 3.6.4 Authority signature key in the TKE Workstation key storage
- 3.6.5 IMP-PKA keys in the workstation key storage
- 3.6.6 Migration of master or operational key parts on PSC
- 3.7 Site security policy
- Chapter 4. Installation, configuration and startup of ICSF
- 4.1 PCICC and PCICA card plugging
- 4.1.1 PCICC enablement
- 4.2 Installing User Defined Extensions (UDX)
- 4.3 LPAR setup
- 4.3.1 The image profile processor page
- 4.3.2 The Crypto page
- 4.3.3 The PCI Crypto page
- 4.3.4 Changing LPAR Cryptographic controls dynamically
- 4.4 Integrated Cryptographic Services Facility (ICSF) setup
- 4.4.1 Major changes from previous releases
- 4.4.2 Started task and the first time start
- 4.4.3 Master Keys
- 4.4.4 Initial Master Key entry with the pass phrase initialization utility
- 4.4.5 Installation of the PCICC and PCICA cards
- 4.4.6 Changing the PKA Master Keys via ICSF panels
- 4.4.7 UDX-related definitions in the OPTIONS Data Set
- 4.4.8 Installation of the UDX shown in ICSF panels
- Chapter 5. Customizing PCICC and CCF using TKE V3.1
- 5.1 Introduction to the TKE V3.1 Workstation
- 5.1.1 Major changes
- 5.1.2 Before using the new TKE
- 5.1.3 The TKE V3.1 software
- 5.1.4 TKE Workstation installation - general information
- 5.1.5 TKE definitions
- 5.2 TKE Workstation TCP/IP setup
- 5.2.1 z/OS TCP/IP Host Transaction Program
- 5.2.2 TKE Workstation 4758 setup
- 5.2.3 TKE access control administration.
- 5.2.4 Starting the TKE application
- 5.3 TKE application: managing host Crypto coprocessors
- 5.3.1 Managing modules
- 5.3.2 PCICC and CCF setup on the TKE Workstation
- 5.3.3 Manage and update the Crypto module notebook on TKE
- 5.3.4 PCICC module notebook
- 5.3.5 Crypto CCF notebook
- 5.3.6 Backing up the TKE files
- 5.4 4753 Key Token Migration facility
- Chapter 6. Support functions
- 6.1 RACF access control to ICSF services
- 6.1.1 New profiles in the CSFSERV class
- 6.2 Crypto usage measurement
- 6.2.1 SMF record type 82
- 6.2.2 SMF record type 70, subtype 2
- 6.2.3 SMF record type 72, subtype 3
- 6.3 RMF reporting
- Chapter 7. Linux for zSeries support of cryptographic coprocessors
- 7.1 Support of hardware coprocessors
- 7.1.1 The provided hardware services
- 7.2 Access to cryptographic services
- 7.2.1 Functions of z90crypt API
- 7.2.2 The libica API
- 7.2.3 The PKCS#11 API
- 7.2.4 Functions of the OpenSSL "engine"
- 7.3 Virtualization
- 7.3.1 Using a crypto device in VM
- 7.4 Our installation with a 31-bit Linux
- 7.4.1 Preparation
- 7.4.2 Installing the crypto device driver
- 7.4.3 Running the modified install script
- 7.4.4 Loading the device driver and defining the crypto device node
- 7.4.5 Checking the device status
- 7.5 Low-level testing
- 7.5.1 Installation and test of the Crypto Interface Library (libica)
- 7.6 Example SSL-enabled application: Apache Web server
- 7.7 Low-level test programs
- 7.7.1 testcrtde.c
- 7.7.2 icacrtde.c
- 7.7.3 tell.h
- 7.7.4 tellit.c
- 7.7.5 makecrtde
- 7.7.6 makeicacr
- Appendix A. PCICC User Defined Extensions (UDX)
- UDX overview
- PCICC code structure and UDX
- ICSF and PCICC communications
- UDX invocation
- UDX function code identifier
- The UDX callable service and the stub
- The UDX development process
- What the UDX does, and how.
- The PCICC UDX development process
- UDX process phase 2 support
- PCICC UDX generation process overview
- Building the UDX coprocessor executable
- Installing the PCICC UDX
- Designing and developing the host piece of the UDX
- The ICSF callable service and the service stub
- The access control point exit
- Appendix B. Callable services access control points
- The access control points
- Access control points in the PCICC and ICSF
- New access control points and TKE users
- Non TKE users
- New TKE users
- TKE users
- Appendix C. Exploitation of the cryptographic coprocessors
- Exploitation of the zSeries CCFs and PCI coprocessors
- The IBM exploiters
- z/OS System SSL
- z/OS Open Cryptographic Services Facility (OCSF)
- IBM HTTP Server for z/OS
- z/OS LDAP server and client
- CICS Transaction Server and CICS Transaction Gateway
- z/OS TN3270 Server
- z/OS Firewall Technologies
- z/OS DCE
- z/OS Network Authentication Service (Kerberos)
- Payment Processing products
- VTAM Session Level Encryption
- RACF
- z/OS Public Key Infrastructure (PKI) Services
- Crypto Based Transactions (CBT) banking solution
- Java cryptography
- Appendix D. Crypto performance considerations
- General considerations for performance of cryptographic operations
- RMF support for Crypto
- Appendix E. TKE host TCP/IP server setup
- The main TCP/IP files to check and modify
- TCPIP.HOSTS.LOCAL
- TCPIP.DATA
- TCPIP.PROFILE
- TKE Host Transaction Program installation
- CSFTTCP started procedure installation
- The CSFTTKE module
- The CSFTHTP3 REXX exec
- Starting the TKE Host Transaction Program
- Related publications
- IBM Redbooks
- Other resources
- Referenced Web sites
- How to get IBM Redbooks
- IBM Redbooks collections
- Index
- Back cover.
- Notes:
- "April 2003."
- "SG24-6870-00."
- Includes bibliographical references and index.
- OCLC:
- 137342220