zSeries crypto guide update / [Chris Rayns ... et al.].

Format:
Book
Contributor:
Rayns, Chris.
International Business Machines Corporation. International Technical Support Organization.
Series:
IBM redbooks.
Language:
English
Subjects (All):
Computer security.
Cryptography.
z/OS.
Physical Description:
xiv, 346 p. : ill.
Edition:
1st ed.
Place of Publication:
[S.l.] : IBM, International Technical Support Organization, 2003.
Language Note:
English
Contents:
Front cover
Notices
Trademarks
Contents
Preface
The team that wrote this redbook
Become a published author
Comments welcome
Chapter 1. Introduction
1.1 IBM Cryptographic Common Architecture
1.2 CCA key management functions
1.3 Implementing CCA key management concepts in S/390
1.3.1 S/390 Cryptographic Coprocessor Facility (CCF)
1.3.2 S/390 PCI Cryptographic Coprocessor (PCICC)
1.3.3 S/390 PCI Cryptographic Accelerator (PCICA)
1.4 S/390 integrated cryptography implementation
1.4.1 S/390 integrated cryptography implementation
1.4.2 Enablement of the cryptographic coprocessors
1.4.3 LPAR domains and Trusted Key Entry (TKE)
1.5 Crypto support for z/VM™ and Linux
1.6 Industry standards for cryptographic modules
Chapter 2. PCICC and PCICA product overview
2.1 Description of hardware
2.1.1 Definitions
2.1.2 Hardware implementation
2.1.3 Introduction to the S/390 PCI Cryptographic Coprocessors
2.1.4 PCICC card: physical security, handling, and shipping
2.2 Adjunct Processor (AP) management
2.2.1 Introduction to Adjunct Processor architecture
2.2.2 AP management and PCICC initialization
2.3 PCICC microcode load
2.3.1 The IBM 4758 CCA application
2.3.2 The software hierarchy in the coprocessor
2.3.3 PCICC microcode patches
2.3.4 Function Control Vector (FCV) enablement
2.3.5 Software support of PCICC coprocessors
2.3.6 The TKE V3.1 Workstation
Chapter 3. Planning and hardware installation
3.1 Hardware requirements
3.1.1 Hardware required by product
3.2 Feature codes
3.3 Concurrent PCICC/PCICA installation tasks
3.3.1 First scenario
3.3.2 Second scenario (adding PCICC concurrently)
3.3.3 Third scenario (UDX installation - hardware side)
3.3.4 Removing one PCICC
3.4 The z900 channel subsystem
3.4.1 The z900 internal structure
3.4.2 View Hardware Configuration icon (CPC configuration task)
3.5 Planning list items
3.5.1 Capacity planning considerations
3.5.2 Installation of the ordered PCICCs
3.6 PR/SM setup
3.6.1 Host definitions
3.6.2 CCF crypto modules, domains, and authority definitions
3.6.3 Authority signature keys on IBM Personal Security Card (PSC)
3.6.4 Authority signature key in the TKE Workstation key storage
3.6.5 IMP-PKA keys in the workstation key storage
3.6.6 Migration of master or operational key parts on PSC
3.7 Site security policy
Chapter 4. Installation, configuration and startup of ICSF
4.1 PCICC and PCICA card plugging
4.1.1 PCICC enablement
4.2 Installing User Defined Extensions (UDX)
4.3 LPAR setup
4.3.1 The image profile processor page
4.3.2 The Crypto page
4.3.3 The PCI Crypto page
4.3.4 Changing LPAR Cryptographic controls dynamically
4.4 Integrated Cryptographic Services Facility (ICSF) setup
4.4.1 Major changes from previous releases
4.4.2 Started task and the first time start
4.4.3 Master Keys
4.4.4 Initial Master Key entry with the pass phrase initialization utility
4.4.5 Installation of the PCICC and PCICA cards
4.4.6 Changing the PKA Master Keys via ICSF panels
4.4.7 UDX-related definitions in the OPTIONS Data Set
4.4.8 Installation of the UDX shown in ICSF panels
Chapter 5. Customizing PCICC and CCF using TKE V3.1
5.1 Introduction to the TKE V3.1 Workstation
5.1.1 Major changes
5.1.2 Before using the new TKE
5.1.3 The TKE V3.1 software
5.1.4 TKE Workstation installation - general information
5.1.5 TKE definitions
5.2 TKE Workstation TCP/IP setup
5.2.1 z/OS TCP/IP Host Transaction Program
5.2.2 TKE Workstation 4758 setup
5.2.3 TKE access control administration
5.2.4 Starting the TKE application
5.3 TKE application: managing host Crypto coprocessors
5.3.1 Managing modules
5.3.2 PCICC and CCF setup on the TKE Workstation
5.3.3 Manage and update the Crypto module notebook on TKE
5.3.4 PCICC module notebook
5.3.5 Crypto CCF notebook
5.3.6 Backing up the TKE files
5.4 4753 Key Token Migration facility
Chapter 6. Support functions
6.1 RACF access control to ICSF services
6.1.1 New profiles in the CSFSERV class
6.2 Crypto usage measurement
6.2.1 SMF record type 82
6.2.2 SMF record type 70, subtype 2
6.2.3 SMF record type 72, subtype 3
6.3 RMF reporting
Chapter 7. Linux for zSeries support of cryptographic coprocessors
7.1 Support of hardware coprocessors
7.1.1 The provided hardware services
7.2 Access to cryptographic services
7.2.1 Functions of z90crypt API
7.2.2 The libica API
7.2.3 The PKCS#11 API
7.2.4 Functions of the OpenSSL "engine"
7.3 Virtualization
7.3.1 Using a crypto device in VM
7.4 Our installation with a 31-bit Linux
7.4.1 Preparation
7.4.2 Installing the crypto device driver
7.4.3 Running the modified install script
7.4.4 Loading the device driver and defining the crypto device node
7.4.5 Checking the device status
7.5 Low-level testing
7.5.1 Installation and test of the Crypto Interface Library (libica)
7.6 Example SSL-enabled application: Apache Web server
7.7 Low-level test programs
7.7.1 testcrtde.c
7.7.2 icacrtde.c
7.7.3 tell.h
7.7.4 tellit.c
7.7.5 makecrtde
7.7.6 makeicacr
Appendix A. PCICC User Defined Extensions (UDX)
UDX overview
PCICC code structure and UDX
ICSF and PCICC communications
UDX invocation
UDX function code identifier
The UDX callable service and the stub
The UDX development process
What the UDX does, and how.
The PCICC UDX development process
UDX process phase 2 support
PCICC UDX generation process overview
Building the UDX coprocessor executable
Installing the PCICC UDX
Designing and developing the host piece of the UDX
The ICSF callable service and the service stub
The access control point exit
Appendix B. Callable services access control points
The access control points
Access control points in the PCICC and ICSF
New access control points and TKE users
Non TKE users
New TKE users
TKE users
Appendix C. Exploitation of the cryptographic coprocessors
Exploitation of the zSeries CCFs and PCI coprocessors
The IBM exploiters
z/OS System SSL
z/OS Open Cryptographic Services Facility (OCSF)
IBM HTTP Server for z/OS
z/OS LDAP server and client
CICS Transaction Server and CICS Transaction Gateway
z/OS TN3270 Server
z/OS Firewall Technologies
z/OS DCE
z/OS Network Authentication Service (Kerberos)
Payment Processing products
VTAM Session Level Encryption
RACF
z/OS Public Key Infrastructure (PKI) Services
Crypto Based Transactions (CBT) banking solution
Java cryptography
Appendix D. Crypto performance considerations
General considerations for performance of cryptographic operations
RMF support for Crypto
Appendix E. TKE host TCP/IP server setup
The main TCP/IP files to check and modify
TCPIP.HOSTS.LOCAL
TCPIP.DATA
TCPIP.PROFILE
TKE Host Transaction Program installation
CSFTTCP started procedure installation
The CSFTTKE module
The CSFTHTP3 REXX exec
Starting the TKE Host Transaction Program
Related publications
IBM Redbooks
Other resources
Referenced Web sites
How to get IBM Redbooks
IBM Redbooks collections
Index
Back cover.
Notes:
"April 2003."
"SG24-6870-00."
Includes bibliographical references and index.
OCLC:
137342220