Crypto Express5S - IBM z13s Technical Manual

6.5 Crypto Express5S

The Crypto Express5S feature (FC 0890) is an optional feature that is exclusive to z13 and
z13s servers. Each feature has one PCIe cryptographic adapter. The Crypto Express5S
feature occupies one I/O slot in a z13 or z13s PCIe I/O drawer. This feature is an HSM and
provides a secure programming and hardware environment on which crypto processes are
run. Each cryptographic coprocessor includes a general-purpose processor, non-volatile
storage, and specialized cryptographic electronics. The Crypto Express5S feature provides
tamper-sensing and tamper-responding, high-performance cryptographic operations.
Each Crypto Express5S PCI Express adapter can be in one of these configurations:

- Secure IBM CCA coprocessor (CEX5C) for FIPS 140-2 Level 4 certification. This configuration includes secure key functions. It is optionally programmable to deploy more functions and algorithms by using UDX. See 6.5.2, "Crypto Express5S as a CCA coprocessor" on page 214.

- Secure IBM Enterprise PKCS #11 (EP11) coprocessor (CEX5P) implements an industry-standardized set of services that adhere to the PKCS #11 specification V2.20 and more recent amendments. It was designed for extended FIPS and Common Criteria evaluations to meet public sector requirements. This new cryptographic coprocessor mode introduced the PKCS #11 secure key function. See 6.5.3, "Crypto Express5S as an EP11 coprocessor" on page 218.

  A TKE workstation is required to support the administration of the Crypto Express5S when it is configured in EP11 mode.

- Accelerator (CEX5A) for acceleration of public key and private key cryptographic operations that are used with SSL/TLS processing. See 6.5.4, "Crypto Express5S as an accelerator" on page 218.
These modes can be configured by using the SE, and the PCIe adapter must be configured
offline to change the mode.
Attention: Switching between configuration modes erases all card secrets. The exception
is when you are switching from Secure CCA to accelerator, and vice versa.
The Crypto Express5S feature has been released for enhanced cryptographic performance. It is designed to provide more than double the performance of the Crypto Express4S feature. To achieve this performance, an L2 cache has been added, a new Crypto ASIC has been implemented, and the internal processor has been upgraded from PowerPC 405 to PowerPC 476.
The Crypto Express5S feature does not have external ports and does not use optical fiber or other cables. It does not use channel-path identifiers (CHPIDs), but requires one slot in the PCIe I/O drawer and one physical channel ID (PCHID) for each PCIe cryptographic adapter. Removal of the feature or card zeroizes its content. Access to the PCIe cryptographic adapter is controlled through the setup in the image profiles on the SE.

Adapter: Although PCIe cryptographic adapters have no CHPID type and are not identified as external channels, all logical partitions (LPARs) in all channel subsystems have access to the adapter. In z13s servers, there are up to 40 LPARs per adapter. Having access to the adapter requires a setup in the image profile for each partition. The adapter must be in the candidate list.

Chapter 6. Cryptography 211