H.3 Security On Flash Express - IBM z13s Technical Manual

Data type
Pageable large pages
All other data
Flash Express is used by the Auxiliary Storage Manager (ASM) with paging data sets to
satisfy page-out and page-in requests received from the real storage manager (RSM). It
supports 4 KB and 1 MB page sizes. ASM determines where to write a page based on space
availability, data characteristics, and performance metrics. ASM still requires definition of a
PLPA, Common, and at least one local paging data set. VIO pages are only written to DASD
because persistence is needed for warm starts.
A new PAGESCM keyword in the IEASYSxx member defines the minimum amount of flash to be
reserved for paging. The value can be specified in units of MB, GB, or TB. NONE indicates that
the system does not use flash for paging. ALL (the default) indicates that all flash that is
defined to the partition is available for paging.
The following new messages are issued during z/OS IPL and indicate the status of SCM:
IAR031I USE OF STORAGE-CLASS MEMORY FOR PAGING IS ENABLED - PAGESCM=ALL,
ONLINE=00001536M
IAR032I USE OF STORAGE-CLASS MEMORY FOR PAGING IS NOT ENABLED - PAGESCM=NONE
The D ASM and D M commands are enhanced to display flash-related information/status:
D ASM lists the SCM status along with paging data set status.
D ASM,SCM displays a summary of SCM usage.
D M=SCM displays the SCM online/offline and increment information.
D M=SCM(DETAIL) displays detailed increment-level information.
The CONFIG ONLINE command is enhanced to allow bringing more SCMs online:
CF SCM (amount), ONLINE

H.3 Security on Flash Express

Data that is stored on Flash Express is encrypted by a strong encryption symmetric key that
is in a file on the SE hard disk. This key is also known as the
key/authentication key
generate an asymmetric transport key in which the flash encryption key/authentication key is
wrapped. This transport key is used while in transit from the SE to the firmware management
of the Flash Express adapter.
The SE has an integrated card reader into which one smart card at a time can be inserted.
When an SE is "locked down," removing the smart card is not an option unless you have the
key to the physical lock.
H.3.1 Integrated Key Controller
The SE initializes the environment by starting APIs within the Integrated Key Controller (IKC).
The IKC loads an applet to a smart card inserted in the integrated card reader. The smart
card applet, as part of its installation, creates a Rivest-Shamir-Adleman (RSA) algorithm key
pair, the private component of which never leaves the smart card. However, the public key is
Data page placement
If contiguous flash space is available, pageable large pages
are written to flash.
If space is available on both flash and disk, the system makes
a selection that is based on response time.
. The firmware management of the Flash Express adapter can
Flash encryption
Appendix H. Flash Express
535