IBM z13s Technical Manual page 233

Finally, for entering keys in a secure way into the Crypto Express5S HSM, a TKE is required,
usually also equipped with smart card readers. Section 6.6, "TKE workstation" on page 222
provides additional information.

Table 6-1 lists the feature codes and describes the purpose of these hardware features.

Table 6-1 Cryptographic features for IBM z13s servers

| Feature code | Description |
|---|---|
| 3863 | CP Assist for Cryptographic Function (CPACF) enablement: This feature is a prerequisite to use CPACF (except for SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512) and the Crypto Express5S feature. |
| 0890 | Crypto Express5S card: A maximum of 16 features can be ordered (minimum of two adapters). This is an optional feature, and each feature contains one PCI Express cryptographic adapter (adjunct processor). This feature is supported only in z13 and z13s servers. |
| 0847 | Trusted Key Entry (TKE) tower workstation: A TKE provides basic key management (key identification, exchange, separation, update, and backup) and security administration. It is optional for running a Crypto Express5S card in CCA mode and required for running it in EP11 mode. The TKE workstation has one Ethernet port, and supports connectivity to an Ethernet local area network (LAN) operating at 10, 100, or 1000 Mbps. Up to 10 features per z13s server can be ordered. |
| 0097 | Trusted Key Entry (TKE) rack mounted workstation: The rack-mounted version of the TKE, which needs a customer-provided standard 19-inch rack. It comes with a 1U TKE unit and a 1U console tray (screen, keyboard, and pointing device). When using smart card readers, an extra customer-provided tray is needed. Up to 10 features per z13s server can be ordered. |
| 0877 | TKE 8.0 Licensed Internal Code (LIC): Shipped with the TKE tower workstation FC 0847 since z13 GA. This LIC is not orderable with a z13s server, but it is able to manage a Crypto Express5S card FC 0890 installed in a z13s server. |
| 0878 | TKE 8.1 Licensed Internal Code (LIC): Shipped with the TKE tower workstation FC 0847 and the TKE rack-mounted workstation FC 0097 since z13 GA2 and z13s GA. |
| 0891 | TKE Smart Card Reader: Access to information in the smart card is protected by a PIN. One feature code includes two smart card readers, two cables to connect them to the TKE workstation, and 20 smart cards. Smart card part 74Y0551 is required to support CEX5P. |
| 0892 | TKE additional smart cards: When one feature code is ordered, 10 smart cards are shipped. The order increment is 1 - 99 (990 blank smart cards). Smart cards 74Y0551 and 54D3338 can be used. A new card 00JA710 will be released because of the end of life of 74Y0551. |

A TKE includes support for the AES encryption algorithm with 256-bit master keys and key
management functions to load or generate master keys to the cryptographic coprocessor.

If the TKE workstation is chosen to operate the Crypto Express5S features in a z13s server,
a TKE workstation with the TKE 8.0 LIC or the TKE 8.1 LIC is required. For more information,
see 6.6, "TKE workstation" on page 222.

Chapter 6. Cryptography
205
