IBM z13s Technical Manual page 243

Consideration: CCA has a new code level for z13s servers, and the UDX clients require a
new UDX.

On z13s servers, the Crypto Express5S card is delivered with CCA Level 5.2 firmware. The
IBM CCA LIC provides a new set of cryptographic functions and callable services to
enhance the functions that secure financial transactions and keys:
• Greater than 16 domains support, up to 40 LPARs on z13s servers and up to 85 LPARs on
  z13 servers, exclusive to z13 or z13s servers, and to Crypto Express5S
• VFPE support, exclusive to z13 or z13s servers and to Crypto Express5S
• AES PIN support for the German banking industry
• PKA Translate UDX function into CCA
• Verb Algorithm Currency

Greater than 16 domains support

z13s servers support up to 40 LPARs, and z13 servers support up to 85 LPARs. The
z Systems crypto architecture was designed to support 16 domains (which matched the
LPAR maximum at the time). Before z13 and z13s servers, in customer environments where
the number of LPARs was larger than 16, crypto workload separation could be complex.
These customers had to map a large set of LPARs to a small set of crypto domains.

Now, in z13s and z13 servers, with the Adjunct Processor (AP) Extended Addressing (APXA)
facility installed, the z Systems crypto architecture can support up to 256 domains in an
AP. As such, the Crypto Express cards are enhanced to handle 256 domains, and the
z Systems firmware provides up to 40 domains on z13s servers and up to 85 domains on
z13 servers to customers (to match the current LPAR maximum). Customers have the
flexibility of mapping individual LPARs to unique crypto domains or continuing to share
crypto domains across LPARs.

These are the requirements to support 40 or 85 domains:
• Hardware requirements:
  – z13s servers and Crypto Express5S with CCA V5.2 firmware
  – z13 servers and Crypto Express5S with CCA V5.0 or later firmware
• Software requirements:
  – z/OS V2.2
  – z/OS V2.1 and z/OS V1.13 with the Cryptographic Support for z/OS V1R13-z/OS
    V2R1 web deliverable (FMID HCR77B0)
  – Also available with HCR7780, HCR7790, HCR77A0, and HCR77A1 (previous WDs
    with program temporary fixes (PTFs))
  – z/VM V6.2 and Version 6.3 with PTFs for guest use

Visa Format Preserving Encryption

VFPE refers to a method of encryption where the resulting cipher text has the same form as
the input clear text. The form of the text can vary according to use and application. One of the
classic examples is a 16-digit credit card number. After using VFPE to encrypt a credit card
number, the resulting cipher text is another 16-digit number. This helps legacy databases
contain encrypted data of sensitive fields without having to restructure the database or
applications.
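
The format-preserving property described above, shown as an added example (not from the IBM manual, and not the VFPE algorithm or a CCA callable service): a generic Feistel construction over decimal digits with HMAC-SHA256 as the round function, so a 16-digit input always yields a 16-digit output that decrypts back to the input. The function names, round count, key, tweak and sample number are assumptions made for illustration.

```python
import hashlib
import hmac

ROUNDS = 10  # assumption: illustrative round count, must be even


def _prf(key, tweak, rnd, half, width):
    """Round function: HMAC-SHA256 over (round, tweak, other half), reduced to `width` digits."""
    msg = bytes([rnd]) + len(tweak).to_bytes(2, "big") + tweak + half.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % 10 ** width


def _split(digits):
    """Validate the input and split it into two halves of u and v digits."""
    if not (digits.isascii() and digits.isdigit() and 2 <= len(digits) <= 32):
        raise ValueError("expected 2 to 32 decimal digits")
    u = len(digits) // 2
    return digits[:u], digits[u:], u, len(digits) - u


def fpe_encrypt(key, tweak, digits):
    """Encrypt a digit string to a digit string of the same length."""
    a, b, u, v = _split(digits)
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v          # width of the half being replaced
        c = (int(a) + _prf(key, tweak, i, b, m)) % 10 ** m
        a, b = b, str(c).zfill(m)           # zfill keeps leading zeros
    return a + b


def fpe_decrypt(key, tweak, digits):
    """Invert fpe_encrypt by running the rounds backwards."""
    a, b, u, v = _split(digits)
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _prf(key, tweak, i, a, m)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed sample key
    tweak = b"merchant-0001"        # constructed sample tweak
    pan = "4000001234567899"        # constructed 16-digit sample value
    ct = fpe_encrypt(key, tweak, pan)
    print(pan, "->", ct, "->", fpe_decrypt(key, tweak, ct))
```

Because the ciphertext is still a string of decimal digits of the original length, it fits an existing fixed-width numeric column unchanged, which is the database benefit the paragraph describes.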
Chapter 6. Cryptography
215
