TKE Workstation; Logical Partition, TKE Host, and TKE Target; Optional Smart Card Reader - IBM z13s Technical Manual

6.6 TKE workstation

The TKE workstation is an optional feature that offers key management functions. A TKE tower workstation feature (FC 0847) or a TKE rack mounted workstation feature (FC 0097) is required for z13s servers to manage the Crypto Express5S feature.

The TKE contains a combination of hardware and software. A mouse, keyboard, flat panel display, PCIe adapter, and writable USB media to install the TKE LIC are included with the system unit. The TKE workstation requires an IBM 4767 crypto adapter.

A TKE workstation is part of a customized solution for using the ICSF for z/OS on Linux for z Systems. This program provides a basic key management system for the cryptographic keys of a z13s server that has Crypto Express features installed.

The TKE provides a secure, remote, and flexible method of providing Master Key Part Entry and of remotely managing PCIe cryptographic coprocessors. The cryptographic functions on the TKE are run by one PCIe cryptographic coprocessor. The TKE workstation communicates with the z Systems server through a TCP/IP connection. The TKE workstation is available with Ethernet LAN connectivity only. Up to 10 TKE workstations can be ordered. TKE FCs 0847 and 0097 can be used to control the Crypto Express5S cards on z13s servers. They can also be used to control the Crypto Express5S on z13, and the older crypto cards on zEC12, zBC12, z196, z114, z10 EC, z10 BC, z9 EC, z9 BC, z990, and z890 servers.

Tip: For handling a TKE, a series of instructive video clips is provided at: http://www.youtube.com/user/IBMTKE

6.6.1 Logical partition, TKE host, and TKE target

If one or more LPARs are configured to use Crypto Express5S coprocessors, the TKE workstation can be used to manage DES, AES, ECC, and PKA master keys. This management can be done for all cryptographic domains of each Crypto Express coprocessor feature that is assigned to the LPARs defined to the TKE workstation.

Each LPAR in the same system that uses a domain that is managed through a TKE workstation connection is either a TKE host or a TKE target. An LPAR with a TCP/IP connection to the TKE is referred to as the TKE host. All other partitions are TKE targets.

The cryptographic controls that are set for an LPAR through the SE determine whether the workstation is a TKE host or a TKE target.

6.6.2 Optional smart card reader

An optional smart card reader (FC 0885) can be added to the TKE workstation. One FC 0885 includes two smart card readers, two cables to connect them to the TKE workstation, and 20 smart cards. The reader supports the use of smart cards that contain an embedded microprocessor and associated memory for data storage. The memory can contain the keys to be loaded into the Crypto Express features.

Access to and use of confidential data on the smart card are protected by a user-defined PIN. Up to 990 more smart cards can be ordered for backup. The additional smart card feature code is FC 0884. When one feature code is ordered, 10 smart cards are shipped. The order increment is 1 - 99 (10 - 990 blank smart cards).

IBM z13s Technical Guide
