IBM z13s Technical Manual page 52

Configurable Crypto Express5S feature
Crypto Express5S represents the newest generation of cryptographic features. It is designed
to complement the cryptographic capabilities of the CPACF. It is an optional feature of the z13
and z13s server generation. The Crypto Express5S feature is designed to provide granularity
for increased flexibility with one PCIe adapter per feature. For availability reasons, a minimum
of two features is required.
With z13 and z13s servers, a cryptographic coprocessor can be shared across more than
16 domains, up to the maximum number of LPARs on the system (up to 85 domains on z13
servers and 40 domains on z13s servers).
The Crypto Express5S is a state-of-the-art, tamper-sensing, and tamper-responding
programmable cryptographic feature that provides a secure cryptographic environment. Each
adapter contains a tamper-resistant hardware security module (HSM). The HSM can be
configured as a Secure IBM CCA coprocessor, as a Secure IBM Enterprise PKCS #11
(EP11) coprocessor, or as an accelerator:
– A Secure IBM CCA coprocessor is for secure key encrypted transactions that use CCA
callable services (default).
– A Secure IBM Enterprise PKCS #11 (EP11) coprocessor implements an industry
standardized set of services that adhere to the PKCS #11 specification v2.20 and more
recent amendments. This new cryptographic coprocessor mode introduced the PKCS #11
secure key function.
– An accelerator for public key and private key cryptographic operations is used with Secure
Sockets Layer/Transport Layer Security (SSL/TLS) acceleration.
The Crypto Express5S is designed to meet these cryptographic standards, among others:
– FIPS 140-2 Level 4
– ANSI X9.97
– Payment Card Industry (PCI) HSM
– Deutsche Kreditwirtschaft (DK)
FIPS 140-2 certification is supported only when Crypto Express5S is configured as a CCA or
an EP11 coprocessor.
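The two properties the text relies on, secure keys (the clear key never leaves the HSM; host software only holds wrapped key tokens) and domain separation (one adapter shared by up to 40 or 85 LPARs, each with its own master key), are easier to reason about with a model in hand. The following is a toy model added here by the editor; it is not IBM code and does not reproduce the CCA or EP11 token formats, APIs, or wrap algorithms. The HMAC-SHA256 keystream-plus-tag wrap, the nonce/ciphertext/tag token layout, and every class and function name are assumptions made for the example.

```python
"""Toy model of a domain-partitioned secure-key HSM (constructed example).

Assumptions: the HMAC-SHA256 based wrap below stands in for the real
key-wrapping mechanism, and the token layout is invented for illustration.
Only the architecture (per-domain master keys, host holds tokens only) is
what the example is meant to show.
"""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF: HMAC-SHA256 in counter mode, truncated to `length` bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("token integrity check failed: wrong domain master key or tampered token")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class SecureKeyHSM:
    """One coprocessor shared by `domains` LPAR domains, each with its own master key.

    Host code only ever receives tokens (operational keys wrapped under the
    domain's master key). There is deliberately no method that returns a clear
    key: unwrapping happens only inside encrypt()/decrypt().
    """

    def __init__(self, domains: int) -> None:
        # Master keys exist only here; on the real adapter they are loaded via TKE.
        self._master = {d: secrets.token_bytes(32) for d in range(domains)}

    def generate_key_token(self, domain: int) -> bytes:
        """Create an operational key and hand back only its wrapped token."""
        clear_key = secrets.token_bytes(32)
        return _seal(self._master[domain], clear_key)

    def encrypt(self, domain: int, token: bytes, data: bytes) -> bytes:
        clear_key = _open(self._master[domain], token)  # unwrap inside the HSM only
        return _seal(clear_key, data)

    def decrypt(self, domain: int, token: bytes, blob: bytes) -> bytes:
        clear_key = _open(self._master[domain], token)
        return _open(clear_key, blob)


def demo(domains: int = 40) -> dict:
    """Exercise the model on constructed data; returns checkable results."""
    hsm = SecureKeyHSM(domains)
    token = hsm.generate_key_token(domain=3)  # host stores this, never the clear key
    sample = b"PAN=4111111111111111"          # constructed sample record
    blob = hsm.encrypt(3, token, sample)
    roundtrip = hsm.decrypt(3, token, blob) == sample

    try:  # same token presented to another domain (another LPAR) is useless
        hsm.encrypt(4, token, b"x")
        cross_domain_blocked = False
    except ValueError:
        cross_domain_blocked = True

    tampered = bytearray(token)
    tampered[20] ^= 0x01                     # flip a bit in the wrapped key material
    try:
        hsm.decrypt(3, bytes(tampered), blob)
        tamper_blocked = False
    except ValueError:
        tamper_blocked = True

    return {"roundtrip": roundtrip, "cross_domain_blocked": cross_domain_blocked,
            "tamper_blocked": tamper_blocked, "token_len": len(token)}


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is that the host side has nothing worth stealing: a leaked token is bound to one domain's master key and fails integrity checks elsewhere, and there is no call path that hands the clear key back to the host. A real CCA or EP11 deployment adds what this toy omits, such as key-usage controls in the token and TKE-loaded rather than self-generated master keys.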
Crypto Express5S supports a number of ciphers and standards, including those listed in this
section. For more information about cryptographic algorithms and standards, see Chapter 6,
"Cryptography" on page 199.
TKE workstation and support for smart card readers
The TKE feature is an integrated solution that is composed of workstation firmware,
hardware, and software to manage cryptographic keys in a secure environment. The TKE is
either network-connected or isolated; in the isolated case, smart cards are used.
The Trusted Key Entry (TKE) workstation and the most recent TKE 8.1 LIC are optional
features on the z13s. The TKE 8.1 requires the crypto adapter FC 4767. You can use TKE 8.0
to collect data from previous generations of Cryptographic modules and apply the data to
Crypto Express5S coprocessors.
The TKE workstation offers a security-rich solution for basic local and remote key
management. It provides authorized personnel with a method for key identification, exchange,
separation, update, and backup, and a secure hardware-based key loading mechanism for
loading

24   IBM z13s Technical Guide