IBM z13s Technical Manual page 53

operational and master keys. TKE also provides secure management of host cryptographic
module and host capabilities.
Support for an optional smart card reader that is attached to the TKE workstation allows the
use of smart cards that contain an embedded microprocessor and associated memory for
data storage. Access to and the use of confidential data on the smart cards are protected by
a user-defined personal identification number (PIN). A FIPS-certified smart card, part number
00JA710, is now included in the smart card reader and additional smart cards optional
features.
When Crypto Express5S is configured as a Secure IBM Enterprise PKCS #11 (EP11)
coprocessor, the TKE workstation is required to manage the Crypto Express5S feature. The
TKE is recommended for CCA mode processing as well. If the smart card reader feature is
installed in the TKE workstation, the new smart card part 00JA710 is required for EP11 mode.
If EP11 is to be defined, smart cards that are used must have FIPS certification.
For more information about the Cryptographic features, see Chapter 6, "Cryptography" on
page 199. Also, see the Web Deliverables download site for the most current ICSF updates
available (currently HCR77B0 Web Deliverable 14 and HCR77B1 Web Deliverable 15):
http://www.ibm.com/systems/z/os/zos/tools/downloads/
Flash Express
The Flash Express optional feature is intended to provide performance improvements and
better availability for critical business workloads that cannot afford any impact to service
levels. Flash Express is easy to configure, and provides rapid time to value.
Flash Express implements SCM in a PCIe card form factor. Each Flash Express card
implements an internal NAND Flash SSD, and has a capacity of 1.4 TB of usable storage.
Cards are installed in pairs, which provide mirrored data to ensure a high level of availability
and redundancy. A maximum of four pairs of cards (four features) can be installed on a z13s
server, for a maximum capacity of 5.6 TB of storage.
The Flash Express feature, recently enhanced, is designed to allow each LPAR to be
configured with its own SCM address space. It is used for paging and enables the use of
pageable 1 MB pages.
Encryption is included to improve data security. Data security is ensured through a unique key
that is stored on the SE hard disk drive (HDD). It is mirrored for redundancy. Data on the
Flash Express feature is protected with this key, and is usable only on the system with the key
that encrypted it. The Secure Keystore is implemented by using a smart card that is installed
in the SE. The smart card (one pair, one for each SE) contains the following items:
- A unique key that is personalized for each system
- A small cryptographic engine that can run a limited set of security functions within the smart card
Flash Express is supported by z/OS V1R13 (or later) for handling z/OS paging activity, and
has support for 1 MB pageable pages and SAN Volume Controller memory dumps. Support
was added to the CFCC to use Flash Express as an overflow device for shared queue data to
provide emergency capacity to handle WebSphere MQ shared queue buildups during
abnormal situations. Abnormal situations include when "putters" are putting to the shared
queue, but "getters" cannot keep up and are not getting from the shared queue.
Flash memory is assigned to a CF image through HMC windows. The coupling facility
resource management (CFRM) policy definition allows the correct amount of SCM to be used
by a particular structure, on a structure-by-structure basis. Additionally, Linux (RHEL and
Chapter 1. Introducing IBM z13s servers
25
