My colleague Tony Sharkey wrote the following words for a customer. I thought it was worth sharing them.
z Machines (z13) these days have:
Each drawer has 2 nodes
Each node has 3 memory chip modules (MCM)
Each MCM has between 6 and 8 processors, which can be configured as GPs, zIIP, IFL, etc.
Each processor also has a CPACF (Central Processor Assist Crypto Function)
- This changed on zEC12 (prior to that, it was 1 CPACF per 2 processors)
The CPACF processor is used for encryption, decryption and hashing, and supports a ‘special’ instruction set. The instructions are used by System SSL (GSKit), which MQ (and MQ AMS) exploits.
They must be enabled (feature #3863).
Work run on CPACF is charged to the owning Address Space.
Work is run in series – i.e. either GP or CPACF is doing work – not in parallel.
- On zEC12 onwards, this means no waiting for the CPACF processor.
MQ can run SSL channels which are secure using just GPs (and CPACF).
However, there are CryptoExpress (CEX) cards which can be added to offload (some of) the cost of cryptography.
CEX cards can be configured as co-processors or accelerators or PKCS processors.
Each card has a number (8?) of processors that can be configured for different purposes.
MQ can use either co-processors or accelerators. We have been given guidance that the accelerator is more optimal for MQ’s purposes.
MQ (as it uses System SSL) can only offload secret key negotiation to the CEX card, i.e. at channel start and when the SSLRKEYC trigger is met.
In reality, some part of the key negotiation will be performed on GP (and CPACF) regardless of CEX availability.
Also, certain SSLCIPH specs are not supported by the CEX cards (as per https://www.ibm.com/developerworks/community/blogs/c4142f9d-6cf1-44ef-a44a-b09428ad96d1/entry/is_my_ssl_channel_using_hardware_assist?lang=en).
MQ does not need CEX to run – it can work perfectly well with just GP (and CPACF), but you will see increased cost relating to secret key negotiation, and this may have an impact on what else the processors can do.
This is documented in MP16 (see https://ibm-messaging.github.io/mqperf/mp16.pdf) in the Channel Initiator section, specifically SSL and TLS.
So now you know.