by Jim Coon, Dick Gusefski, and Jakob Lang
With the multitude of features available on today's mainframe computer systems, it is more advantageous for a company to sell an entire system with all features integrated than to ship each desired feature later, when it is purchased. The z13 takes advantage of this strategy by activating and storing feature license records in a tamper-proof database that is protected against data loss. Using a state-of-the-art security mechanism, a client’s entitlements are protected while at the same time IBM is protected from “feature fraud”.
This article describes the new Feature-on-Demand (FoD) solution. It uses a smart card both to store the database of feature activation state and to control access to that database, while preventing its use on rogue systems.
The basic problem to solve is how to protect the database so that features that have not been paid for cannot be surreptitiously enabled, and features that have been removed cannot be re-enabled, especially when the database of enabled features is resident on the system itself.
The previous solution was implemented to work only with the mainframe (CEC). With the new z13, IBM introduced the zEnterprise BladeCenter Extension (zBX) as a standalone version that does not include a CEC. This forced the development team to find a new solution that works without the CEC as the central point for feature security handling.
The new approach solves the problems of tampering, data loss, secure update, removal, frame roll, and mirroring of the FoD database associated with the system by using a smart card. The smart card serves as a Hardware Security Module (HSM) and is the base security technology integrated into the system. The HSM provides a tamper-resistant mechanism and a management procedure for asset protection without any interaction required with the CEC. It also provides RAS capabilities.
The figure below shows the overview picture of the FoD/smart card solution:
During manufacturing, the smart card is coupled to the system via the Service Element (SE) and initialized with a dedicated firmware applet. Once initialized, the FoD records can be installed on the smart card. The serial number of the system is embedded in the FoD database and serves as the verification mechanism for all subsequent smart card accesses. The verification is realized by the requirement to pass the serial number on all API interfaces. This provides a tight “coupling” of the system to the smart card via an SE, which prevents the smart card from being used on a different system with a different serial number.
Feature licenses can be added to or removed from the FoD database on the smart card only through the APIs. The FoD database is secured by a signature mechanism that ensures the integrity of the stored feature licenses by providing both point-of-origin verification and protection from tampering.
To provide RAS (Reliability, Availability, and Serviceability) capabilities, both SEs (primary SE and alternate SE) have smart cards, so that there is a redundant physical setup. The alternate SE's smart card (alternate SC) is also coupled to its SE. The FoD database is mirrored securely to the alternate SC using an elliptic curve cryptography protocol. This provides a redundant fallback in case of an SE or smart card failure. The primary SE's smart card (primary SC) sends its public key to the alternate SC. The FoD database is signed with the private key of the primary SC and sent to the alternate SC for verification. The alternate SC installs the FoD database, creates a new database signature, and compares it to the one embedded in the database; the new database is activated only if the signatures match. Thereafter, the FoD databases on the two smart cards are kept synchronized by querying the time stamp of the last FoD update on each smart card.
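The serial-number coupling of the APIs and the signed mirroring to the alternate card, as a simplified model added here for illustration; this is not IBM's firmware, applet or API. The type and method names, the ECDSA P-256 signature over a SHA-256 digest, and the canonical record string are assumptions, since the article names only "an elliptic curve cryptography protocol"; the primary's public key is passed directly to the alternate to stand in for the key exchange described above, and the alternate verifies the received signature rather than recomputing one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Database is the FoD store: serial embedded at manufacturing, time stamp of the last FoD
// update, and records as one canonical "feat=qty;..." string (assumed) so both cards hash alike.
type Database struct{ Serial string; LastUpdate int64; Records string }
func (d Database) digest() []byte {
	s := sha256.Sum256([]byte(fmt.Sprintf("%s|%d|%s", d.Serial, d.LastUpdate, d.Records)))
	return s[:]
}
// SmartCard models one SE's card: the coupled database plus a card-resident key pair.
type SmartCard struct{ db Database; priv *ecdsa.PrivateKey }
func NewSmartCard(serial string) *SmartCard {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &SmartCard{db: Database{Serial: serial}, priv: priv}
}
// Update is the add/remove API; every call must carry the system serial number.
func (c *SmartCard) Update(serial, records string, ts int64) error {
	if serial != c.db.Serial {
		return errors.New("serial mismatch: card is coupled to another system")
	}
	c.db.Records, c.db.LastUpdate = records, ts
	return nil
}
// Export signs the primary card's database with its private key for mirroring.
func (c *SmartCard) Export() (Database, []byte) {
	sig, _ := ecdsa.SignASN1(rand.Reader, c.priv, c.db.digest())
	return c.db, sig
}
// Import activates a mirrored copy only if serial, signature (primary's key) and freshness check out.
func (c *SmartCard) Import(pub *ecdsa.PublicKey, db Database, sig []byte) error {
	switch {
	case db.Serial != c.db.Serial:
		return errors.New("serial mismatch: database belongs to another system")
	case !ecdsa.VerifyASN1(pub, db.digest(), sig):
		return errors.New("signature verification failed: database rejected")
	case db.LastUpdate <= c.db.LastUpdate:
		return errors.New("stale copy: alternate already holds this or a newer database")
	}
	c.db = db
	return nil
}
```

The freshness check also refuses a replayed older copy, which is what the time-stamp synchronization between the two cards guards against.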
In summary, by querying information from the FoD database, a feature application running on the SE, Hardware Management Console (HMC) or CEC can retrieve protected entitlement information about the allowed license limitations. This CAMSS solution protects both the client and IBM and provides added value to the z13.