Table of Contents
Abstract for z/OS Integrated Cryptographic Service Facility (ICSF) Overview
Summary of changes
Changes made in Enhanced Cryptographic Support for z/OS V1R13 - z/OS V2R1 (FMID HCR77B0)
Changes made in Cryptographic Support for z/OS V1R13-V2R1 (FMID HCR77A1) as updated June 2014
Summary of changes for z/OS Version 2 Release 1
Introducing cryptography and ICSF
What is cryptography?
The basic elements of a cryptographic system
Secret key cryptography
Public key cryptography
How does ICSF support cryptography?
How does ICSF extend the uses of cryptography?
Key generation and distribution
Personal Identification Numbers (PINs)
Message Authentication Codes (MACs)
Hashing algorithms
Digital signatures
Payment card verification values
Translation of data and PINs in networks
SET Secure Electronic Transaction
Secure Sockets Layer (SSL)
EMV integrated circuit card specifications
ATM remote key loading
Public Key Cryptography Standard #11 (PKCS #11)
DK AES PIN support
Solving your business needs with ICSF
Keeping your data private
Transporting data securely across a network
Supporting the Internet Secure Sockets Layer protocol
Transacting commerce on the Internet
Exchanging keys safely between networks
Exchanging symmetric keys using callable services
Exchanging DES or AES data-encrypting keys using an RSA key scheme
Creating DES or AES Keys using an ECC Diffie-Hellman key scheme
Exchanging keys and their attributes with non-CCA systems
Managing master keys using a Trusted Key Entry workstation
Integrity and Privacy
Using Personal Identification Numbers (PINs) for personal authentication
Verifying data integrity and authenticity
Using Message Authentication Codes
Generating and verifying digital signatures
Using modification detection codes and message hashing
Verifying payment card data
Maintaining continuous operations
Reducing costs by improving productivity
Improving cryptographic performance
Using RMF and SMF to monitor z/OS ICSF events
Improving performance in a CICS environment
Customizing ICSF to meet your installation's needs
Using ICSF exits to meet special needs
Creating installation-defined callable services
Using options to tailor ICSF
Isolating and protecting PR/SM partitions
Enabling growth
Protecting your investment
Application Programming Interfaces and key management
Callable services
Protecting and controlling DES keys
DES master key variant
DES transport key variant
DES key forms
Control vectors
Types of DES keys
Protecting and controlling AES keys
AES key forms
Types of AES keys
Protecting and controlling HMAC keys
HMAC key forms
HMAC keys
DES key token wrapping
Protecting and controlling PKA keys
PKA master keys
RSA private and public keys
Generating RSA keys on a Cryptographic Coprocessor Feature
ECC private and public keys
Exchanging encrypted keys and PINs on a DES system
Exchanging RSA-encrypted data keys
Using multiple DES encipherment to protect keys and data
Running in special secure mode
Cryptographic Key Data Set (CKDS)
Dynamic CKDS update callable services
Sysplex-wide consistency of CKDS
Restrictions
PKA Cryptographic Key Data Set (PKDS)
Dynamic PKDS update callable services
Sysplex-wide consistency of PKDS
Restrictions
Key Generator Utility Program and key generate callable service
Composing and decomposing SET blocks
Exchanging Secure Sockets Layer session key seed
Enhanced key management for Crypto Assist instructions
Protected-key CPACF
PKCS #11
Tokens
Token Data Set (TKDS)
PKCS #11 and FIPS 140-2
Using ICSF with other cryptographic products
Using IBM’s Common Cryptographic Architecture
Coexisting with other IBM cryptographic products
Running PCF applications under ICSF
Managing keys with the Distributed Key Management System (DKMS)
Encrypting and decrypting information from other products
Encryption facility
What is encryption facility?
Features available with encryption facility
Virtual Telecommunications Access Method (VTAM) session-level encryption
Access Method Services Cryptographic Option
Planning for the Integrated Cryptographic Service Facility
System requirements
z/OS ICSF FMIDs
Migration information
Cryptographic hardware features
Performance considerations
Server hardware
Configuring Servers and Cryptographic Processors
Security
Operating considerations
ICSF initialization options
Effect of multiple records on performance
LPAR considerations
Link Pack Area (LPA) considerations
Standards
Summary of callable service support by hardware configuration