Optional Crypto Express adapters

Optional cryptographic adapters (Crypto Express) can be configured as:
  • A CCA cryptographic coprocessor.
  • An accelerator.
  • A PKCS #11 cryptographic coprocessor.
For details on hardware adapters and their configuration options, see 'Cryptographic Hardware Features supported by z/OS ICSF' in z/OS Cryptographic Services ICSF Administrator's Guide.
In some cases, an optional adapter is required. When an optional adapter is not required, ICSF uses one if it is available, subject to some restrictions; otherwise, the operation is done in software. To determine which services use available hardware, see z/OS Cryptographic Services ICSF Application Programmer's Guide.
  • A secure PKCS #11 cryptographic coprocessor is required to generate and use secure PKCS #11 keys. It can also be used, if present, to offload MIPS for some clear key operations such as DSA and DH domain parameter generation.
  • The CCA cryptographic coprocessor or accelerator adapters are optional. If present, they can be used to offload MIPS for the following clear key operations:
    • For an Accelerator or CCA coprocessor:
      • RSA Sign/Verify (but not RSA PSS), Encrypt/Decrypt, Key Wrap/Unwrap.
      • DH Key Agreement.
    • For a CCA coprocessor only:
      • RSA and EC Key-pair Generate.
      • EC-DH Key Agreement.
      • ECDSA Signature Verify.
  • Operations that must meet FIPS 140-2 standards are not directed to the CCA cryptographic coprocessors.
  • Operations that must meet FIPS 140-2 standards are only directed to an accelerator when at least one accelerator was online at ICSF startup. If the first accelerator comes online after ICSF startup, you must restart ICSF if you want that accelerator to be used for any PKCS #11 RSA functions that require adherence to the FIPS 140-2 standard. For non-FIPS restricted functions, the accelerator is used regardless of when the first accelerator comes online.