Overview of z/OS support for PKCS #11

PKCS #11, also known as Cryptoki, is the cryptographic token interface standard. It specifies an application programming interface (API) to devices, referred to as tokens, that hold cryptographic information and perform cryptographic functions. The PKCS #11 API is an industry-accepted standard commonly used by cryptographic applications. ICSF supports PKCS #11, providing an alternative to IBM®'s Common Cryptographic Architecture (CCA) and broadening the scope of cryptographic applications that can make use of zSeries cryptography. PKCS #11 applications developed for other platforms can be recompiled and run on z/OS®.

The PKCS #11 standard can be found at PKCS#11: Cryptographic Token Interface Standard. This document describes how ICSF supports that standard. The support includes the following:
  • A token data set (TKDS) that serves as a repository for persistent cryptographic keys and certificates used by PKCS #11 applications.
  • Instore memory that serves as a repository for temporary (session-only) cryptographic keys and certificates used by PKCS #11 applications.
  • A C application programming interface (API) that supports a subset of the V2.20 level of the PKCS #11 specification.
  • PKCS #11 specific ICSF callable services. The C API uses these callable services.