Edition SC34-7732-01 - 2025

This edition enhances the original version of this document by describing the following features:

  • A new tool called cpacfinfo is available as part of the s390-tools package, which you can use to retrieve information about CPACF functions and instructions installed on the system.

    On IBM® z17™ and IBM LinuxONE 5 machines, this tool exploits the new query authentication function per CPACF instruction introduced with MSA 13.

  • Table 1 shows additional algorithms and functions that are accelerated by OpenSSL out of the box.
  • The cpacfstats utility provides new and enhanced counters for monitoring the CPACF activities.
  • The description of use cases is enhanced. There are now two separate chapters that describe use cases for connecting OpenSSL with IBMCA and with PKCS#11. Each chapter contains a sub-chapter with a use case how to configure OpenSSL to invoke either a provider or an engine. The use case for connecting OpenSSL with PKCS#11 using a PKCS#11 provider is new.
  • The new IBMCA provider version 2.5.0 supports new parameters and APIs that have previously been introduced into newer OpenSSL releases. These following features are now supported by the IBMCA provider:
    • ECC (since OpenSSL 3.2.0):
      • support of ECDH-KEM key generation
      • support of deterministic ECDSA signatures
    • ECC and RSA (since OpenSSL 3.4.0):
      • support of new sign and verify message APIs for composite hash-then-sign algorithms