EKMF Web software and hardware prerequisites

Deploying an EKMF Web and pervasive encryption solution on Linux® on IBM® Z and IBM LinuxONE requires minimum levels of hardware and software on Linux.

For software and hardware prerequisites for EKMF Web, see the EKMF Web UI Configuration and Operation Guide, SC28-2022.

Hardware prerequisites

  • IBM Z hardware as of IBM z13, or any LinuxONE system with the CPACF feature installed.
  • A Crypto Express6S or later configured in CCA coprocessor mode.
  • Volumes to be encrypted (for example, SCSI or DASD volumes). For DASD volumes, you can encrypt partitions only, not the complete DASD.
  • The AES and APKA master keys must be set using the TKE (or the panel.exe program in a test environment).

Software prerequisites

  • Linux kernel upstream version 5.4 or later for the support of secure keys of type CCA-AESCIPHER. Older versions where the required modules have been back-ported might also work.
  • The cryptsetup utility version 2.0.3 or later is required to configure an encrypted volume.
  • The zkey utility from the s390-tools package (as of upstream version 2.15.1) that contains the enhancements for EKMF Web. Both Red Hat Enterprise Linux 8.4 and SUSE Linux Enterprise 15.3 contain the correct version of zkey.
  • The CCA 6.0 package or later from the software-package selection page.
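
The following script is an added example, not part of the IBM documentation. It compares the installed kernel, cryptsetup, and zkey levels against the minimums listed above, and it assumes that `cryptsetup --version` and `zkey --version` each print a dotted version number.

```shell
#!/bin/sh
# Added example: minimum software levels copied from the prerequisites list.
MIN_KERNEL=5.4
MIN_CRYPTSETUP=2.0.3
MIN_ZKEY=2.15.1

# first_version TEXT: print the first dotted version number found in TEXT.
first_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1
}

# version_ge HAVE WANT: succeed if HAVE >= WANT, comparing each dotted field
# numerically (so 2.9 < 2.15.1); a missing field counts as 0.
version_ge() {
    have=$1 want=$2
    while [ -n "$have" ] || [ -n "$want" ]; do
        h=${have%%.*} w=${want%%.*}
        case $have in *.*) have=${have#*.} ;; *) have= ;; esac
        case $want in *.*) want=${want#*.} ;; *) want= ;; esac
        [ "${h:-0}" -gt "${w:-0}" ] && return 0
        [ "${h:-0}" -lt "${w:-0}" ] && return 1
    done
    return 0
}

# check_min NAME MINIMUM VERSION_OUTPUT: report one component, return 1 if too old.
check_min() {
    found=$(first_version "$3")
    if version_ge "$found" "$2"; then
        echo "OK     $1 $found (minimum $2)"
    else
        echo "CHECK  $1 ${found:-not found} (minimum $2)"
        return 1
    fi
}

check_prereqs() {
    rc=0
    # An older kernel is only flagged: required modules may have been back-ported.
    check_min kernel "$MIN_KERNEL" "$(uname -r)" ||
        echo "       verify that CCA-AESCIPHER secure key support was back-ported"
    check_min cryptsetup "$MIN_CRYPTSETUP" "$(cryptsetup --version 2>/dev/null)" || rc=1
    check_min zkey "$MIN_ZKEY" "$(zkey --version 2>/dev/null)" || rc=1
    return "$rc"
}

check_prereqs || echo "One or more software prerequisites need attention."
```

A distribution package can carry back-ported fixes under an older upstream version number, so treat a CHECK line as a prompt to confirm the package level with the distributor.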

Access rights

The zkey user ID that is to be used for generating keys requires the following access rights:

  • EKMF Web roles:
    
    certificates:import
    certificates:import:untrusted
    keys:active:install
    keys:export
    keys:generate
    keys:non_existing:generate
    keys:non_existing:import
    keys:pre_activation:activate
    keys:read
    keys:write
    keys:write:tags
    templates:read
    user:passcode:create
    

    To allow zkey to change the key state in EKMF Web when keys are removed from the zkey repository, the following roles are also required:

     
    keys:active:deactivate
    keys:active:mark_compromised
    

    See EKMF Web UI Configuration and Operation Guide, SC28-2022 for a full list of roles.

  • In RACF, role-specific profiles must be defined in the EJBROLE class, one for each role, and all user IDs must have READ access to the profiles corresponding to their required level of access. See EKMF Web UI Configuration and Operation Guide, SC28-2022 for examples.