CP Assist for Cryptographic Function (CPACF) support

Applications that can offload cryptographic operations to CPACF do so through a library such as libICA.

The libICA library includes CPACF interfaces that allow applications to make use of CPACF. This means that the IBM WebSphere Application Server (WAS) Version 8 can exploit IBM® System z® cryptographic features when correctly configured.

The libICA package provides the icainfo command, which lists the cryptographic operations that libICA supports on an IBM System z system. Because CPACF is part of the IBM System z processor complex, the supported operations may vary with the IBM System z system model.

Sample command: icainfo command output on an IBM z196 (Model 2817-M66) system

# icainfo 
The following CP Assist for Cryptographic Function (CPACF) 
operations are supported by libica on this system: 
SHA-1:        yes 
SHA-256:      yes 
SHA-512:      yes 
DES:          yes 
TDES-128:     yes 
TDES-192:     yes 
AES-128:      yes 
AES-192:      yes 
AES-256:      yes 
PRNG:         yes 
CCM-AES-128:  yes 
CMAC-AES-128: yes 
CMAC-AES-192: yes 
CMAC-AES-256: yes

Note: The output of this command becomes important when selecting cryptographic cipher suites for a middleware application. For example, the WAS SSL cipher suite SSL_RSA_WITH_AES_256_CBC_SHA is a CPACF-supported suite (AES-256 and SHA). It is important to select a cipher suite that uses ciphers and hashing functions supported by CPACF.

The libICA package provides another useful command, icastats, which shows statistics about its supported cryptographic functions. Once the application cryptographic setup is done, icastats makes it easy to check whether cryptographic operations that go through the libICA library are executed in hardware or in software. However, applications that use interfaces other than libICA (for example, IBM Crypto for C (ICC)) to communicate with IBM System z cryptographic features are not counted in these statistics.

Sample command: icastats command output

# icastats 
 function | # hardware | # software 
----------+------------+------------ 
    SHA-1 |         12 |          0 
  SHA-224 |          0 |          0 
  SHA-256 |          0 |          0 
  SHA-384 |          0 |          0 
  SHA-512 |          0 |          0 
   RANDOM |          1 |         35 
 MOD EXPO |          7 |          0 
  RSA CRT |         62 |          0  
  DES ENC |          0 |          0 
  DES DEC |          0 |          0 
 3DES ENC |          0 |          0 
 3DES DEC |          0 |          0 
  AES ENC |         94 |          0 
  AES DEC |         93 |          0 
 CMAC GEN |          0 |          0 
 CMAC VER |          0 |          0

The output shows that the cryptographic hardware is used for the authentication process (RSA), for data encryption and decryption with the AES cipher, and for hashes (SHA). This indicates a correctly configured setup for cryptographic hardware support.
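The check described above can be scripted. The following is an added example, not part of the libICA package: it parses the icastats table and labels each function as hardware, software, mixed or unused, so rows with a non-zero software count (RANDOM in the sample above) stand out. The function names are hypothetical and the embedded input is the sample table from this page.

```shell
# Constructed sample input: the icastats table shown above on this page.
sample_icastats() {
cat <<'EOF'
 function | # hardware | # software
----------+------------+------------
    SHA-1 |         12 |          0
  SHA-224 |          0 |          0
  SHA-256 |          0 |          0
  SHA-384 |          0 |          0
  SHA-512 |          0 |          0
   RANDOM |          1 |         35
 MOD EXPO |          7 |          0
  RSA CRT |         62 |          0
  DES ENC |          0 |          0
  DES DEC |          0 |          0
 3DES ENC |          0 |          0
 3DES DEC |          0 |          0
  AES ENC |         94 |          0
  AES DEC |         93 |          0
 CMAC GEN |          0 |          0
 CMAC VER |          0 |          0
EOF
}

# Reads icastats output on stdin; prints "function|hw|sw|verdict" per data row.
classify_icastats() {
    awk -F'|' '
        NF != 3 { next }                      # separator line and non-table text
        {
            name = $1; hw = $2; sw = $3
            gsub(/^[ \t]+|[ \t]+$/, "", name) # trim, keep inner space ("RSA CRT")
            gsub(/[ \t]/, "", hw); gsub(/[ \t]/, "", sw)
            if (hw !~ /^[0-9]+$/ || sw !~ /^[0-9]+$/) next   # header row
            hw += 0; sw += 0                  # force numeric comparison
            if (hw == 0 && sw == 0) v = "unused"
            else if (sw == 0)       v = "hardware"
            else if (hw == 0)       v = "software"
            else                    v = "mixed"
            printf "%s|%d|%d|%s\n", name, hw, sw, v
        }'
}

# Prints only the functions that ran in software at least once.
software_fallbacks() {
    classify_icastats | awk -F'|' '$4 == "software" || $4 == "mixed" { print $1 }'
}

# On a live system: icastats | classify_icastats
sample_icastats | classify_icastats
```

Only operations that go through libICA appear in these counts, so an empty result from software_fallbacks says nothing about applications that use other interfaces such as ICC.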