Communication between the TKE and the Crypto Express adapter

The TKE is a powerful appliance used to manage IBM Z® cryptographic coprocessors. It provides hardware-based key management services with proper encryption strength, dual controls, and security-relevant auditing.

In Linux® on IBM® Z and IBM LinuxONE, the TKE accesses and communicates with the cryptographic coprocessors connected to the system through a TKE daemon (or proxy), which you must install on the Linux system.

Figure 1 depicts the environment in which the Trusted Key Entry workstation applications work. Which daemon you need to install depends on the type of application, and therefore on the configuration mode of the Crypto Express adapters:

  • For CCA coprocessors, the daemon is called catcher.exe and listens for TKE commands on port 50003.
  • For EP11 coprocessors, the daemon is called EP11 TKE daemon (EP11TKEd) and listens on port 50004 or 50104.

Figure 1. Trusted Key Entry workstation environment
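The two daemons above are only useful if their listening ports are actually bound on the Linux system, and an unexpected TKE port bound by some other process is worth noticing. The following POSIX shell script is an added example, not code from IBM or from the TKE daemons: it maps the port numbers given above to the daemon expected on them and parses `ss -ltn` output to report which TKE ports are listening. The `ss` output embedded in the script is a constructed sample; run the script with `--live` on a real host to check the actual sockets.

```shell
#!/bin/sh
# Added example: report which TKE daemon ports are bound on this Linux host.
# Port-to-daemon mapping comes from the page text; the check parses `ss -ltn`.

# Map a TCP port to the TKE daemon the page says listens on it.
# Prints an empty line for any other port.
tke_daemon_for_port() {
    case "$1" in
        50003)       printf '%s\n' 'catcher.exe (CCA)' ;;
        50004|50104) printf '%s\n' 'EP11TKEd (EP11)' ;;
        *)           printf '\n' ;;
    esac
}

# Read `ss -ltn`-style output on stdin and print "PORT DAEMON" for each
# TKE port found in LISTEN state (header line skipped, ports de-duplicated).
tke_listening_ports() {
    # Column 4 is "Local Address:Port"; the port is the text after the last ':'
    # which also handles IPv6 forms such as "[::]:50104".
    awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' |
    sort -u |
    while IFS= read -r port; do
        d=$(tke_daemon_for_port "$port")
        if [ -n "$d" ]; then
            printf '%s %s\n' "$port" "$d"
        fi
    done
}

# Constructed sample of `ss -ltn` output (not captured from a real system):
# SSH plus a CCA daemon on IPv4 and an EP11 daemon on IPv6.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:50003       0.0.0.0:*
LISTEN 0      128    [::]:50104          [::]:*'

# With --live and a working `ss`, inspect the real sockets; otherwise use the sample.
if [ "${1:-}" = "--live" ] && command -v ss >/dev/null 2>&1; then
    ss -ltn | tke_listening_ports
else
    printf '%s\n' "$SAMPLE_SS" | tke_listening_ports
fi
```

On a host that should only run the EP11 daemon, a reported `50003 catcher.exe (CCA)` line means something else has bound the CCA port; `ss -ltnp` (as root) shows which process, so the mismatch can be investigated before the TKE is pointed at the system.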

Information on how to set up a Trusted Key Entry workstation is provided in the z/OS Cryptographic Services ICSF Trusted Key Entry Workstation User's Guide, which you can access from the z/OS Cryptographic Services website. You may also find the z/OS Trusted Key Entry Workstation website useful. Despite its z/OS-specific title, the description of the TKE operations is independent of the operating system to which the TKE connects and is therefore also valid for Linux and for both coprocessor configuration modes (CCA and EP11).

Note: Each Crypto Express adapter domain that is to be managed by the TKE via a Linux system must be assigned to the Linux system as a control domain. In addition, the Linux system needs access to at least one usage domain.