Hardware requirements
In order to make use of the verbs provided in the Common Cryptographic Architecture (CCA) API for Linux® on IBM® Z, your hardware must meet certain minimum requirements.
This is the minimum supported hardware configuration:
- Minimum supported generation of IBM Z® systems: IBM z13®.
- One CEX5S adapter feature configured in CCA cryptographic coprocessor mode assigned to the LPAR or z/VM® guest that uses CCA. This is a CEX5C adapter with CCA 5.0.0z or greater firmware loaded.
- If you plan to use a Trusted Key Entry (TKE) workstation, you must have a TKE V10.0 or later to manage CEX8C adapters and PCI-HSM 2016 compliance mode.
- A TKE V8.0 workstation is required to manage CEX5C adapters.
- A TKE V9.1 workstation is required to manage CEX6C adapters, especially to start exploiting PCI-HSM 2016 compliance mode.
- A TKE V9.2 workstation is required to manage CEX7C adapters.
- A TKE V10.0 or V10.1 workstation is required to manage CEX8C adapters.
- A TKE V10.1 version of the Migrate Host Crypto Module Public Configuration Data application is required if the source or target host HSM is running CCA 8.4 firmware.
For more detailed information about required TKE versions for accessing the various CEX*C features, see CEX8C information.
This is the maximum supported hardware configuration:
- IBM z17™ with carry-forward configuration and CCA host library 8.4 loaded (see also IBM z17 (9175) Technical Guide).
  With the following restrictions:
  - 60 total adapters, minimum of 2 adapters
  - maximum of 16 single adapter features
  - maximum of 30 dual adapter features
  In any combination of:
  - 1-30 FC-0908 (dual CEX8C) features
  - 1-16 FC-0909 (single CEX8C) features
  - 1-30 FC-0898 (dual CEX7C) features
  - 1-16 FC-0899 (single CEX7C) features
This hardware configuration is also supported:
- IBM z16® with 60 CEX8C adapters total in the machine with CCA 8.1z firmware loaded. The CEX8S adapter feature is available as single (feature code 0909) or dual HSM feature (feature code 0908). The maximum number of combined features of all types cannot exceed 60 HSMs on an IBM z16 A01. This means the maximum number for feature code 0908 (dual HSM) is 30, for all other (single HSM) types is 16 when installed exclusively (see IBM z16 (3931) Technical Guide).
- IBM z16 with carry-forward configuration and CCA host library 8.4 loaded.
  With the following restrictions:
  - 60 total adapters, minimum of 2 adapters
  - maximum of 16 single adapter features
  - maximum of 30 dual adapter features
  In any combination of:
  - 1-30 FC-0908 (dual CEX8C) features
  - 1-16 FC-0909 (single CEX8C) features
  - 1-30 FC-0898 (dual CEX7C) features
  - 1-16 FC-0899 (single CEX7C) features
  - 1-16 FC-0893 (single CEX6C) features
- IBM z15® with carry-forward configuration and CCA host library 8.4 loaded.
  With the following restrictions:
  - 60 total adapters, minimum of 2 adapters
  - maximum of 16 single adapter features
  - maximum of 30 dual adapter features
  In any combination of:
  - 1-30 FC-0898 (dual CEX7C) features
  - 1-16 FC-0899 (single CEX7C) features
  - 1-16 FC-0893 (single CEX6C) features
  - 1-16 FC-0890 (single CEX5C) features
- IBM z14® with carry-forward configuration and CCA host library 8.4 loaded.
  With the following restrictions:
  - 16 total adapters, minimum of 2 adapters
  - maximum of 16 single adapter features
  In any combination of:
  - 1-16 FC-0893 (single CEX6C) features
  - 1-16 FC-0890 (single CEX5C) features
- IBM z13® with CCA host library 8.4 loaded.
  With the following restrictions:
  - 16 total adapters, minimum of 2 adapters
  - maximum of 16 single adapter features
  In a combination of:
  - 2-16 FC-0890 (single CEX5C) features
See Concurrent installations for details about a mixed environment of CEX8S and previous CEX*C features.
To determine whether a Crypto Express adapter available to Linux on IBM Z is a CEX5C, CEX6C, CEX7C, or a CEX8C, see Listing CCA coprocessors.
Apply the following APAR fixes on the appropriate z/VM systems to achieve the applicable cryptographic coprocessor support:
On z/VM 7.2, apply the following APAR fixes:
- VM66496: APVIRT live guest relocation (LGR) improvements
- VM66532: Guest exploitation support for CEX8S adapters on the IBM z16 family.
- VM66534: Host interrupt support for APVIRT processing
On z/VM 7.3, apply the following APAR fixes:
- VM66423: Hardware filtering to enforce restrictions on classes of requests. This support is intended to be used to limit operations on shared crypto resources.
For z/VM 7.4, there are no crypto-relevant APARs. The z/VM 7.4 base is adequate.