EKMF Web software and hardware prerequisites
Deploying an EKMF Web and pervasive encryption solution on Linux® on IBM® Z and IBM LinuxONE requires minimum levels of hardware and software on Linux.
For software and hardware prerequisites for EKMF Web, see the EKMF Web UI Configuration and Operation Guide, SC28-2022.
Hardware prerequisites
- IBM Z hardware as of IBM z13, or any LinuxONE system with the CPACF feature installed.
- A Crypto Express6S or later configured in CCA coprocessor mode.
- Volumes to be encrypted (for example, SCSI or DASD volumes). For DASD volumes, you can encrypt partitions only, not the complete DASD.
- The AES and APKA master keys must be set using the TKE (or the panel.exe program in a test environment).
Software prerequisites
- Linux kernel upstream version 5.4 or later for the support of secure keys of type CCA-AESCIPHER. Older versions where the required modules have been back-ported might also work.
- The cryptsetup utility version 2.0.3 or later is required to configure an encrypted volume.
- The zkey utility from the s390-tools package (as of upstream version 2.15.1) that contains the enhancements for EKMF Web. Both Red Hat Enterprise Linux 8.4 and SUSE Linux Enterprise 15.3 contain the correct version of zkey.
- The CCA 6.0 package or later from the software-package selection page.
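A POSIX shell check of the kernel, cryptsetup and zkey minimums listed above, added here as an example (it is not from IBM's documentation); it assumes that `uname -r`, `cryptsetup --version` and `zkey --version` print the version as the first dotted number of their output, and it does not check the CCA package.

```shell
#!/bin/sh
# Added example (not IBM's code): compare installed versions with the minimums
# this page lists; the live-mode command output formats are assumptions.
MIN_KERNEL="5.4"
MIN_CRYPTSETUP="2.0.3"
MIN_ZKEY="2.15.1"
# version_ge A B: succeed when dotted version A >= B, comparing each numeric
# field (2.15.1 > 2.9.0, which a plain string compare gets wrong). A distro
# suffix such as "-284.el9.s390x" is dropped before comparing.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while :; do
        # the trailing "." guarantees cut sees a delimiter, even for "5"
        fa=$(printf '%s.\n' "$a" | cut -d. -f"$i")
        fb=$(printf '%s.\n' "$b" | cut -d. -f"$i")
        [ -z "$fa" ] && [ -z "$fb" ] && return 0   # no fields left: equal
        fa=${fa:-0}; fb=${fb:-0}                   # treat 5.4 as 5.4.0
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        i=$((i + 1))
    done
}
# extract_version TEXT: first dotted number in a tool's --version output.
extract_version() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9.]*' | head -n 1
}
# req NAME HAVE NEED: print one result line, fail when HAVE < NEED.
req() {
    if version_ge "$2" "$3"; then
        echo "OK    $1 ${2:-<missing>} (minimum $3)"
    else
        echo "FAIL  $1 ${2:-<missing>} (minimum $3)"; return 1
    fi
}
# check_prereqs KERNEL CRYPTSETUP ZKEY: succeed only when all three are met.
check_prereqs() {
    rc=0
    req kernel     "$1" "$MIN_KERNEL"     || rc=1
    req cryptsetup "$2" "$MIN_CRYPTSETUP" || rc=1
    req zkey       "$3" "$MIN_ZKEY"       || rc=1
    return "$rc"
}
# Live mode ("sh check.sh --live"): assumes each tool prints its version as the
# first dotted number of its --version output; a missing tool shows <missing>.
if [ "${1:-}" = "--live" ]; then
    check_prereqs "$(uname -r)" "$(extract_version "$(cryptsetup --version 2>/dev/null)")" \
        "$(extract_version "$(zkey --version 2>/dev/null)")"
fi
```

Run it with `--live` on the target system; without arguments it only defines the functions, so it can be sourced by other scripts.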
Access rights
The zkey user ID that is to be used for generating keys requires the following access rights:
- EKMF Web roles:
  certificates:import
  certificates:import:untrusted
  keys:active:install
  keys:export
  keys:generate
  keys:non_existing:generate
  keys:non_existing:import
  keys:pre_activation:activate
  keys:read
  keys:write
  keys:write:tags
  templates:read
  user:passcode:create
  If you want to allow zkey to change the key state in EKMF Web when keys are removed from the zkey repository, these roles are also needed:
  keys:active:deactivate
  keys:active:mark_compromised
  See EKMF Web UI Configuration and Operation Guide, SC28-2022 for a full list of roles.
- In RACF, role-specific profiles must be defined: for each role, a profile is defined in the EJBROLE class, and every user ID must have READ access to the profiles that correspond to its required level of access. See EKMF Web UI Configuration and Operation Guide, SC28-2022 for examples.