TKE setup for CCA

Read the summary of steps about how to configure the catcher.exe daemon for Linux® on IBM® Z.

Information on how to configure your TKE environment with CCA coprocessors is in the CCA documentation:

Secure Key Solution with the Common Cryptographic Architecture Application Programmer's Guide

Communication between the TKE workstation and the catcher.exe daemon (controlled by the CSUTKEcat script) can be sent through a plain TCP connection (TCP mode) or, starting with CCA 8.0, a TLS connection (TLS mode). In both modes, the TKE catcher.exe daemon listens on port 50003.

Information about the TLS mode is provided in topic TKE catcher configuration for a TLS connection. Starting with the availability of the TLS mode (CCA 8.0), this mode is the default. You can either set the catcher mode back to TCP mode and then restart the catcher daemon, or complete the TLS mode setup as described.

Summary of the required actions

Here is a summary of the required actions for obtaining and installing the CCA host library including the actions for configuring and starting the TKE catcher.exe daemon. Pointers to the related detailed information in the CCA documentation are provided.

  • Step 1: Download the CCA DEB or RPM package to a temporary directory:

    CCA Host Code for Linux on IBM Z

    1. You need to log on to this page with your IBMid. If you do not have such an account, you are offered a link where you can create one.
    2. Click the View license link to read the license information.
    3. Select the I agree check box to confirm that you had the opportunity to review the license agreement and to agree that you are to be bound by its terms.
    4. Click the I confirm button to confirm your acceptance of the license agreement.
    5. On the opening page, you can then download the following items:
      • CCA Host Installation Package for Linux on IBM Z:

        Separate packages are available for the latest releases of CCA, each package in both RPM and DEB formats. For example, at the time of writing, the name of the most current RPM package was csulcca-8.2.54-01.s390x.rpm.

        Note: Before you continue, read the information provided in the README and RELEASE NOTES files. These files may contain important information which is more up to date than this publication.
      • Furthermore, you can download the License file, a Readme file and the Release Notes.
  • Step 2: Install the appropriate CCA library package. Detailed information on how to install the library is in topic CCA installation instructions of the Secure Key Solution with the Common Cryptographic Architecture Application Programmer's Guide.

    The files required for setting up the CCA TKE environment are listed in topic Files in the RPM or DEB. Check this documentation for the most up to date information.

  • Step 3: Configure the TKE catcher.exe: Use the /etc/cca/catcher.conf configuration file for the CCA catcher.exe daemon (CSUTKEcat). It is used to enable or disable a TLS connection on the server side for communication with the TKE. This file is installed with the default value of TLS_ON set, and thus the catcher daemon is automatically started with a TLS connection upon installation. For more details on enabling or disabling a TLS connection for the catcher, see the CCA documentation Secure Key Solution with the Common Cryptographic Architecture Application Programmer's Guide in topic Files in the RPM or DEB.

  • Step 4: Start the TKE catcher.exe:

    Use the /etc/init.d/CSUTKEcat system initialization script, which automatically starts the catcher.exe daemon when Linux starts. There may be situations when you need to explicitly start or stop the catcher.exe daemon. Select one of the following methods:

    Start or stop the daemon from the command line:

    # /etc/init.d/CSUTKEcat start
    # /etc/init.d/CSUTKEcat stop

    The preferred way for Linux distributions providing systemd is to use the following commands:

    # systemctl start CSUTKEcat
    # systemctl stop CSUTKEcat

    In older distributions without systemd, you may be able to start or stop the catcher.exe using system services:

    # service CSUTKEcat start
    # service CSUTKEcat stop
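
One way to confirm, after starting the daemon, whether the listener on port 50003 actually negotiates TLS or is running in TCP mode. This is an added example, not part of the IBM documentation. It assumes that in TLS mode the daemon begins the TLS handshake immediately after the TCP connect; `probe_catcher` and its result keys are names chosen here.

```python
import socket
import ssl
import sys

CATCHER_PORT = 50003  # port this page gives for both TCP mode and TLS mode


def probe_catcher(host, port=CATCHER_PORT, timeout=3.0):
    """Classify a listener as 'closed', 'tls' or 'no-tls-handshake'.

    Assumption (not stated on the page): in TLS mode the daemon starts the
    TLS handshake directly after the TCP connect, with no STARTTLS upgrade.
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        # Refused, unreachable or timed out: nothing is accepting connections.
        return {"state": "closed"}

    # Identification only: certificate validation is switched off on purpose,
    # so a 'tls' result says nothing about whether the certificate is trusted.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw) as tls:
            return {"state": "tls", "version": tls.version(),
                    "cipher": tls.cipher()[0]}
    except (ssl.SSLError, OSError) as exc:
        # Timeout, reset, EOF or non-TLS bytes: no handshake was completed,
        # which is what a listener in plain TCP mode produces.
        return {"state": "no-tls-handshake", "reason": type(exc).__name__}
    finally:
        raw.close()  # harmless if wrap_socket already took over the socket


if __name__ == "__main__":
    # Usage: python3 probe_catcher.py <host running CSUTKEcat>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, probe_catcher(target))
```

A `no-tls-handshake` result on a system that is expected to run in TLS mode means the setting in /etc/cca/catcher.conf and the TLS setup steps need to be rechecked before the TKE workstation connects.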