Crypto adapters

The term cryptos is a commonly used abbreviation for adapters that provide cryptographic processing functions. Industry Public Key Cryptography Standards (PKCS) and the Common Cryptographic Architecture (CCA) define various cryptographic functions, external interfaces, and a set of key cryptographic algorithms. These specifications provide a consistent, end-to-end cryptographic architecture across supported operating systems.

The use of the IBM® cryptographic architecture is enabled through Crypto Express features, which provide a secure hardware and programming environment for cryptographic processes. The supported Crypto Express features vary, depending on the system configuration; for example, the z14 supports the Crypto Express6S and Crypto Express5S features. For a list of the cryptographic adapters that are supported on a specific system, see the appropriate system technical guide on the IBM Redbooks® web site at http://www.redbooks.ibm.com/.

DPM automatically discovers cryptographic features that are installed on the system. Each Crypto Express adapter can be configured in one of the following modes.
  • Secure CCA coprocessor (CEX4C) for Federal Information Processing Standard (FIPS) 140-2 Level 4 certification.
  • IBM Enterprise PKCS#11 (EP11) coprocessor (CEX4P) for an industry-standardized set of services that adhere to the PKCS #11 specification v2.20 and more recent amendments.
  • Accelerator (CEX5A) for acceleration of public key and private key cryptographic operations that are used with Secure Sockets Layer/Transport Layer Security (SSL/TLS) processing.

Additionally, you can enable or disable the key import functions that are available through the CP Assist for Cryptographic Functions (CPACF) feature. CPACF supports clear and protected key encryption based on the Advanced Encryption Standard (AES) algorithm, the Secure Hash Algorithm (SHA) with the Data Encryption Standard (DES) algorithm, and the Elliptic Curve Cryptography (ECC) algorithm. For operating systems and applications to take advantage of key encryption support, the partition in which they run must be configured to permit AES, DES, or ECC protected key import functions.

Crypto features are optional and, therefore, might not be installed on the system. If these features are installed, your decision to enable your partition to access them depends on your company's security policies and the workload that your partition will support. Your system planner or security administrator can advise you about the use of available crypto features.