Crypto UDX code considerations

A Crypto UDX (User Defined Extensions) is custom code that is installed in the secure hardware of the Crypto Express card. It allows customers to implement their own unique code within the tamper resistant hardware. On IBM Z®, the UDX code is always developed based on customer specifications by IBM® (either the Crypto Competence Center in Denmark or IBM Global Services in the United States) and delivered to the customer for installation inside the Crypto card. There is also a key management software package, DKMS, from the Crypto Competence Center that might require a UDX depending, on the customer environment.

Since a UDX interfaces directly with the card and with ICSF (the z/OS® component that provides a software interface to the crypto hardware), anytime either a new crypto hardware device is installed or the version of ICSF changes, or specific versions of the crypto code changes, the UDX must be rebuilt. If a customer will be migrating from one hardware device to another (for example, from a Crypto Express7S adapter to a Crypto Express8S in an IBM z17) or upgrading the version of ICSF on their new machine, or migrating to a new driver or MCL with new crypto code, the UDX might need to be rebuilt. The UDX rebuild might delay production workload usage.

In most cases, the contract with the service organization covers rebuilding for new hardware and software platforms. Contact the appropriate organization to have the UDX updated and tested. However, you should allow time in the installation schedule for getting the updated UDXs from IBM. Additionally, if the customer's support contract for the UDX has lapsed, there can be extra time that is required to get the paperwork in place.