Hardware cryptography

Learn about hardware cryptography.

z/OS® Connect can be configured to use cryptographic hardware.

Two cryptographic hardware devices are available on IBM Z, the CP Assist for Cryptographic Function (CPACF) and the IBM® Crypto Express cards. These devices are supported in different ways.

CPACF is a set of cryptographic instructions available on all CPs, including zIIPs, IFLs, and General Purpose CPUs. Various symmetric algorithms are supported by the CPACF including DES, 3DES, and AES-CBC, and SHA-based digest algorithms. CPACF provides the potential for significantly improved performance for these operations.

The IBM JVM default security provider (IBMJCE) with IBM Java™ 8 automatically detects and uses the CPACF. However, to benefit from the IBM Crypto Express cards you need to configure an alternative security provider, either IBMJCECCA or IBMJCEHYBRID.
Figure 1. Encryption using the CPACF
Diagram showing the difference between security providers.
Note: For IBMJCECCA to initialize, ICSF must be started and at least one coprocessor must be available. If IBMJCECCA cannot be loaded at initialization, the next provider in the Java security provider list is loaded. You must define the order in which to use security providers in the java.security configuration file.

The IBM Crypto Express cards are optional I/O attached cards that implement additional cryptographic functions. On an IBM z14, this feature is available as a Crypto Express 6S (CEX6S) adapter, or Crypto Express 5S (CEX5S).

By default, the Crypto Express card is a coprocessor (CEX6C) and can support a wider range of callable services that include secure key and clear key support for PKA decrypt, digital signature verify, digital signature generate, including RSA and ECC variants. Alternatively, the card can be configured as an accelerator (CEXCA). In this mode, the card supports only three clear key cryptographic APIs, associated with RSA public key encryption, decryption, and verification. When the cryptographic coprocessor is configured as an accelerator it provides better throughput at the expense of supporting fewer services.

For more information about configuring the JCE providers on z/OS to support hardware cryptography, see z/OS Java Security Frequently Asked Questions.

To learn how z/OS Connect can use hardware cryptography, see either API provider confidentiality and integrity when z/OS Connect is acting as an API provider, or API requester confidentiality and integrity when z/OS Connect is acting as an API requester.