Cryptography facility
The cryptography facility protects the confidentiality of data transmitted between network resources by enciphering and deciphering session data. Cryptography is available for both LU 6.2 and non-LU 6.2 sessions. Support is available for both switched and nonswitched LUs. However, support is not available for binary synchronous communication (BSC) or local non-SNA devices.
The facility establishes cryptographic sessions for application programs and peripheral node LUs that require cryptographic services. For an LU to have a cryptographic session, the host processor must support cryptography.
- Selective - Each end of the session selects the data to be enciphered before transmission. The selection is based on the capability of the session partner and the availability of cryptographic services.
- Required - All outbound data request units are enciphered and all inbound data request units are deciphered.
The encryption facility uses services provided by the z/OS® Integrated Cryptographic Service Facility (ICSF) and IBM® z Systems™ Cryptographic Co-Processor. ICSF is a licensed program that runs under MVS™ and provides access to the hardware cryptographic feature for programming applications. The combination of the hardware cryptographic feature and ICSF provides secure high-speed cryptographic services.
- PCF/CUSP - Refers to any cryptographic product that is compatible with PCF/CUSP.
- CCA - Refers to any cryptographic product that is compatible with Common Cryptographic Architecture (CCA).
The cryptographic facilities provide services that include handling requests that VTAM® receives to generate a cryptographic key. The cryptographic key is used to encipher and decipher session data.
- Define both unique and alternate key-encrypting key names for LUs and CP/SSCPs.
- Switch between cryptographic products while VTAM is running. Note: Switching to PCF/CUSP will terminate any sessions using triple-DES.
- Establish "clear" sessions (without encryption) if ENCR=COND is specified and either session partner does not support cryptography or cryptographic services are temporarily unavailable.
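Because ENCR=COND and selective cryptography both allow some session data to travel unenciphered, a definition review should list every resource that is not coded for required cryptography. The following is an added example, not IBM code: it assumes the ENCR operand values REQD and SEL on APPL and LU definition statements, a fixed-column layout where operands stop before column 72 and a trailing comma continues onto the next line, and a constructed sample.

```python
import re

# Constructed sample definitions (not from a real system).
SAMPLE_DEFS = """\
* constructed sample for the audit below
APPLMAJ  VBUILD TYPE=APPL
PAYROLL  APPL  AUTH=(ACQ),ENCR=REQD
REPORTS  APPL  AUTH=(ACQ),
               ENCR=COND
TERM01   LU    LOCADDR=2,ENCR=SEL
TERM02   LU    LOCADDR=3
"""

# Why a value is reported, following the descriptions in the text above.
FINDINGS = {
    "COND": "clear session allowed if a partner lacks cryptography or services are unavailable",
    "SEL": "selective: each end chooses which data is enciphered",
}

def statements(text):
    """Yield logical statements, joining continuation lines (assumed layout)."""
    pending = ""
    for raw in text.splitlines():
        line = raw[:71].rstrip()              # ignore column 72 onward
        if not line or line.startswith("*"):  # blank line or comment
            continue
        pending += line.strip() if pending else line
        if pending.endswith(","):             # operands continue on next line
            continue
        yield pending
        pending = ""
    if pending:
        yield pending

def audit_encr(text, kinds=("APPL", "LU")):
    """Return (name, encr_value, finding) for statements not coded ENCR=REQD."""
    results = []
    for stmt in statements(text):
        fields = stmt.split(None, 2)
        if len(fields) < 2 or fields[1].upper() not in kinds:
            continue
        name, operands = fields[0], fields[2] if len(fields) > 2 else ""
        m = re.search(r"(?:^|,)ENCR=([A-Z]+)", operands.upper())
        value = m.group(1) if m else None
        if value == "REQD":
            continue
        finding = FINDINGS.get(value, "ENCR=REQD is not coded on this statement")
        results.append((name, value, finding))
    return results
```

A statement reported with no ENCR value may still inherit one from a higher-level definition, so treat those entries as items to check rather than confirmed findings.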