Overview
The ICSF Program Product provides secure, high-speed cryptographic services in the z/OS and OS/390® environment. By using cryptographic keys on the Integrated Cryptographic Service Facility (ICSF), you can perform functions such as protecting data, verifying messages, generating and verifying signatures, and managing personal identification numbers (PINs). Cryptographic systems use cryptographic keys. A cryptographic key instructs the cryptographic function in its operation. The security of the cryptographic service and its results depends on safeguarding the cryptographic keys.
Cryptographic systems use a variety of keys that must be securely managed. ICSF uses a hierarchical key management approach and provides one or more master keys to protect all the other keys that are active on your system.
- Compliance-level, hardware-based, master key management for IBM Z host cryptographic coprocessors.
  Notes:
  - Key material can be kept on smart cards. This provides an additional level of data confidentiality and security. The use of smart cards is required to meet some compliance requirements.
  - The same key management mechanisms are also available for many types of Common Cryptographic Architecture (CCA) operational keys.
- Highly secure management of the configuration of the IBM Z host cryptographic coprocessors.
- Highly secure and speedy method to collect configuration data from one IBM Z host cryptographic coprocessor and apply the data to another host cryptographic coprocessor. This feature is used for card cloning in the case of new hardware deployments or recovery situations.
- Grouping support is provided so that multiple IBM Z host cryptographic coprocessors and multiple domains on IBM Z host cryptographic coprocessors can be managed together.
- The TKE provides separation of duties mechanisms to require multiple security officers to perform critical operations.
- The TKE manages IBM Z cryptographic coprocessors through a network-connected IBM Z. The ICSF TKE host transaction program must be started.
- Key registers are loaded from the TKE, but keys are set from ICSF. This requires an active Time Sharing Option/Extended (TSO/E) session on the TKE workstation or another workstation located nearby. The ICSF panels are used to load operational keys from key part registers, set master keys, and initialize or reencipher the CKDS (Cryptographic Key Data Set), PKDS (Public Key Data Set), and TKDS (PKCS #11 Token Data Set). The TSO/E session is also required to disable and enable PKA services so that the Public Key Algorithm (PKA) master keys can be reset and changed and the PKDS can be initialized, reenciphered, and refreshed.