Guidelines for using hardware cryptographic features
System SSL handshake processing uses the RSA and digital signature functions, which are expensive when performed in software. For installations with high volumes of SSL handshake processing, using the capabilities of the hardware provides maximum performance and throughput. For example, having a Crypto Express Coprocessor, an Accelerator, or both results in the maximum amount of clear key RSA and digital signature processing being done in hardware.
For installations that are more concerned with the transfer of encrypted data than with SSL handshakes, moving the encrypt/decrypt processing to hardware (CPACF) provides maximum performance. The encryption algorithm is determined by the SSL cipher value. To use hardware, the cipher's symmetric algorithm must be available in hardware. For example, an application encrypting or decrypting data with the symmetric algorithm 3DES or AES would benefit from the processing being done in hardware.
For maximum performance and throughput, use hardware for both the SSL handshake and the data encryption or decryption.
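The following is an added example, not part of this publication or of System SSL itself: a small audit that applies the guideline above to a configured cipher list, reporting which suites can have their handshake (RSA) and bulk (AES or 3DES) work done in hardware and which leave one or both in software. It assumes the cipher list is expressed as IANA-style suite names rather than System SSL's cipher specification values, and the hardware-eligible sets are the examples named in the text, not an exhaustive list of what a given machine supports.

```python
import re
from typing import Dict, List, NamedTuple

# Per the guidelines above: RSA handshake work can go to a Crypto Express
# coprocessor or accelerator, and bulk AES/3DES work can go to CPACF.
# Assumption: these sets reflect only the algorithms the text names.
HW_BULK = {"AES", "3DES"}

class SuiteProfile(NamedTuple):
    name: str
    key_exchange: str   # e.g. "RSA", "ECDHE_RSA", "ECDHE_ECDSA"
    bulk: str           # e.g. "AES", "3DES", "RC4", "NULL"
    handshake_in_hw: bool
    bulk_in_hw: bool

# IANA-style TLS 1.2 names: TLS_<KX>_WITH_<BULK>_<MODE>_<HASH>
_SUITE_RE = re.compile(r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<bulk>.+)$")

def profile_suite(name: str) -> SuiteProfile:
    """Split a suite name into its handshake and bulk parts and mark hardware eligibility."""
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx = m.group("kx")
    bulk = m.group("bulk").split("_")[0]
    # RSA is used either as the key exchange itself (TLS_RSA_...) or as the
    # signature algorithm behind an (EC)DHE exchange (TLS_ECDHE_RSA_...);
    # both are RSA/signature work the hardware can take.
    handshake_hw = "RSA" in kx.split("_")
    return SuiteProfile(name, kx, bulk, handshake_hw, bulk in HW_BULK)

def classify(names: List[str]) -> Dict[str, List[str]]:
    """Bucket suites by how much of their work can be offloaded to hardware."""
    buckets: Dict[str, List[str]] = {
        "full_hw": [], "handshake_only": [], "bulk_only": [], "software": []}
    for p in map(profile_suite, names):
        if p.handshake_in_hw and p.bulk_in_hw:
            buckets["full_hw"].append(p.name)
        elif p.handshake_in_hw:
            buckets["handshake_only"].append(p.name)
        elif p.bulk_in_hw:
            buckets["bulk_only"].append(p.name)
        else:
            buckets["software"].append(p.name)
    return buckets

# Constructed sample cipher list for demonstration; not taken from any system.
SAMPLE_CIPHER_LIST = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_NULL_SHA",
]

if __name__ == "__main__":
    for bucket, suites in classify(SAMPLE_CIPHER_LIST).items():
        print(f"{bucket}: {suites}")
```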
For information about the types of hardware cryptographic features that are supported by ICSF, see z/OS Cryptographic Services ICSF Overview as well as Optional Crypto Express adapters in z/OS Cryptographic Services ICSF Writing PKCS #11 Applications. For information about configuring and using ICSF, see z/OS Cryptographic Services ICSF Administrator's Guide and z/OS Cryptographic Services ICSF System Programmer's Guide.
For products using System SSL, see the specific product publications for information about System SSL and ICSF considerations.
Access to ICSF cryptographic services can be controlled by the z/OS Security Server (RACF). For more information, see the topic about controlling who can use cryptographic keys and services in z/OS Cryptographic Services ICSF Administrator's Guide.