The Crypto Express5 feature can be configured as a coprocessor
for secure key operation or as an accelerator for clear key RSA operations.
If configured as a coprocessor, it may be configured for CCA or
PKCS #11. When configured as the latter, it is known as an
Enterprise PKCS #11 coprocessor.
The Crypto Express5 feature’s configuration may be switched
from a CCA coprocessor to an accelerator and back without undergoing
zeroization. If master keys have been loaded into the registers on
the Crypto Express5 feature, the master keys will not be zeroized
when the configuration is changed.
Note: This does not apply to the Enterprise PKCS #11 coprocessor
configuration. A switch from CCA or accelerator to PKCS #11 will result
in the zeroization of the CCA master keys (DES, AES, RSA, and ECC) and
settings. A switch from PKCS #11 to CCA or accelerator will result in
the zeroization of the P11 master key and settings.
The Crypto Express5 is configured from the support element. See Support
Element Operations Guide, SC28-6820, for details.
When changing the configuration:
- The coprocessor/accelerator must be deactivated on all partitions
using that coprocessor/accelerator. From a z/OS System, you can do
this using the ICSF coprocessor management panel. This allows any
existing work queued to the coprocessor/accelerator to complete and
prevents new work from being enqueued.
- When the configuration change is complete (please allow sufficient
time for the support element to complete the change), the coprocessor/accelerator
can be activated on the ICSF coprocessor management panel. If the
support element hasn't completed the change when a coprocessor/accelerator
is activated, the status will be 'busy'.
- Coprocessors with valid master keys will become active and will
be used to process work. Coprocessors without valid master keys will
need to have a master key loaded. Accelerators will become active
and will be used to process work.