Crypto as a Service and easy consumable crypto services has become very important in most companies to enable many more applications to consume cryptographic services. Regulatory requirements like PCI and GDPR put encryption demands on sensitive data where ever they are located - on premise or in the cloud. This means that the need for access to cryptographic hardware in both distributed and mainframe environments has also increased. But cryptographic hardware is expensive, and so is the management of it, especially when the crypto hardware is in both distributed and mainframe environments. So how about centralizing the cryptographic capabilities - Or even better, begin leveraging the full potential of already existing hardware?

The Advanced Crypto Service Provider (ACSP) is a remote crypto services solution that enables applications in distributed environments with access to cryptographic hardware over the network. ACSP enables cost effective use of available cryptographic capacity, easy deployment of cryptographic services, and easier key management because the cryptographic key material is centralized and thereby easier to manage. It also allow for a much better utilization of the cryptographic hardware - which is particular true on IBM Z. Multiple decentral HSMs can often be replaced with a single crypto card in IBM Z.

Overview

The IBM DKMS ACSP solution consists of two components, a server component and client component. The client exposes the standard IBM CCA interface or a PKCS#11 interface mapped to CCA. The client provides the business application with a transparent access to the cryptographic services on a centrally managed server equipped with cryptographic hardware.

ACSP Client

The ACSP Client exposes the standard IBM CCA interface, a PKCS#11 interface and a JCE provider to the business applications. The IBM CCA interface is available as a Java and C interface. RestCCA interfaces are also available and the framework lets customers add their own RestCrypto services that can be made with a very simple interface asking for a minimum set of parameters.

  • ACSP client platforms: AIX, Linux, Windows, iOS, zOS (in reality any Java platform)
  • ACSP client APIs: IBM CCA in Java and C, PKCS#11 basic set (mapped to CCA) and a Java JCE Provider (basic set mapped to CCA), Rest APIs
  • User Defined Functions (UDF) that alow customers to build crypto services from more atomic services
  • Access to UDXss are also supported

ACSP Server

On arrival of a new request from a business application, the ACSP server schedules and performs the operation in the hardware, subsequently the response is transferred back to the requesting application. All operations coming through the server are monitored so statistics can be made and acted upon. The server runs on all platforms supporting IBM cryptographic hardware:

  • IBM Z with ICSF on zOS and CEX4C/CEX5C/CEX6 crypto hw
  • Lenovo intel86 (former IBM system x) with Linux and IBM 4767 crypto hw
  • IBM Power with AIX 7/8 and IBM 4767 crypto hw
  • IBM PureFlex systems with IBM 476x
  • Linux on IBM Z

Application development and test

Application developers can write their applications on windows or linux platforms calling the correct CCA crypto functions that exist on IBM Z. When the application is tested it can be deployed on IBM Z without changing the crypto. This also means that the keys to be used can be generated by the IBM Z key management system like EKMF the right way from start. Further, applications can be tested with the right access controls early in the process. Having the right functions and keys available is crucial.

Communication

ACSP is using a client and server authenticated TLS connection over TCP.

Performance and Load Balancing

ACSP imposes practically no reduction in crypto capacity compared to direct utilization. However the response time is influenced by network latency, so the actual performance depends on the quality of the network available. To reduce the impact of network latency it is possible to aggregate crypto commands that are logically called in sequence to one single command. With the ACSP Server installed on zOS on IBM Z the ACSP Server (Java) workload can be handled by any ZIIP processors available.

Key Management

To fully leverage the advantage of having a centralized infrastructure for hardware based cryptography, an efficient key management system is needed to maintain and synchronize the key stores on the ACSP servers. The IBM EKMF Enterprise Key Management system is such a system. For more information about IBM EKMF, please refer to www.ibm.com/security/key-management/ekmf

Ready to buy or need more information?