Server hardware

This topic describes the servers on which the cryptographic hardware features are available.

Regional cryptographic server

Regional cryptographic servers are network-attached, stand-alone devices or dedicated Linux LPARs that perform geography-specific cryptography. Later generations of these servers add international algorithm support. These servers are secure key hardware security modules (HSMs) that operate similar to IBM's PKCS #11 secure coprocessors (CEXnP). They are marketed and serviced by third-party vendors. Currently, the only geography-specific cryptography that is supported by these devices is the Chinese SMx family of algorithms. Secure keys are stored in the TKDS, protected by the Regional Cryptography Server Master Key (RCS-MK).

The network-attached, stand-alone devices require no particular zSeries hardware, but do require communicating with z/OS V1R13 or later and ICSF FMID HCR77B1 or later. ICSF communicates with these devices using TCP/IP, with optional TLS protection. The Linux LPARs require IBM z13 or later hardware. ICSF communicates with the Linux LPARs using TCP/IP, with TLS protection required.

Once configured and online, ICSF makes the algorithms that are offered by these devices available as PKCS #11 vendor-defined extensions.

For information on configuring these devices, see z/OS Cryptographic Services ICSF System Programmer's Guide.
For information on the algorithms offered, see z/OS Cryptographic Services ICSF Writing PKCS #11 Applications and z/OS Cryptographic Services ICSF Application Programmer's Guide.

IBM z13 and IBM z13s

The IBM z13 and IBM z13s provide constraint relief and addresses various customer demands. It has several cryptographic features.

CP Assist for Cryptographic Functions is implemented on every processor. SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 secure hashing is directly available to application programs.
Feature code 3863, CP Assist for Cryptographic Functions (CPACF) DES/TDES Enablement - enables clear key DES and TDES instructions on all CPs. AES 128-bit, AES 192-bit and AES 256-bit support is also available.
Feature code 0890, Crypto Express5 adapter - optional, and only available if you have feature 3863, CPACF DES/TDES Enablement installed. The IBM z13s can support a maximum of 16 adapters. Each feature code has one hardware adapter which can be configured as a CCA coprocessor, a PKCS #11 coprocessor, or an accelerator.

IBM zEnterprise EC12 (zEC12) and IBM zEnterprise BC12 (zBC12)

The IBM zEnterprise EC12 and IBM zEnterprise BC12 provide constraint relief and addresses various customer demands. It has several cryptographic features.

CP Assist for Cryptographic Functions is implemented on every processor. SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 secure hashing is directly available to application programs.
Feature code 3863, CP Assist for Cryptographic Functions (CPACF) DES/TDES Enablement - enables clear key DES and TDES instructions on all CPs. AES 128-bit, AES 192-bit and AES 256-bit support is also available.
Feature code 0864, Crypto Express3 adapter - optional, and only available if you have feature 3863, CPACF DES/TDES Enablement installed. The IBM zEnterprise EC12 can support a maximum of 8 adapters. Each feature code has two coprocessors/accelerators.
Feature code 0865, Crypto Express4 adapter - optional, and only available if you have feature 3863, CPACF DES/TDES Enablement installed. The IBM zEnterprise EC12 can support a maximum of 16 adapters. Each feature code has one hardware adapter which can be configured as a CCA coprocessor, a PKCS #11 coprocessor, or an accelerator.

IBM zEnterprise 196 (z196) and IBM zEnterprise 114 (z114)

The IBM zEnterprise 196 and IBM zEnterprise 114 provide constraint relief and addresses various customer demands. It has several cryptographic features.

CP Assist for Cryptographic Functions is implemented on every processor. SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 secure hashing is directly available to application programs.
Feature code 3863, CP Assist for Cryptographic Functions (CPACF) DES/TDES Enablement – enables clear key DES and TDES instructions on all CPs. AES 128-bit, AES 192-bit and AES 256-bit support is also available.
Feature code 0864, Crypto Express3 adapter – optional, and only available if you have feature 3863, CPACF DES/TDES Enablement installed. The IBM zEnterprise 196 and IBM zEnterprise 114 can support a maximum of 8 adapters. Each feature code has two coprocessors/accelerators.

IBM System z10 Enterprise Class (z10EC) and IBM System z10 Business Class (z10 BC)

The IBM System z10 Enterprise Class and IBM System z10 Business Class provide constraint relief and addresses various customer demands. It has several cryptographic features.

CP Assist for Cryptographic Functions is implemented on every processor. SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 secure hashing is directly available to application programs.
Feature code 3863, CP Assist for Cryptographic Functions (CPACF) DES/TDES Enablement – enables clear key DES and TDES instructions on all CPs. AES 128-bit, AES 192-bit and AES 256-bit support is also available.
Feature code 0863, Crypto Express2 adapter – optional, and only available if you have feature 3863, CPACF DES/TDES Enablement installed. The z10 EC and z10 BC can support a maximum of 8 adapters. Each feature code has two coprocessors/accelerators.
Feature code 0864, Crypto Express3 adapter – optional, and only available if you have feature 3863, CPACF DES/TDES Enablement installed. The z10 EC and z10 BC can support a maximum of 8 adapters. Each feature code has two coprocessors/accelerators.

IBM System z9 Enterprise Class (z9 EC) and IBM System z9 Business Class (z9 BC)

The IBM System z9 Enterprise Class (z9 EC) and IBM System z9 BC provide constraint relief and addresses various customer demands. It has several cryptographic features.

CP Assist for Cryptographic Functions is implemented on every processor. SHA-1, SHA-224 and SHA-256 secure hashing is directly available to application programs.
Feature code 3863, CP Assist for Cryptographic Functions (CPACF) DES/TDES Enablement – enables clear key DES and TDES instructions on all CPs. In addition, ICSF supports hardware implementation of AES 128-bit keys and software implementation of AES 192-bit and AES 256-bit key lengths.
Feature code 0863, Crypto Express2 adapter – optional, and only available if you have feature 3863, CPACF DES/TDES Enablement installed. The IBM System z9 BC can support a maximum of 8 adapters. Each feature code has two coprocessors/accelerators.