Cryptographic Services

Cryptographic Services includes ICSF (Integrated Cryptographic Service Facility), PKI Services, OCSF (Open Cryptographic Services Facility), and System SSL. Together they provide cryptographic functions for data confidentiality, data integrity, personal identification, digital signatures, and the management of cryptographic keys.

ICSF and PKI Services are provided through the combination of secure cryptographic hardware, the ICSF cryptographic API, and the ICSF administration interface. ICSF supports the Common Cryptographic Architecture (CCA) API, as well as the DES algorithm, RSA public key cryptography, and the Digital Signature Standard (DSS). Note that single-key DES has been withdrawn by NIST and should not be selected for new work; use it only where a legacy peer leaves no alternative. These services support a wide variety of applications with high performance, security, and availability.

Additional functions include:
  • Trusted Key Entry (TKE): the key entry unit for master keys has been replaced by a secure-channel version implemented on a workstation known as the Trusted Key Entry Workstation. The unit is an optional, separately priced feature.
  • Commercial Data Masking Facility (CDMF) supports privacy functions. CDMF is an export-grade DES variant with an effective key length of 40 bits and offers no meaningful confidentiality against current attackers; treat it as a legacy compatibility option only.
  • Public Key API (PKA Support) provides additional formatting and message digest standards.
  • Public Key Cryptography Standards #11 (PKCS #11) API support.

Public Key Infrastructure Services (PKI Services) lets you establish a PKI and act as a certificate authority for your internal and external users, issuing and administering digital certificates in accordance with your own organization's policies. Your users request and obtain certificates through a PKI Services Web application in their own Web browsers, while your authorized PKI administrators approve, modify, or reject those requests through theirs. The Web applications provided with PKI Services are customizable, and a programming exit is also included for advanced customization. Approval of certificate requests can be manual, or automatic when additional authentication, such as a RACF® user ID, is provided. You can issue certificates for different purposes, such as virtual private network (VPN) devices, smart cards, and secure e-mail, through different certificate templates. PKI Services supports the Public Key Infrastructure for X.509 version 3 (PKIX) and Common Data Security Architecture (CDSA) standards.

The OCSF Architecture consists of a set of layered security services and associated programming interfaces designed to furnish an integrated set of information and communication security capabilities. Each layer builds on the more fundamental services of the layer directly below it.

These layers start with fundamental components such as cryptographic algorithms, random numbers, and unique identification information in the lower layers, and build up to digital certificates, key management and recovery mechanisms, and secure transaction protocols in higher layers. The OCSF Architecture is intended to be the multiplatform security architecture that is both horizontally broad and vertically robust.

System SSL supports the SSL V2.0, SSL V3.0, TLS (Transport Layer Security) V1.0, TLS V1.1, and TLS V1.2 protocols. TLS V1.2 is the newest of these and is the version to prefer. SSL V2.0 is prohibited (RFC 6176), SSL V3.0 is deprecated (RFC 7568), and TLS V1.0 and TLS V1.1 are deprecated (RFC 8996); enable any of them only when a specific peer cannot interoperate otherwise, and confirm in your protocol settings that they are off.
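The protocol-floor check described above, as an added example that is not part of this page and does not use the System SSL API itself: it uses the Python standard library's ssl module to build a client context with the weak setting (accept whatever the library can still negotiate) beside the corrected one (TLS V1.2 floor), then audits each context's min/max window against the page's protocol list. System SSL exposes per-protocol enable/disable attributes for the same purpose; the version names, the OBSOLETE set and the two context builders here are this example's own constructions. SSL V2.0 has no entry because current OpenSSL builds cannot negotiate it at all.

```python
import ssl

# Protocol versions named on the page, oldest to newest, mapped to the Python
# ssl module's version constants (constructed table for this example). SSL V2.0
# is omitted: modern OpenSSL cannot speak it, so it is never negotiable here.
VERSION_ORDER = [
    ("SSL V3.0", ssl.TLSVersion.SSLv3),
    ("TLS V1.0", ssl.TLSVersion.TLSv1),
    ("TLS V1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS V1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS V1.3", ssl.TLSVersion.TLSv1_3),
]

# Versions a current deployment must not negotiate: SSL V3.0 (RFC 7568),
# TLS V1.0 and TLS V1.1 (RFC 8996). SSL V2.0 (RFC 6176) is excluded above.
OBSOLETE = {"SSL V3.0", "TLS V1.0", "TLS V1.1"}


def weak_client_context():
    """The weak setting: accept the oldest protocol the library can still speak."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context():
    """The corrected setting: TLS V1.2 floor, peer certificate and hostname checks on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION   # TLS compression is a known side channel (CRIME)
    ctx.verify_mode = ssl.CERT_REQUIRED    # peer must present a chain we trust
    ctx.check_hostname = True              # and its certificate must match the dialled name
    return ctx


def negotiable_versions(ctx):
    """Names of the listed versions that fall inside the context's min/max window."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    allowed = []
    for name, ver in VERSION_ORDER:
        if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and ver < lo:
            continue  # below the configured floor
        if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and ver > hi:
            continue  # above the configured ceiling
        allowed.append(name)
    return allowed


def obsolete_versions(ctx):
    """The subset of negotiable versions a security review should flag."""
    return [name for name in negotiable_versions(ctx) if name in OBSOLETE]


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()),
                       ("hardened", hardened_client_context())):
        print(f"{label:8s} negotiable={negotiable_versions(ctx)} "
              f"obsolete={obsolete_versions(ctx)}")
```

Running the block prints the weak context as still negotiable down to SSL V3.0 and the hardened one as limited to TLS V1.2 and V1.3. The audit deliberately reads the context's configured window rather than attempting a handshake, so it can run as a pre-deployment check with no network access; the same review on a System SSL application means inspecting the protocol attributes it sets before the environment is initialized.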

z/OS® provides a set of C/C++ callable System SSL application programming interfaces that, when used with the z/OS Sockets APIs, provide the functions an application needs to establish secure socket communications.

In addition to the API interfaces for the Secure Sockets Layer and Transport Layer Security protocols, System SSL also provides a suite of Certificate Management APIs. These APIs let you create and manage your own certificate databases, use certificates stored in key databases and key rings for purposes other than SSL, and build and process PKCS #7 standard messages.