News
Abstract
IBM i Common Cryptographic Architecture Cryptographic Service Provider (CCA CSP), delivered as IBM i Option 35, will include the support for IBM Cryptographic Hardware Initialization and Maintenance (CHIM) Catcher. This support is provided with IBM i PTFs.
Content
IBM Cryptographic Hardware Initialization and Maintenance (CHIM) Catcher for the IBM 4769 Cryptographic Coprocessor
CHIM is a PCI-compliant interface to configure the IBM 4769 Cryptographic Coprocessor.
With CHIM you can work from a central trusted location to securely manage remote IBM PCIe Cryptographic Coprocessors located in IBM i systems in a hostile environment. Management tasks are done using a specialized workstation, the CHIM workstation. CHIM uses smart cards for profile authentication and storage of coprocessor master key parts.
The CHIM workstation connects via secure sessions to the cryptographic coprocessors to let authorized personnel perform the following tasks:
• View coprocessor status
• View and manage coprocessor configuration
• Manage coprocessor access control (user roles and profiles)
• Generate and load coprocessor master keys
• Create and load operational key parts

CHIM is documented primarily in the "IBM CHIM (Crypto Hardware Initialization and Maintenance) - Workstation User's Guide". The user guide and the software for the CHIM workstation can be downloaded from here. The "Publications and Documentation" offering includes the CHIM manual, while the "4769 Embedded Code Download for 7.x" offering includes the software to be loaded on the CHIM client. Note that an IBM ID is required to access the link.
The following topics address information specific to using CHIM on IBM i.
Requirements
The following are the requirements to use CHIM to manage IBM 4769 Cryptographic Coprocessor(s) located in IBM i systems:
- Installation of the following products (with appropriate PTF levels):
  - 5770SS1 option 35 - CCA Cryptographic Service Provider
  - 5733CY3 - Cryptographic Device Manager
  - 5733SC1 option 1 - OpenSSH, OpenSSL, zlib
- The Secure Shell (SSH) server daemon must be active (use STRTCPSVR *SSHD), must be configured to allow local port forwarding from the CHIM workstation to the CHIM catcher port (which defaults to 50003) on localhost, and must have logging configured for at least the INFO level (the default).
- The CHIM catcher must be active (use STRTCPSVR *CHIM). The CHIM catcher will not start successfully if the previous requirements are not met.
- Cryptographic device descriptions must be created for each IBM 4769 Cryptographic Coprocessor being managed (use CRTDEVCRP) and must be in *ACTIVE status (use VRYCFG or WRKCFGSTS).
- The IBM i user profile used when authenticating from the CHIM workstation must have *IOSYSCFG special authority and have *USE authority for the cryptographic device descriptions for each IBM 4769 Cryptographic Coprocessor being managed.
CHIM Catcher Control
The CHIM catcher is controlled like all other TCP servers on IBM i. The STRTCPSVR, ENDTCPSVR, and CHGTCPSVR commands can be used to manage the CHIM catcher. The server application value for CHIM is *CHIM. The CHIM catcher port is configured with service name "chim" which is set to port 50003. The CHIM catcher will only listen for incoming connections on localhost. The CHIM catcher will end itself if no server activity occurs for 1 hour.
Single/Dual Control
IBM 4769 Cryptographic Coprocessors support both single and dual control operations when performing administrative operations (creating and deleting both roles and profiles). For dual control, those operations are a 2-step process where the first step establishes the desired operation and then the second step enables the operation. Previously, adapters on IBM i have always used single control operations. When managed by CHIM, adapters will be set to run in dual control mode. Most "normal" applications are not affected by single versus dual control, but this may affect existing applications which perform those administrative operations. This includes the Cryptographic Coprocessor Configuration web application currently provided.
Keystores
CHIM provides the ability to manage keys and keystores. Keystores on IBM i correspond to database files (<library-name>/<file-name>). CHIM can manage one keystore for each of three key types: (1) DES, (2) PKA, and (3) AES. The keystore CHIM manages for a given key type is selected by evaluating the following checks in order; the first check that names a keystore wins and the remaining checks are not evaluated.
1. The keystore specified in the cryptographic device description for the adapter being managed by CHIM. Note that only DES and PKA keystores can be specified in cryptographic device descriptions; this check never selects an AES keystore.
2. The keystore specified by the QIBM_CCA_xxx_KEYSTORE system-level environment variable, where xxx is replaced by the key type (DES, PKA, or AES).
3. The keystore specified by the CSUxxxDS system-level environment variable, where xxx is replaced by the key type (DES, PKA, or AES).
4. The default keystore QGPL/QCCAxxxKS, where xxx is replaced by the key type (DES, PKA, or AES).
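The selection order above, written out as an added example (not IBM's code). The device-description keystores and environment variables are passed in as plain dictionaries so the logic can be exercised offline; on a real system the second argument would be the job's system-level environment.

```python
import os
from typing import Dict, Optional

# Key types CHIM can manage keystores for, as listed on this page.
KEY_TYPES = ("DES", "PKA", "AES")


def resolve_keystore(key_type: str,
                     device_desc_keystores: Dict[str, str],
                     env: Optional[Dict[str, str]] = None) -> str:
    """Return the LIBRARY/FILE keystore CHIM would manage for key_type.

    device_desc_keystores: keystores named in the managed adapter's
      cryptographic device description (CRTDEVCRP), keyed "DES"/"PKA".
      An "AES" entry is ignored because a device description cannot name
      an AES keystore.
    env: stands in for the IBM i system-level environment variables
      (defaults to os.environ, which is an assumption for illustration).
    """
    key_type = key_type.upper()
    if key_type not in KEY_TYPES:
        raise ValueError(f"unsupported key type: {key_type}")
    if env is None:
        env = dict(os.environ)

    # Check 1: device description, DES and PKA only.
    if key_type in ("DES", "PKA"):
        ks = device_desc_keystores.get(key_type)
        if ks:
            return ks
    # Check 2: QIBM_CCA_xxx_KEYSTORE environment variable.
    ks = env.get(f"QIBM_CCA_{key_type}_KEYSTORE")
    if ks:
        return ks
    # Check 3: CSUxxxDS environment variable.
    ks = env.get(f"CSU{key_type}DS")
    if ks:
        return ks
    # Check 4: shipped default keystore.
    return f"QGPL/QCCA{key_type}KS"


def resolve_all(device_desc_keystores: Dict[str, str],
                env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Resolve the keystore for every key type, e.g. for a pre-flight report."""
    return {kt: resolve_keystore(kt, device_desc_keystores, env) for kt in KEY_TYPES}
```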
Role and Profile Names
Role and profile names may be encoded in either EBCDIC or ASCII. Role and profile names created by CHIM are encoded in ASCII. This is particularly important when using the CSUALCT() API to log on to or off of the adapter, because many existing IBM i CCA applications build their character strings in EBCDIC. Applications that log on to a profile created by CHIM must specify the user_id in ASCII and, where a passphrase is used, generate the auth_data parameter from a passphrase encoded in ASCII.
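An added example (not IBM's code) of the encoding mismatch described above and of preparing CSUALCT() inputs for a CHIM-created profile. It assumes the user_id is an 8-character blank-padded field and uses code page 037 to stand in for the job's EBCDIC CCSID; the auth_data derivation itself is not reproduced, only the passphrase bytes it must be built from.

```python
EBCDIC = "cp037"      # assumed EBCDIC code page for illustration
USER_ID_LEN = 8       # assumed fixed width of the CSUALCT user_id field


def user_id_bytes(name: str, encoding: str) -> bytes:
    """Blank-pad a profile name to 8 characters and encode it."""
    if len(name) > USER_ID_LEN:
        raise ValueError("profile name longer than 8 characters")
    return name.ljust(USER_ID_LEN).encode(encoding)


def chim_user_id(name: str) -> bytes:
    """user_id for a profile created by CHIM: ASCII, not the job CCSID."""
    return user_id_bytes(name, "ascii")


def chim_passphrase_bytes(passphrase: str) -> bytes:
    """Passphrase bytes that auth_data must be derived from for a CHIM profile.

    Non-ASCII characters raise UnicodeEncodeError rather than silently
    producing bytes the adapter will never match.
    """
    return passphrase.encode("ascii")


def as_seen_by(raw: bytes, reader_encoding: str) -> str:
    """How a tool that assumes reader_encoding displays a stored name.

    This is the 'garbage characters' effect: ASCII names viewed by the
    EBCDIC-based web application, or EBCDIC names viewed by CHIM.
    """
    return raw.decode(reader_encoding, errors="replace")


def encodings_agree(name: str) -> bool:
    """True only if the ASCII and EBCDIC encodings of name are identical bytes."""
    return user_id_bytes(name, "ascii") == user_id_bytes(name, EBCDIC)
```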
Cryptographic Coprocessor Configuration Web Application
CHIM and the Cryptographic Coprocessor Configuration web application can NOT be used together.
The web application will NOT work to manage an adapter previously managed by CHIM. The primary issue is due to the adapters being set to dual mode by CHIM. Many operations will simply fail with return/reason code 8/2433 (Dual control required). Another issue is the profiles and roles created using CHIM will show up as garbage characters because they are encoded in ASCII.
CHIM will also have trouble managing an adapter previously managed by the web application. One issue is that CHIM needs the default role (DFLT0000) to have the original authorities it was shipped with. The default role typically has most authorities removed when the adapter is configured using the web application, and with insufficient authority CHIM cannot discover or manage the adapter. Another issue is that CHIM will show profiles and roles created by the web application as garbage characters because they are encoded in EBCDIC. Those roles and profiles cannot be deleted from CHIM.
To manage an adapter using CHIM which was previously managed by the web application, the adapter should be reinitialized and then configured using CHIM as described in the CHIM user guide. The master key parts can be manually set (and stored) on smart cards using CHIM and a smart card reader to match the previous values configured using the web application. If the same master key is established using CHIM, then there is no need to update any existing keys stored in keystores. As mentioned previously, existing CCA applications may also need to be updated to use profiles and passphrases encoded in ASCII based on the roles and profiles created using CHIM.
CHIM is the more secure solution for management of cryptographic coprocessors and is the recommended tool going forward.
PTF Numbers
The PTF support for this new function is available by applying the following PTFs:
IBM i 7.5
- SJ00560 (5770SS1)
- SJ00554 (5770SS1)
- MJ00552 (5770999)
IBM i 7.4
- SJ00402 (5770SS1)
- SJ00470 (5770SS1)
- MJ00367 (5770999)
Document Information
Modified date: 14 June 2024
UID: ibm17150340