Title:
zSeries Crypto Guide Update.
Author:
Redbooks, IBM.
Physical Description:
1 online resource (366 pages)
Contents:
Front cover -- Notices -- Trademarks -- Contents -- Preface -- The team that wrote this redbook -- Become a published author -- Comments welcome -- Chapter 1. Introduction -- 1.1 IBM Cryptographic Common Architecture -- 1.2 CCA key management functions -- 1.3 Implementing CCA key management concepts in S/390 -- 1.3.1 S/390 Cryptographic Coprocessor Facility (CCF) -- 1.3.2 S/390 PCI Cryptographic Coprocessor (PCICC) -- 1.3.3 S/390 PCI Cryptographic Accelerator (PCICA) -- 1.4 S/390 integrated cryptography implementation -- 1.4.1 S/390 integrated cryptography implementation -- 1.4.2 Enablement of the cryptographic coprocessors -- 1.4.3 LPAR domains and Trusted Key Entry (TKE) -- 1.5 Crypto support for z/VM™ and Linux -- 1.6 Industry standards for cryptographic modules -- Chapter 2. PCICC and PCICA product overview -- 2.1 Description of hardware -- 2.1.1 Definitions -- 2.1.2 Hardware implementation -- 2.1.3 Introduction to the S/390 PCI Cryptographic Coprocessors -- 2.1.4 PCICC card: physical security, handling, and shipping -- 2.2 Adjunct Processor (AP) management -- 2.2.1 Introduction to Adjunct Processor architecture -- 2.2.2 AP management and PCICC initialization -- 2.3 PCICC microcode load -- 2.3.1 The IBM 4758 CCA application -- 2.3.2 The software hierarchy in the coprocessor -- 2.3.3 PCICC microcode patches -- 2.3.4 Function Control Vector (FCV) enablement -- 2.3.5 Software support of PCICC coprocessors -- 2.3.6 The TKE V3.1 Workstation -- Chapter 3. Planning and hardware installation -- 3.1 Hardware requirements -- 3.1.1 Hardware required by product -- 3.2 Feature codes -- 3.3 Concurrent PCICC/PCICA installation tasks -- 3.3.1 First scenario -- 3.3.2 Second scenario (adding PCICC concurrently) -- 3.3.3 Third scenario (UDX installation - hardware side) -- 3.3.4 Removing one PCICC -- 3.4 The z900 channel subsystem.

3.4.1 The z900 internal structure -- 3.4.2 View Hardware Configuration icon (CPC configuration task) -- 3.5 Planning list items -- 3.5.1 Capacity planning considerations -- 3.5.2 Installation of the ordered PCICCs -- 3.6 PR/SM setup -- 3.6.1 Host definitions -- 3.6.2 CCF crypto modules, domains, and authority definitions -- 3.6.3 Authority signature keys on IBM Personal Security Card (PSC) -- 3.6.4 Authority signature key in the TKE Workstation key storage -- 3.6.5 IMP-PKA keys in the workstation key storage -- 3.6.6 Migration of master or operational key parts on PSC -- 3.7 Site security policy -- Chapter 4. Installation, configuration and startup of ICSF -- 4.1 PCICC and PCICA card plugging -- 4.1.1 PCICC enablement -- 4.2 Installing User Defined Extensions (UDX) -- 4.3 LPAR setup -- 4.3.1 The image profile processor page -- 4.3.2 The Crypto page -- 4.3.3 The PCI Crypto page -- 4.3.4 Changing LPAR Cryptographic controls dynamically -- 4.4 Integrated Cryptographic Services Facility (ICSF) setup -- 4.4.1 Major changes from previous releases -- 4.4.2 Started task and the first time start -- 4.4.3 Master Keys -- 4.4.4 Initial Master Key entry with the pass phrase initialization utility -- 4.4.5 Installation of the PCICC and PCICA cards -- 4.4.6 Changing the PKA Master Keys via ICSF panels -- 4.4.7 UDX-related definitions in the OPTIONS Data Set -- 4.4.8 Installation of the UDX shown in ICSF panels -- Chapter 5. Customizing PCICC and CCF using TKE V3.1 -- 5.1 Introduction to the TKE V3.1 Workstation -- 5.1.1 Major changes -- 5.1.2 Before using the new TKE -- 5.1.3 The TKE V3.1 software -- 5.1.4 TKE Workstation installation - general information -- 5.1.5 TKE definitions -- 5.2 TKE Workstation TCP/IP setup -- 5.2.1 z/OS TCP/IP Host Transaction Program -- 5.2.2 TKE Workstation 4758 setup -- 5.2.3 TKE access control administration.

5.2.4 Starting the TKE application -- 5.3 TKE application: managing host Crypto coprocessors -- 5.3.1 Managing modules -- 5.3.2 PCICC and CCF setup on the TKE Workstation -- 5.3.3 Manage and update the Crypto module notebook on TKE -- 5.3.4 PCICC module notebook -- 5.3.5 Crypto CCF notebook -- 5.3.6 Backing up the TKE files -- 5.4 4753 Key Token Migration facility -- Chapter 6. Support functions -- 6.1 RACF access control to ICSF services -- 6.1.1 New profiles in the CSFSERV class -- 6.2 Crypto usage measurement -- 6.2.1 SMF record type 82 -- 6.2.2 SMF record type 70, subtype 2 -- 6.2.3 SMF record type 72, subtype 3 -- 6.3 RMF reporting -- Chapter 7. Linux for zSeries support of cryptographic coprocessors -- 7.1 Support of hardware coprocessors -- 7.1.1 The provided hardware services -- 7.2 Access to cryptographic services -- 7.2.1 Functions of z90crypt API -- 7.2.2 The libica API -- 7.2.3 The PKCS#11 API -- 7.2.4 Functions of the OpenSSL "engine" -- 7.3 Virtualization -- 7.3.1 Using a crypto device in VM -- 7.4 Our installation with a 31-bit Linux -- 7.4.1 Preparation -- 7.4.2 Installing the crypto device driver -- 7.4.3 Running the modified install script -- 7.4.4 Loading the device driver and defining the crypto device node -- 7.4.5 Checking the device status -- 7.5 Low-level testing -- 7.5.1 Installation and test of the Crypto Interface Library (libica) -- 7.6 Example SSL-enabled application: Apache Web server -- 7.7 Low-level test programs -- 7.7.1 testcrtde.c -- 7.7.2 icacrtde.c -- 7.7.3 tell.h -- 7.7.4 tellit.c -- 7.7.5 makecrtde -- 7.7.6 makeicacr -- Appendix A. PCICC User Defined Extensions (UDX) -- UDX overview -- PCICC code structure and UDX -- ICSF and PCICC communications -- UDX invocation -- UDX function code identifier -- The UDX callable service and the stub -- The UDX development process -- What the UDX does, and how.

The PCICC UDX development process -- UDX process phase 2 support -- PCICC UDX generation process overview -- Building the UDX coprocessor executable -- Installing the PCICC UDX -- Designing and developing the host piece of the UDX -- The ICSF callable service and the service stub -- The access control point exit -- Appendix B. Callable services access control points -- The access control points -- Access control points in the PCICC and ICSF -- New access control points and TKE users -- Non TKE users -- New TKE users -- TKE users -- Appendix C. Exploitation of the cryptographic coprocessors -- Exploitation of the zSeries CCFs and PCI coprocessors -- The IBM exploiters -- z/OS System SSL -- z/OS Open Cryptographic Services Facility (OCSF) -- IBM HTTP Server for z/OS -- z/OS LDAP server and client -- CICS Transaction Server and CICS Transaction Gateway -- z/OS TN3270 Server -- z/OS Firewall Technologies -- z/OS DCE -- z/OS Network Authentication Service (Kerberos) -- Payment Processing products -- VTAM Session Level Encryption -- RACF -- z/OS Public Key Infrastructure (PKI) Services -- Crypto Based Transactions (CBT) banking solution -- Java cryptography -- Appendix D. Crypto performance considerations -- General considerations for performance of cryptographic operations -- RMF support for Crypto -- Appendix E. TKE host TCP/IP server setup -- The main TCP/IP files to check and modify -- TCPIP.HOSTS.LOCAL -- TCPIP.DATA -- TCPIP.PROFILE -- TKE Host Transaction Program installation -- CSFTTCP started procedure installation -- The CSFTTKE module -- The CSFTHTP3 REXX exec -- Starting the TKE Host Transaction Program -- Related publications -- IBM Redbooks -- Other resources -- Referenced Web sites -- How to get IBM Redbooks -- IBM Redbooks collections -- Index -- Back cover.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.