PTF UD54382 for APAR DY47834 “CRYPTO EXPRESS 7S CARD IS SHOWN AS CRYPTO EXPRESS 6S OR CEX6S IN COMMAND OUTPUT FOR HARDWARE CRYPTO COMMANDS AND MESSAGES” adds support for the Crypto Express7S (CEX7) card to z/VSE 6.2. The Crypto Express7S is the new-generation cryptographic coprocessor and accelerator on the IBM z15 Model T01 and T02 servers. You can read more about it on the CEX7S / 4769 web site. With the PTF applied, z/VSE 6.2 identifies Crypto Express7S cryptographic coprocessors and accelerators as such and reports them as “CEX7” in messages and command output. Without the PTF applied, Crypto Express7S cards are used in toleration mode: they are treated as Crypto Express6S coprocessors and accelerators and are also reported as such.
The following sample STATUS=CR command output reports three Crypto Express6S cards as “CEX6” and three Crypto Express7S cards as “CEX7”. Cryptographic accelerators are reported with the suffix "A", CCA coprocessors with the suffix "C", and EP11 coprocessors with the suffix "P". Note that EP11 coprocessors cannot be used with z/VSE. Cryptographic accelerators can be used in z/VSE to boost RSA. CCA coprocessors can be used in z/VSE to boost RSA and Elliptic Curve Cryptography (ECC), and as a true random number generator. Note that z/VSE does not make use of the hardware security module (HSM) functionality of CCA coprocessors. ECC is currently supported only by OpenSSL on z/VSE.
MSG FB,DATA=STATUS=CR
AR 0015 1I40I READY
FB 0011 BST223I CURRENT STATUS OF THE SECURITY TRANSACTION SERVER:
FB 0011 CRYPTO DEVICE DRIVER STATUS:
FB 0011 AP CRYPTO SUBTASK STARTED .......... : YES
FB 0011 MAX REQUEST QUEUE SIZE ............. : 0
FB 0011 MAX PENDING QUEUE SIZE ............. : 0
FB 0011 TOTAL NO. OF AP REQUESTS ........... : 0
FB 0011 NO. OF POSTED CALLERS .............. : 0
FB 0011 AP-QUEUE INTERRUPTS AVAILABLE ...... : NO
FB 0011 AP-QUEUE INTERRUPTS STATUS ......... : DISABLED
FB 0011 AP CRYPTO POLLING TIME (1/300 SEC).. : 1
FB 0011 AP CRYPTO WAIT ON BUSY (1/300 SEC).. : 75
FB 0011 AP CRYPTO RETRY COUNT .............. : 5
FB 0011 AP CRYPTO TRACE LEVEL .............. : 3
FB 0011 TOTAL NO. OF WAITS ON BUSY ......... : 0
FB 0011 CURRENT REQUEST QUEUE SIZE ......... : 0
FB 0011 CURRENT PENDING QUEUE SIZE ......... : 0
FB 0011 ASSIGNED APS : CEX2C / CEX2A ....... : 0 / 0
FB 0011 CEX3C / CEX3A ....... : 0 / 0
FB 0011 CEX4C / CEX4A / CEX4P : 0 / 0 / 0
FB 0011 CEX5C / CEX5A / CEX5P : 0 / 0 / 0
FB 0011 CEX6C / CEX6A / CEX6P : 1 / 1 / 1
FB 0011 CEX7C / CEX7A / CEX7P : 1 / 1 / 1
FB 0011 AP 0 : CEX6A - ONLINE
FB 0011 AP 1 : CEX6C - ONLINE
FB 0011 AP 2 : CEX6P - ONLINE
FB 0011 AP 7 : CEX7A - ONLINE
FB 0011 AP 9 : CEX7C - ONLINE
FB 0011 AP 11 : CEX7P - ONLINE
FB 0011 ASSIGNED AP QUEUE (CRYPTO DOMAIN)... : 3
FB 0011 NO. OF AVAILABLE CRYPTO DOMAINS .... : 85
FB 0011 END OF CRYPTO DEVICE DRIVER STATUS
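The suffix rules described above can be checked mechanically against captured console output. The following Python sketch is an added example, not part of z/VSE or of the original post; the function names are hypothetical and the sample text is constructed from the output shown above. It inventories the AP lines, flags EP11 cards that z/VSE cannot use, and compares the AP lines with the ASSIGNED APS counts.

```python
import re

# Constructed sample: a subset of the STATUS=CR console lines shown above.
SAMPLE = """\
FB 0011 CEX6C / CEX6A / CEX6P : 1 / 1 / 1
FB 0011 CEX7C / CEX7A / CEX7P : 1 / 1 / 1
FB 0011 AP 0 : CEX6A - ONLINE
FB 0011 AP 1 : CEX6C - ONLINE
FB 0011 AP 2 : CEX6P - ONLINE
FB 0011 AP 7 : CEX7A - ONLINE
FB 0011 AP 9 : CEX7C - ONLINE
FB 0011 AP 11 : CEX7P - ONLINE
"""

# Suffix -> what z/VSE can use the card for, as stated in the post.
USES = {"A": ["RSA"], "C": ["RSA", "ECC", "TRNG"], "P": []}  # P = EP11, unusable
AP_LINE = re.compile(r"\bAP\s+(\d+)\s*:\s*(CEX\d[ACP])\s*-\s*(\S+)")
COUNT_LINE = re.compile(r"((?:CEX\d[ACP]\s*/\s*)+CEX\d[ACP])[\s.]*:\s*([\d\s/]+)$")

def parse_status(text):
    """Return (cards, summary): per-AP entries and the ASSIGNED APS counts."""
    cards, summary = [], {}
    for line in text.splitlines():
        m = AP_LINE.search(line)
        if m:
            cards.append({"ap": int(m.group(1)), "type": m.group(2),
                          "state": m.group(3), "uses": USES[m.group(2)[-1]]})
        elif (m := COUNT_LINE.search(line.strip())):
            names = re.findall(r"CEX\d[ACP]", m.group(1))
            summary.update(zip(names, map(int, m.group(2).split("/"))))
    return cards, summary

def review(text):
    """Return (findings, usable): issues found and functions z/VSE can offload."""
    cards, summary = parse_status(text)
    findings, listed = [], {}
    for c in cards:
        listed[c["type"]] = listed.get(c["type"], 0) + 1
        if not c["uses"]:
            findings.append(f"AP {c['ap']} {c['type']}: EP11 mode, not usable by z/VSE")
        elif c["state"] != "ONLINE":
            findings.append(f"AP {c['ap']} {c['type']}: state {c['state']}")
    for name, count in summary.items():
        if count != listed.get(name, 0):
            findings.append(f"{name}: {count} assigned, {listed.get(name, 0)} listed")
    usable = sorted({u for c in cards if c["state"] == "ONLINE" for u in c["uses"]})
    return findings, usable
```

On a system without the PTF, Crypto Express7S cards appear as CEX6 in this output, so the inventory cannot tell the two generations apart there.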
The use of Crypto Express cards with z/VSE is documented in detail in the z/VSE Administration manual, chapter Implementing Hardware Cryptographic Support. The IBM Redbooks publication Introduction to the New Mainframe: IBM z/VSE Basics provides an overview in the chapter Cryptographic support in IBM z/VSE. Further information on using hardware cryptographic support with z/VSE networking can be found in the IBM Redbooks publication Enhanced Networking on IBM z/VSE.
By default, the z/VSE hardware cryptographic support is activated by the Basic Security Manager (BSM) security server startup job SECSERV, which runs in partition FB by default. When using an external security manager (ESM), you can use the hardware crypto task IJBHCOPR on z/VSE 6.2 instead of the legacy IJBCRYPT task to activate the z/VSE hardware cryptographic support. IJBHCOPR provides an operator communication interface that is very similar to that of the BSM security server. You can read more about this in the section Using Crypto Support and an External Security Manager of the z/VSE Administration manual.
I greatly appreciate your feedback either in the comments or via the z/VSE contact form.
Disclaimer: My posts and opinions are my own.