Authors: Richard Kisley, Volker Urban, Eric Rossman
How do you determine the number of IBM Crypto Express cards (IBM Hardware Security Modules - HSMs) that you need and/or when to consider purchasing more cards?
How do you configure and manage the IBM HSM cards after installation?
To get started, here are some of the important questions:
Performance-based capacity planning
Two questions that seem simple at the start, but usually require analysis and planning:
- What capacity do you need for your highest workload at your busiest time of year, for each cryptography application?
  - This will give the maximum burst capacity that you need now for a single system, or the current single-system maximum.
  - The performance metrics gathering methods below can help you determine this for an existing Z system.
  - For migration to IBM Z cryptography from other hardware cryptography providers, the performance white paper links at the end of this post show performance for example calls for both CCA and EP11. For special cases, please contact IBM Crypto support, and we are glad to help.
  - While not specific to cryptography, it is also important to account for the CPU cost of the cryptography calls in your z/OS Workload Manager configuration to ensure that your applications run with sufficient priority.
- What should you allow above the current single-system maximum?
  - Consider capacity for near-term growth plans.
  - Consider allowance for unpredictable bursts or business changes: what is an acceptable threshold for utilization per card in your environment?
  - Consider longer-term growth plans against the time frame it usually takes to add cryptographic capacity to a system, for all systems where the capacity is usually needed.
  - This is the planning single-system maximum.
Continuity
Questions to ask
- What failover needs do you have at each level of system deployment?
  - This usually acts as a multiplier for the planning single-system maximum determined above.
  - Within the system: do you have capacity to maintain applications if a Crypto Express card fails?
  - Across data centers: do you have capacity if a data center needs to go offline and workload shifts?
In practical terms, you usually start with at least 2 cards of each type needed in your environment (e.g. Accelerator, CCA Coprocessor, EP11 Coprocessor) for redundancy. If one card needs to be taken offline (for example, MCL upgrade), the second card (loaded with the same Master Key/Wrapping Key as the first) would be able to handle the same requests.
Determining current single-system maximum with IBM tools
One good method to determine capacity need is to run in an environment with a baseline number of cards and monitor their usage. This can help to establish if over-allowance has occurred if utilization is low, or under-allowance has occurred if utilization is high or bottlenecked at certain times of the year.
The step-by-step process would be:
- Establish a crypto card utilization threshold (for example, 50% utilization)
- Monitor crypto card utilization over a period of time
- If the crypto card utilization exceeds the threshold, decide if you want to plan for more cards
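The threshold process above, combined with the failover questions from the Continuity section, as an added example (not IBM tooling and not code from this post). It runs over constructed per-card utilization samples in a made-up tuple format and assumes identical cards that share load evenly; `growth` and `failover_multiplier` are hypothetical planning parameters.

```python
import math
from collections import defaultdict

# Constructed samples: (interval, card id, utilization %). Not real tool output.
SAMPLES = [
    ("09:00", "card0", 22.0), ("09:00", "card1", 18.0),
    ("12:00", "card0", 41.0), ("12:00", "card1", 37.0),
    ("23:00", "card0", 58.0), ("23:00", "card1", 46.0),  # batch peak
]

def peak_per_card(samples):
    """Highest utilization seen on each card."""
    peaks = defaultdict(float)
    for _, card, util in samples:
        peaks[card] = max(peaks[card], util)
    return dict(peaks)

def cards_over_threshold(samples, threshold_pct):
    """Cards whose peak exceeded the chosen utilization threshold."""
    return sorted(c for c, p in peak_per_card(samples).items() if p > threshold_pct)

def peak_aggregate(samples):
    """Current single-system maximum: busiest interval, summed over all cards."""
    totals = defaultdict(float)
    for interval, _, util in samples:
        totals[interval] += util
    return max(totals.values())

def survives_card_loss(samples, threshold_pct):
    """True if the peak load still fits under the threshold with one card offline.
    Assumes the remaining cards hold the same master key and share load evenly."""
    remaining = len(peak_per_card(samples)) - 1
    return remaining > 0 and peak_aggregate(samples) / remaining <= threshold_pct

def plan_cards(samples, threshold_pct, growth=1.0, failover_multiplier=1.0):
    """Cards needed to keep each at or below the threshold at planning load."""
    planning_max = peak_aggregate(samples) * growth  # planning single-system maximum
    required = planning_max * failover_multiplier
    return max(2, math.ceil(required / threshold_pct))  # at least 2 for redundancy

if __name__ == "__main__":
    print("over threshold:", cards_over_threshold(SAMPLES, 50))
    print("survives one card offline:", survives_card_loss(SAMPLES, 50))
    print("cards to plan for:", plan_cards(SAMPLES, 50, growth=1.2, failover_multiplier=2))
```

With these samples, two cards look adequate on average but cannot absorb the peak interval if one is taken offline, which is the case the failover multiplier is meant to cover.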
Monitoring Card Usage - Hardware Management Console (HMC)/Support Element (SE)
The Monitors Dashboard on the SE can be used in real time to view adapter type and monitor usage. It takes measurements every 15 seconds and displays the value. You can also start a histogram to show adapter utilization as a line graph over time.
https://www.ibm.com/docs/en/module_1721331501652/pdf/HMCVersion2170-30July2025.pdf (Monitors Dashboard, p. 1147)
Monitoring Card Usage - z/OS
There are options within z/OS Resource Measurement Facility (RMF) for viewing and/or monitoring card usage:
Monitoring Card Usage - Linux on IBM Z
The Linux crypto device driver zcrypt allows reporting of raw request counts, available directly or via the output of the lszcrypt tool: https://www.ibm.com/docs/en/linux-on-systems?topic=commands-lszcrypt.
The zcryptstats tool implements a good interface for metrics gathering with automation capabilities built-in: https://www.ibm.com/docs/en/linux-on-systems?topic=z-zcryptstats.
Crypto Card Performance / Throughput
For general crypto card performance throughput, refer to the Crypto Performance white paper associated with your z System / Crypto Express cards.
Management of the IBM Crypto Express cards
Management of an HSM to achieve both secure operations and compliance is a large and complex topic, with international standards and multiple reference guides. IBM resources to get you started are below.
- Start with capacity planning as addressed here
- For configuration of the IBM Crypto Express to set the modes, load firmware or assign Crypto Express Domains to an LPAR, use the Support Element of the HMC. Refer to the SE documentation for your IBM Z; for example, the SE reference for IBM z17 is here.
- Refer to the IBM CCA Operations Management Manual for further details on HSM lifecycle, specific to the IBM CEX8S/4770.
- For configuration and use on IBM z/OS, refer to the Cryptographic Services Integrated Cryptographic Service Facility Overview for z/OS 3.2, which will point to the Administrator's Guide, the System Programmer's Guide, and the Application Programmer's Guide.
- For configuration and use of the IBM CCA for Linux on Z installation package, refer to the Secure Key Solution for CCA Application Programmer's Guide.
- For use of IBM CCA or EP11 with openCryptoki for Linux on IBM Z, refer to OpenCryptoki - An Open Source Implementation of PKCS#11.
- Once basic host packages are installed and configured, you may want to use the Trusted Key Entry workstation (TKE) to configure the Main Wrapping Keys / Master Keys of the IBM Crypto Express, for compliance-grade security. Refer to this TKE resource to get started.