Authors: Richard Kisley, Volker Urban, Eric Rossman
How do you determine the number of Crypto Express cards that you need and/or when to consider purchasing more cards?
To get started, here are some of the important questions:
Performance-based capacity planning
Two questions that seem simple at the start, but usually require analysis and planning:
- What capacity do you need for your highest workload at your busiest time of year, for each cryptography application?
  - This will give the maximum burst capacity that you need now for a single system, or the current single-system maximum.
  - The performance metrics gathering methods below can help you determine this for an existing Z system.
  - For migration to IBM Z cryptography from other hardware cryptography providers, the performance white paper links at the end of this post show performance for example calls for both CCA and EP11. For special cases, please contact IBM Crypto support, and we are glad to help.
  - While not specific to cryptography, it is also important to account for the CPU cost of the cryptography calls in your z/OS WorkLoad Manager configuration to ensure that your applications run with sufficient priority.
- What should you allow above the current single-system maximum?
  - Consider capacity for near-term growth plans.
  - Consider allowance for unpredictable bursts or business changes: what is an acceptable threshold for utilization per card in your environment?
  - Consider longer-term growth plans against the time frame it usually takes to add cryptographic capacity to a system, for all systems where the capacity is usually needed.
  - This is the planning single-system maximum.
Continuity
Questions to ask
- What failover needs do you have at each level of system deployment?
  - This usually acts as a multiplier for the planning single-system maximum determined above.
  - Within the system: do you have capacity to maintain applications if a Crypto Express card fails?
  - Across data centers: do you have capacity if a data center needs to go offline and workload shifts?
In practical terms, you usually start with at least 2 cards of each type needed in your environment (e.g. Accelerator, CCA Coprocessor, EP11 Coprocessor) for redundancy. If one card needs to be taken offline (for example, MCL upgrade), the second card (loaded with the same Master Key/Wrapping Key as the first) would be able to handle the same requests.
Determining current single-system maximum with IBM tools
One good method to determine capacity need is to run in an environment with a baseline number of cards and monitor their usage. This can help to establish if over-allowance has occurred if utilization is low, or under-allowance has occurred if utilization is high or bottlenecked at certain times of the year.
The step-by-step process would be:
- Establish a crypto card utilization threshold (for example, 50% utilization)
- Monitor crypto card utilization over a period of time
- If the crypto card utilization exceeds the threshold, decide if you want to plan for more cards
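The threshold check above, combined with the growth and failover allowances from the earlier sections, can be sketched as a small calculation. This is an added example, not an IBM tool: the function names and sample values are constructed, and it assumes identical cards of one type whose load spreads evenly and scales linearly with utilization.

```python
import math

# Constructed sample data: per-interval utilization (%) for each card of one
# type (e.g. CCA coprocessors), as read from a monitoring tool during peak load.
SAMPLES = [
    {"card0": 20, "card1": 25},
    {"card0": 55, "card1": 60},   # busiest interval
    {"card0": 30, "card1": 35},
]

def over_threshold(samples, threshold_pct=50):
    """Step 3: list (interval index, card) pairs that exceeded the threshold."""
    return [(i, card) for i, s in enumerate(samples)
            for card, util in sorted(s.items()) if util > threshold_pct]

def current_single_system_maximum(samples):
    """Busiest interval's total load, expressed in fully utilized cards."""
    if not samples:
        raise ValueError("no utilization samples")
    return max(sum(s.values()) for s in samples) / 100.0

def cards_needed(samples, threshold_pct=50, growth=1.0,
                 failover_multiplier=1.0, cards_offline=1):
    """Cards required so the planning maximum fits under the threshold
    even while `cards_offline` cards are unavailable (failure, MCL upgrade)."""
    planning_max = current_single_system_maximum(samples) * growth
    planning_max *= failover_multiplier       # e.g. 2.0 to absorb a peer site
    working = max(1, math.ceil(planning_max / (threshold_pct / 100.0)))
    return working + cards_offline

if __name__ == "__main__":
    print("over threshold:", over_threshold(SAMPLES))
    print("cards, 20% growth:", cards_needed(SAMPLES, growth=1.2))
    print("cards, plus site failover:",
          cards_needed(SAMPLES, growth=1.2, failover_multiplier=2.0))
```

Run it once per card type (Accelerator, CCA Coprocessor, EP11 Coprocessor), since cards of different types cannot serve each other's requests.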
Monitoring Card Usage - Hardware Management Console (HMC)/Support Element (SE)
The Monitors Dashboard on the SE can be used in real time to view adapter type and monitor usage. It takes measurements every 15 seconds and displays the value. You can also start a histogram to show adapter utilization as a line graph over time.
https://www.ibm.com/docs/en/module_1721331501652/pdf/HMCVersion2170-30July2025.pdf (Monitors Dashboard, p. 1147)
Monitoring Card Usage - z/OS
There are options within z/OS Resource Measurement Facility (RMF) for viewing and/or monitoring card usage:
Monitoring Card Usage - Linux on IBM Z
The Linux crypto device driver zcrypt allows reporting of raw request counts, available directly or via the output of the lszcrypt tool: https://www.ibm.com/docs/en/linux-on-systems?topic=commands-lszcrypt.
The zcryptstats tool implements a good interface for metrics gathering with automation capabilities built-in: https://www.ibm.com/docs/en/linux-on-systems?topic=z-zcryptstats.
Crypto Card Performance / Throughput
For general crypto card performance throughput, refer to the Crypto Performance white paper associated with your Z system / Crypto Express cards.