
Unraveling CPACF: Harnessing the Power of Accelerated Cryptographic Functions

  

Contributors:  JB Mills and Devonte' Hawkins

In our first blog post, we explored the critical role of cryptography in today's interconnected digital landscape, highlighting its significance in safeguarding sensitive information. We discussed how cryptographic systems rely on algorithms and cryptographic keys to ensure secure communication and data protection, with technologies like CP Assist for Cryptographic Function (CPACF) enhancing cryptographic capabilities. Understanding key concepts such as clear, protected, and secure keys underscores the importance of safeguarding cryptographic processes. Additionally, we examined how secure communication protocols like Secure Sockets Layer (SSL) and Transport Layer Security (TLS) further fortify data protection over networks. In this blog, we'll delve into acquiring CPACF and configuring it effectively on IBM Z and LinuxONE to bolster cryptographic security measures.

CPACF can be enabled on IBM z16, z15, z14, z14 zR1, z13, z13s and LinuxONE. CPACF must be enabled by using Feature Code (FC) 3863. The z/OS operating system automatically detects and uses any available CPACF features. CPACF is typically enabled through system parameters and configurations. System administrators can configure CPACF to accelerate cryptographic operations, enhancing performance and bolstering security measures. One key aspect of CPACF's utilization in z/OS is its integration with cryptographic services and subsystems within the operating environment.

These services and subsystems are designed to leverage CPACF's capabilities, enabling accelerated cryptographic operations while ensuring compatibility with existing applications and systems. z/OS utilizes CPACF to handle cryptographic operations securely and efficiently across a wide range of use cases. Whether encrypting sensitive data in transit, securing communication channels, or protecting stored information, CPACF plays a vital role in fortifying cryptographic processes on z/OS.

On IBM LinuxONE systems, CPACF must be enabled by using Feature Code (FC) 3863. Since ICSF isn’t available on LinuxONE, it uses Common Cryptographic Architecture (CCA) libraries at the Linux distribution and associated kernel level, such as OpenSSL and OpenCryptoki. They play crucial roles in enhancing cryptographic security measures within computing environments.

OpenSSL, an extensively used open-source toolkit, provides a comprehensive array of cryptographic functions and protocols, covering basic encryption and decryption to advanced tasks like key generation and certificate management. Supporting a wide range of cryptographic algorithms, including symmetric and asymmetric encryption, hash functions, and digital signatures, OpenSSL's versatility makes it a preferred choice for implementing secure communication channels, data protection, and identity validation across diverse platforms and applications.

OpenCryptoki acts as an open-source implementation of the PKCS #11 standard, offering a standardized interface for cryptographic operations in hardware security modules (HSMs) and other cryptographic devices. By abstracting hardware-specific details, OpenCryptoki enables applications to interact with cryptographic tokens and HSMs in a vendor-neutral manner, streamlining the integration of cryptographic hardware into software applications and facilitating the deployment of secure cryptographic solutions.
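One way to confirm from a Linux guest that the kernel actually sees CPACF, as an added example that is not from the original post or from IBM: it checks for the `msa` (Message-Security Assist) flag in `/proc/cpuinfo` and lists the algorithms in `/proc/crypto` served by an s390 kernel driver. The sample inputs are constructed, and the function names are hypothetical.

```python
import re

# Constructed samples (not captured output); on a real Linux on IBM Z guest,
# read /proc/cpuinfo and /proc/crypto and pass their contents instead.
SAMPLE_CPUINFO = """\
vendor_id       : IBM/S390
features        : esan3 zarch stfle msa ldisp eimm dfp edat etf3eh highgprs te vx
"""

# One CPACF-backed driver entry and one generic software driver entry.
SAMPLE_CRYPTO = """\
name         : cbc(aes)
driver       : cbc-aes-s390
module       : aes_s390
priority     : 402

name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 100
"""

def has_msa(cpuinfo: str) -> bool:
    """True if the 'features' line lists msa (Message-Security Assist)."""
    for line in cpuinfo.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "features":
            return "msa" in value.split()
    return False

def s390_drivers(proc_crypto: str) -> dict:
    """Map algorithm name -> driver for entries whose driver name ends in -s390."""
    found = {}
    for block in re.split(r"\n\s*\n", proc_crypto.strip()):
        fields = dict((k.strip(), v.strip()) for k, _, v in
                      (ln.partition(":") for ln in block.splitlines()))
        if fields.get("driver", "").endswith("-s390"):
            found[fields.get("name", "?")] = fields["driver"]
    return found

def report(cpuinfo: str, proc_crypto: str) -> str:
    drivers = s390_drivers(proc_crypto)
    lines = [f"msa facility visible: {has_msa(cpuinfo)}"]
    lines += [f"  {name} -> {drv}" for name, drv in sorted(drivers.items())]
    if not any(n == "aes" or n.endswith("(aes)") for n in drivers):
        # Either the module is not loaded or the function is unavailable.
        lines.append("no AES driver backed by CPACF is registered")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_CPUINFO, SAMPLE_CRYPTO))
```

An s390 driver appears in `/proc/crypto` only after its kernel module has been loaded, so a missing entry is a prompt to check the module before concluding that the hardware function is absent.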

Integrated Cryptographic Service Facility (ICSF) stands as IBM's robust cryptographic framework within z/OS. Offering a diverse array of cryptographic services such as encryption, decryption, key management, and digital signatures, ICSF serves as a centralized hub for cryptographic operations. It ensures interoperability and consistency across applications and subsystems through its standardized interface. With its ability to leverage hardware acceleration, including CPACF, ICSF enhances both performance and efficiency by offloading cryptographic tasks to dedicated hardware accelerators. This integration with cryptographic hardware devices, along with centralized management for keys and certificates, fortifies security measures and streamlines administration across the enterprise.


For more information on the customization, configuration, and implementation of CPACF and ICSF, please contact your IBM Representative or Business Partner, or visit https://www.ibm.com.