IBM Crypto Education Community

  • 1.  Using ICSF z/OS in a non-mainframe environment

    Posted Thu September 16, 2021 07:35 AM
    Hello,

    Does anyone know if it is possible to use ICSF z/OS as a general installation HSM? For example, we use its features from a non-mainframe environment without the need to make programs on the mainframe (C, Assembler, Cobol... etc). Similar to what is done with DB2 on z/OS, which can be activated from a non-mainframe environment without the need to write programs on the mainframe.

    Thanks.


    ------------------------------
    Renato Almeida de Brito
    ------------------------------


  • 2.  RE: Using ICSF z/OS in a non-mainframe environment

    Posted Thu September 16, 2021 01:00 PM
    Edited by Eric Rossman Thu September 16, 2021 05:05 PM
    <Edited: ACSP was the tool I was trying to think of, not the remote crypto plugin>.

    ------------------------------
    Eric Rossman
    ------------------------------



  • 3.  RE: Using ICSF z/OS in a non-mainframe environment

    IBM Select
    Posted Thu September 16, 2021 01:30 PM

    I think this product from IBM might be helpful.  It has REST API etc. that can be called from distributed or mainframe.

     

    https://www.ibm.com/security/key-management/acsp

     

    We are using it.

     

    Dan

     

     

    Dan W Little | Senior Director, Mainframe Operating Systems | Mainframe & Midrange Hosting Services | Tech Infrastructure | Tech & Ops | RBC | T. 416-348-4502 | C. 647-271-7485

    155 Wellington St W | 5th Floor | Toronto, Ontario M5V 3K7

     

     

    _______________________________________________________________________

    If you received this email in error, please advise the sender (by return email or otherwise) immediately. You have consented to receive the attached electronically at the above-noted email address; please retain a copy of this confirmation for future reference.

    Si vous recevez ce courriel par erreur, veuillez en aviser l'expéditeur immédiatement, par retour de courriel ou par un autre moyen. Vous avez accepté de recevoir le(s) document(s) ci-joint(s) par voie électronique à l'adresse courriel indiquée ci-dessus; veuillez conserver une copie de cette confirmation pour les fins de reference future.






  • 4.  RE: Using ICSF z/OS in a non-mainframe environment

    Posted Thu September 16, 2021 05:04 PM
    Dan, you are exactly right. THAT was the product I was thinking of, not the remote crypto plugin.

    ------------------------------
    Eric Rossman
    ------------------------------



  • 5.  RE: Using ICSF z/OS in a non-mainframe environment

    IBM Select
    Posted Thu September 16, 2021 01:35 PM
    I have no experience with this remote crypto plugin.   It is a little concerning maybe that it refers to zBX which no longer exists to my knowledge.

    <quote>
    Therefore, you should limit the use of the remote crypto plug-in to zEnterprise 196 (z196) systems where applications or appliances deployed on IBM® zEnterprise® BladeCenter® Extensions (zBX) communicates with the remote crypto plug-in over the intraensemble data network (IEDN).
    </quote>

    Dan

    ------------------------------
    Dan Little
    ------------------------------



  • 6.  RE: Using ICSF z/OS in a non-mainframe environment

    Posted Thu September 16, 2021 02:09 PM
    The crypto card is available as a separate product (sold by IBM Z division) that can be installed in a PCI slot in a play machine.

    IIRC the machine code is 4767 or 4668.

    Personally, I would rather have it in a real Z.





  • 7.  RE: Using ICSF z/OS in a non-mainframe environment

    Posted Thu September 16, 2021 02:55 PM
    The Advanced Crypto Service Provider (ACSP) that Dan mentioned would be a good option to explore. It essentially turns IBM Z into a remote crypto HSM.  https://www.ibm.com/security/key-management/acsp

    If you have questions on it, just contact cccc@dk.ibm.com.

    ------------------------------
    Eysha Shirrine
    ------------------------------



  • 8.  RE: Using ICSF z/OS in a non-mainframe environment

    Posted Thu September 16, 2021 03:56 PM
    I would like to thank everyone for their contribution. Let's analyze what is the best alternative for our infrastructure.

    ------------------------------
    Renato Almeida de Brito
    ------------------------------



  • 9.  RE: Using ICSF z/OS in a non-mainframe environment

    Posted Fri September 17, 2021 09:35 AM
    Hi - Henrik from the CCC, I am product owner for the ACSP solution. I will be happy to give a brief introduction to ACSP and it's use cases.
    Regrads - Henrik Lyksborg

    ------------------------------
    Henrik Lyksborg
    ------------------------------