Front cover
System z Cryptographic Services and z/OS PKI Services
Hardware cryptography monitoring
PKCS#11 support on z/OS
Java cryptography
Guillaume Hoareau, Nikhil V Kapre, MuHyun Kim, Gerard Laumay, Patrick Kappeler, Jonathan Barney, Joel Porterie, Jean Marc Darees, Vicente Ranieri, Jr., Pekka Hanninen, Dominique Richard, Robert Herman, Daniel L. Turkenkopf
ibm.com/redbooks
International Technical Support Organization
System z Cryptographic Services and z/OS PKI Services May 2008
SG24-7470-00
Note: Before using this information and the product it supports, read the information in “Notices” on page vii.
First Edition (May 2008)
This edition applies to Version 1, Release 9 of z/OS (product number 5694-A01).
© Copyright International Business Machines Corporation 2008. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Notices ...... vii
Trademarks ...... viii
Preface ...... ix
The team that wrote this book ...... ix
Become a published author ...... xi
Comments welcome ...... xi
Part 1. Using cryptography with advanced technologies ...... 1
Chapter 1. System z cryptography infrastructure ...... 3
1.1 Message-security assist ...... 4
1.2 Cryptographic hardware ...... 9
1.2.1 CP Assist for Cryptographic Functions (CPACF) ...... 10
1.2.2 Cryptographic Coprocessor Feature (CCF) ...... 12
1.2.3 PCI Cryptographic Accelerator (PCICA) ...... 13
1.2.4 PCI-X Cryptographic Coprocessor (PCIXCC) ...... 14
1.2.5 Crypto Express 2 Feature ...... 17
1.2.6 Comparison of CPACF, CEX2C, and CEX2A ...... 19
1.3 IBM Common Cryptographic Architecture ...... 20
1.3.1 Rationale for the IBM CCA ...... 20
1.3.2 CCA callable services ...... 21
1.3.3 DES key management ...... 24
1.3.4 PKA key management ...... 30
1.4 ICSF ...... 34
1.4.1 Audit trails ...... 38
1.5 Logical partitioning and System z hardware cryptography exploitation ...... 38
1.6 Monitoring the cryptographic workload on z/OS ...... 39
1.7 Sysplex and System z hardware cryptography ...... 40
1.8 Software requirements ...... 40
Chapter 2. Hardware cryptography activity assessment on System z ...... 41
2.1 What is exploiting the System z hardware cryptography? ...... 42
2.1.1 Hardware cryptography exploitation on z/OS ...... 42
2.1.2 Hardware cryptography exploitation in Linux on System z ...... 46
2.2 Assessing the use of hardware cryptography on z/OS ...... 47
2.2.1 Detecting the use of RACF-protected cryptographic resources ...... 47
2.2.2 z/OS System SSL example ...... 49
2.2.3 The ICSF component trace ...... 56
2.3 Assessing the use of hardware cryptography on z/VSE ...... 58
2.4 Assessing the use of hardware cryptography on Linux on System z ...... 58
2.4.1 Status of the z90crypt device driver ...... 59
2.4.2 Collecting information about hardware cryptography activity ...... 60
2.4.3 Programs that invoke hardware cryptography ...... 61
2.5 Setting up hardware cryptography configuration of z/VM ...... 61
2.5.1 Checking the hardware cryptography configuration with z/VM ...... 63
Chapter 3. Measuring hardware cryptography activity on z/OS with RMF ...... 65
3.1 Overview of ICSF cryptographic workload balancing ...... 66
3.2 SMF reporting of hardware cryptography activity ...... 66
3.3 Using RMF to measure the z/OS hardware cryptography activity ...... 68
3.3.1 RMF data collection infrastructure for hardware cryptography ...... 69
3.4 RMF post-processor reports ...... 70
3.4.1 Crypto Hardware Activity RMF report ...... 71
3.4.2 Crypto Hardware Activity report example ...... 74
3.4.3 Crypto Hardware Activity report without local activity ...... 75
3.4.4 Workload Activity report ...... 75
3.4.5 Overview report ...... 77
Chapter 4. Assessing activity with OMEGAMON XE on z/OS and RMF ...... 79
4.1 Tivoli OMEGAMON XE on z/OS - Cryptographic coprocessor support ...... 80
4.2 OMEGAMON XE on z/OS graphical interface ...... 81
4.3 Measuring activity with RMF and OMEGAMON XE on z/OS ...... 82
4.3.1 SHA-1 activity (CPACF activity) ...... 82
4.3.2 CEX2C activity ...... 85
4.3.3 CEX2A activity ...... 86
4.4 Using the OMEGAMON XE on z/OS Service Call Performance workspace ...... 88
Chapter 5. Java cryptography ...... 91
5.1 Java cryptography ...... 92
5.1.1 Cryptography overview ...... 92
5.1.2 Types of encryption algorithms ...... 95
5.1.3 Key-management challenge ...... 98
5.1.4 Java cryptography in z/OS ...... 99
5.2 Cryptography providers on z/OS ...... 102
5.2.1 How to select a provider (registering a provider in the java.security file) ...... 103
5.2.2 JCE - Java Cryptography Extension ...... 103
5.2.3 JCECCA - JCE using CCA hardware cryptographic devices on z/OS ...... 104
5.2.4 CertPath - Certificate generation and path validation ...... 104
5.2.5 JSSE - Java Secure Sockets Extension (SSL and TLS) ...... 105
5.2.6 Map the providers and algorithms ...... 105
5.3 Setting up hardware cryptographic features ...... 106
5.3.1 Policy files ...... 107
5.4 Keystore and SAF digital certificates (keyrings) ...... 107
5.4.1 JCEKS ...... 108
5.4.2 JCECCAKS ...... 110
5.4.3 JCERACFKS ...... 114
5.4.4 JCECCARACFKS ...... 116
5.5 Tools ...... 120
5.5.1 Software keytool ...... 120
5.5.2 Hardware keytool ...... 120
5.5.3 Different characteristics of keystores ...... 120
5.6 Java examples ...... 121
5.6.1 RSA encryption and decryption ...... 121
5.6.2 RSA signature ...... 124
5.6.3 Symmetric key encryption ...... 127
5.6.4 Generating a true random number ...... 130
5.6.5 Hashing a message ...... 131
5.6.6 Exporting keys from software to hardware keystores ...... 132
5.6.7 Hybrid encryption ...... 134
5.7 SOAP examples ...... 137
5.8 Configuring SSL for WebSphere Application Server hardware cryptography ...... 151
Chapter 6. z/OS PKCS#11 ...... 155
6.1 Public Key Cryptography Standard #11 (PKCS#11) ...... 156
6.1.1 PKCS#11 concepts ...... 156
6.1.2 Benefits of PKCS#11 on z/OS ...... 157
6.1.3 Mapping PKCS#11 concepts to z/OS cryptographic technology ...... 157
6.2 z/OS PKCS#11 infrastructure and setup ...... 158
6.2.1 Tokens ...... 158
6.2.2 Token Key Data Set (TKDS) ...... 159
6.2.3 Controlling access to tokens ...... 161
6.2.4 ICSF services provided by z/OS PKCS#11 ...... 162
6.3 z/OS PKCS#11 token administration ...... 163
6.3.1 ICSF panels, token browser ...... 163
6.3.2 RACF panels and RACDCERT commands ...... 171
6.3.3 gskkyman panels ...... 178
6.3.4 Examples ...... 185
6.4 z/OS PKCS#11 programming example ...... 194
Part 2. Managing keys ...... 205
Chapter 7. z/OS PKI Services ...... 207
7.1 Public Key Infrastructure ...... 208
7.1.1 Certificate life cycle ...... 208
7.1.2 z/OS PKI Services ...... 208
7.1.3 z/OS PKI Services structure ...... 209
7.1.4 Scalability and availability ...... 213
7.2 A product in constant evolution ...... 214
7.2.1 z/OS V1.4 enhancements ...... 214
7.2.2 z/OS V1.5 enhancements ...... 215
7.2.3 z/OS V1.7 enhancements ...... 219
7.2.4 z/OS V1.8 enhancements ...... 222
7.2.5 z/OS V1.9 enhancements ...... 225
7.3 z/OS R9 PKI Services deployment ...... 225
7.3.1 IBM HTTP servers ...... 225
7.3.2 IKYSETUP REXX ...... 240
7.3.3 UNIX environment configuration ...... 247
7.3.4 OCSF and OCEP ...... 252
7.3.5 LDAP directory ...... 253
7.3.6 VSAM ObjectStore and ICL data sets ...... 253
7.3.7 Starting and stopping PKI Services ...... 255
7.4 Accessing our z/OS PKI Services Home page ...... 255
Chapter 8. Sample scenario ...... 257
8.1 Overall architecture ...... 258
8.1.1 Structure of sample scenario ...... 258
8.2 ITSO implementation ...... 260
8.2.1 Java implementation ...... 261
8.2.2 PKI Services core ...... 265
8.2.3 C code implementation ...... 267
Appendix A. Additional material ...... 273
Locating the Web material ...... 273
Using the Web material ...... 273
Related publications ...... 275
Publications ...... 275
How to get Redbooks ...... 275
Help from IBM ...... 275
Index ...... 277
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. These and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), indicating US registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at http://www.ibm.com/legal/copytrade.shtml
The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:
Redbooks (logo)®, OS/390®, System/370™, AIX®, Parallel Sysplex®, Tivoli®, CICS®, PowerPC®, VSE/ESA™, DB2®, RACF®, VTAM®, developerWorks®, Rational®, WebSphere®, Enterprise Systems Architecture/370™, Redbooks®, z/Architecture®, REXX™, z/OS®, eServer™, RMF™, z/VM®, FICON®, S/390®, z/VSE™, IBM®, System z™, z9™, MVS™, System z9®, zSeries®, OMEGAMON®, System/360™
The following terms are trademarks of other companies:
EJB, Enterprise JavaBeans, J2EE, J2SE, Java, JavaBeans, JDK, JNI, JVM, and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Intel, Intel logo, Intel Inside logo, and Intel Centrino logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.
Preface
This IBM® Redbook describes System z cryptographic services and technologies. This document also discusses the cryptographic support available for Java™ and J2EE™ applications and the new support introduced in z/OS® V1.9 for PKCS#11. We briefly describe the new PKI Services enhancement introduced with z/OS V1.9. Finally we provide a sample scenario of how an installation can use this technology, and we explain how to download the sample.
The team that wrote this book
This book was produced by a team of specialists from around the world working at the International Technical Support Organization, Poughkeepsie Center.
Patrick Kappeler has held during his 36-year career in IBM many international positions, all dealing with mainframe hardware and software technical support and education. He is now a lead consulting IT Specialist in the Montpellier European Product and Solutions Support Center (PSSC) and has specialized for the past 10 years on e-business security. He extensively presents, writes, and provides advanced technical support and consulting on this topic worldwide. He is also the co-author and leader of many other ITSO projects on z/OS security and e-business.
Jonathan Barney is an Enterprise Security Architect in the United States. He has six years of experience in z/OS, Java, and UNIX® System Services. He holds a Bachelor of Science degree in Computer Science from Clarkson University. His areas of expertise include Java, RACF® Java security, tape encryption, host encryption facility, the WebSphere® family of products, and the PKI and PGP systems.
Jean Marc Darees joined IBM in 1984 as a MVS™ system engineer. Since this time he has held several specialist and architect positions dealing with mainframes and other technologies that support customer and internal projects. He joined the PSSC in Montpellier in 1997, where he now provides consulting and pre-sales technical support in the area of large IT infrastructures.
Pekka Hanninen is an IT specialist working with the Integrated Technology Services team in Finland. He has over 35 years of experience in IBM large systems software. He has worked at IBM for 11 years, and his areas of expertise include cryptography, RACF, and security administration. He holds certificates for CISSP, CISA, and CISM.
Robert Herman was a Senior IT Specialist, Systems Management Integrator with IBM Global Services in Endicott, New York until his death in 2007. He had 27 years of experience supporting CICS® and related products for a variety of IBM internal and external customer accounts. Bob worked on several IBM Redbooks®, including Enterprise JavaBeans for z/OS and OS/390 CICS Transaction Server.
Guillaume Hoareau is an IT Specialist at the New Technology Center of the PSSC in Montpellier, France. He is responsible for ISV sizing support on the z platform, part of the mission of the Virtual International Competency Center at Montpellier. He has worked on several z/VM® and Linux® for System z projects.
Nikhil V Kapre is an Application Architect in IBM India. He has over 9 years of experience and has been deeply involved in designing solutions for customers around the world. He holds a degree in Industrial Engineering from the Delhi College of Engineering in New Delhi, India. His areas of expertise include Java, J2EE, WebSphere Application Server, WebSphere MQ, ORM (Toplink/Hibernate), and several open source distributions. He spends a significant part of his time in mentoring and training programmers in Java and J2EE and in writing articles.
MuHyun Kim is an Advisory IT Specialist in IBM Korea. He supports field engineers on AIX®, Java, and security issues. Before joining IBM, he worked as a security consultant performing IT audit, penetration test and incident investigation, and developing security policies for four years. He has completed courses at Korea University’s Graduate School of Information Security, majoring in cryptography protocols. He holds certificates for CISA, ITILF, and SCJP.
Gerard Laumay is a System z IBM certified IT Specialist at PSSC in Montpellier, France. He has more than 21 years of experience in the large systems field, as a consultant with IBM customers. His areas of expertise include IBM System z9® hardware, z/OS, z/VM, Linux operating systems, and new workloads on System z. As a member of the zChampion worldwide technical team, he teaches at numerous IBM external and internal conferences. He is a frequent participant in international projects and has written several IBM Redbooks.
Joel Porterie is a Senior IT Specialist who has been with IBM France for 30 years. He works for Network and Channel Connectivity Services in the EMEA Product Support Group. His areas of expertise include z/OS, TCP/IP, VTAM®, OSA-Express, and Parallel Sysplex®. He has taught OSA-Express and FICON® problem determination classes and provided on-site assistance in these areas in numerous countries. He also co-authored the IBM Redbooks Using the IBM S/390 Application StarterPak; OSA-Express Gigabit Ethernet Implementation Guide; OSA-Express Implementation Guide; Introduction to the New Mainframe: Networking; and Communications Server for z/OS V1R7 TCP/IP Implementation, Volume 4 Policy-Based Network Security.
Vicente Ranieri, Jr. is an Executive IT Specialist at the Advanced Technical Support (ATS) team reporting to the Washington Systems Center. He has 28 years of experience working with IBM customers, 23 of which providing technical support for the System z™ platform. He is the System z Security Regional Designated Specialist for Americas South Region, leading several security projects across the region. He writes extensively and has co-authored several Redbooks. He also teaches IBM classes worldwide on all areas of System z security. He has been teaching System z Security Update ITSO workshops since 2001.
Dominique Richard is an IT Specialist at IBM France. He joined IBM in 1982 and was a System Engineer supporting MVS customers in France. Since 2005 he has been part of the European Products and Solutions Support Center, located in Montpellier, where he is involved in testing and establishing benchmarks. He has specialized in the area of host system security.
Daniel L. Turkenkopf is a Solutions Architect in the IBM Design Center for IT Optimization and Business Flexibility located in Poughkeepsie, New York. He leads collaborative design sessions with clients to effectively leverage IBM technology in their infrastructures. His areas of expertise include service-oriented architectures and systems management. Prior to this role, Dan was a J2EE Application Architect with IBM Global Business Services Public Sector where he was responsible for the user interface tier of a multi-billion dollar modernization effort for a federal agency. His Product experience includes WebSphere Application Server, WebSphere Portal Server, and Tivoli® Provisioning Manager. He holds a BA in Mathematics and a BS in Economics with a concentration in Management and Information Systems from the University of Pennsylvania.
Thanks to the following people for their contributions to this project:
Paola Bari, Richard Conway, Robert Haimowitz
International Technical Support Organization, Poughkeepsie Center
Wai Choi, John Dayka, Frank DeGilio, Anne Emerick, Terry Green, Jim Sweeny
IBM Poughkeepsie
Alyson Comer
IBM Endicott
Special thanks to Dario Facchinetti, IBM Italy, for his support in writing the sample C code used in the PKI sample scenario.
Become a published author
Join us for a two- to six-week residency program! Help write a book dealing with specific products or solutions, while getting hands-on experience with leading-edge technologies. You will have the opportunity to team with IBM technical professionals, Business Partners, and Clients.
Your efforts will help increase product acceptance and customer satisfaction. As a bonus, you will develop a network of contacts in IBM development labs, and increase your productivity and marketability.
Find out more about the residency program, browse the residency index, and apply online at: ibm.com/redbooks/residencies.html
Comments welcome
Your comments are important to us!
We want our books to be as helpful as possible. Send us your comments about this book or other IBM Redbooks in one of the following ways:
- Use the online Contact us review Redbooks form found at: ibm.com/redbooks
- Send your comments in an e-mail to: [email protected]
- Mail your comments to: IBM Corporation, International Technical Support Organization, Dept. HYTD Mail Station P099, 2455 South Road, Poughkeepsie, NY 12601-5400
Part 1. Using cryptography with advanced technologies
This part covers the following aspects of cryptography:
- Java middleware - J2EE, WebSphere Application Server, Web services
- PKCS#11
- Cryptography performance and monitoring
Chapter 1. System z cryptography infrastructure
The System z platform offers standard and optional hardware cryptographic devices. These devices are available with the proper software components in the different operating systems to provide applications with APIs to invoke the system’s hardware cryptography and to provide key repository management facilities. In this chapter, we focus on the support z/OS provides for applications using hardware cryptography.
This chapter contains a description of the cryptographic elements of System z and how they can be invoked.
1.1 Message-security assist
The architecture of a system defines its attributes as seen by the programmer - that is, the conceptual structure and functional behavior of the machine, as distinct from the organization of the data flow, the logical design, the physical design, and the performance of any particular implementation. Several dissimilar machine implementations may conform to a single architecture.
z/Architecture® is the next step in the evolution from the System/360™ to the System/370™, System/370 extended architecture (370-XA), Enterprise Systems Architecture/370™ (ESA/370), and Enterprise Systems Architecture/390 (ESA/390). z/Architecture includes most of the facilities of ESA/390 and also provides significant extensions, among which are:
- 64-bit general registers and control registers.
- A 64-bit addressing mode, in addition to the 24-bit and 31-bit addressing modes of ESA/390. Both operand addresses and instruction addresses can be 64-bit addresses.
- The program status word (PSW) is expanded to 16 bytes to contain the larger instruction address. The PSW also contains a newly assigned bit that specifies the 64-bit addressing mode.
IBM announced the z/Architecture in October, 2000. In June, 2003 IBM announced an extension to the z/Architecture called message security assist (MSA). MSA provides the following instructions:
- CIPHER MESSAGE (KM)
- CIPHER MESSAGE WITH CHAINING (KMC)
- COMPUTE INTERMEDIATE MESSAGE DIGEST (KIMD)
- COMPUTE LAST MESSAGE DIGEST (KLMD)
- COMPUTE MESSAGE AUTHENTICATION CODE (KMAC)
Each instruction can perform several functions. The MSA basic facility supplies a query function with each instruction so that the programmer can determine whether a given function is available on a given processor. If a programmer attempts to use a function that is not available, the program receives a program interruption with interruption code 6 (specification exception). In z/OS this code is normally presented as an 0C6 abend.
The MSA basic facility also provides two functions for generating a message digest based on the SHA-1 algorithm. One of these functions is provided with the KIMD instruction, and the other is provided with the KLMD instruction.
The MSA data encryption algorithm (DEA) facility provides the following:
- Six additional functions for encrypting messages, with or without chaining. Three of these functions are provided with the KM instruction and three with the KMC instruction.
- Three additional functions for generating a message authentication code (MAC). These functions are provided with the KMAC instruction.
In September, 2005 IBM announced MSA Extension 1. MSA Extension 1 provides five additional functions as follows:
- Two functions for generating a message digest based on the SHA-256 algorithm. One of these functions is provided with the KIMD instruction, and the other is provided with the KLMD instruction.
- Two functions for encrypting messages using the AES-128 algorithm. One of these functions is provided with the KM instruction and the other with the KMC instruction.
- One function for generating a pseudorandom number.
Each of these instructions has the RRE format shown in Figure 1-1, where R1 and R2 represent general registers. Bits 16-23 of the instruction are ignored.
Figure 1-1 RRE format of the KM, KMC, KIMD, KLMD, and KMAC instructions:
  bits 0-15: op code
  bits 16-23: ignored
  bits 24-27: R1
  bits 28-31: R2
These instructions use registers as follows:
- General register 0 (GR0): Bits 57-63 of GR0 specify the function code of the function that the instruction is to perform. For the KM and KMC instructions, bit 56 of GR0 specifies whether an encryption or decryption operation is to be performed. For the other instructions, bit 56 should be set to 0.
- General register 1 (GR1): GR1 contains the address of the leftmost byte of the parameter block.
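The following C program is an added example, not code from the Redbook. It models the operand conventions just described (the RRE instruction word, the function code and modifier bit in GR0, and the query function's status block) so that the query-before-use discipline can be exercised on any platform; it does not execute KM or the other MSA instructions. The instruction opcodes and the KM function-code numbers are taken from the z/Architecture Principles of Operation rather than from this page, and the 16-byte status block is constructed to look like a processor that has the DEA facility plus MSA Extension 1.

```c
/* Added example: models MSA operand layouts; it does not issue the instructions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 16-bit RRE opcodes of the MSA instructions (from the Principles of Operation). */
#define OP_KM   0xB92Eu
#define OP_KMC  0xB92Fu
#define OP_KIMD 0xB93Eu
#define OP_KLMD 0xB93Fu
#define OP_KMAC 0xB91Eu

/* Function codes shared by KM and KMC (from the Principles of Operation). */
enum { FC_QUERY = 0, FC_DEA = 1, FC_TDEA_128 = 2, FC_TDEA_192 = 3, FC_AES_128 = 18 };

/* Build the 32-bit RRE instruction word of Figure 1-1: op code in bits 0-15,
 * bits 16-23 ignored (left zero), R1 in bits 24-27, R2 in bits 28-31. */
uint32_t encode_rre(uint16_t opcode, unsigned r1, unsigned r2)
{
    return ((uint32_t)opcode << 16) | ((r1 & 0xFu) << 4) | (r2 & 0xFu);
}

/* GR0: bit 56 is the modifier (1 = decipher for KM/KMC), bits 57-63 the function
 * code. Bits are numbered from the left, so bit 63 is the least significant bit. */
uint64_t gr0_for(unsigned function_code, int decipher)
{
    return ((uint64_t)(decipher ? 1 : 0) << 7) | (function_code & 0x7Fu);
}

unsigned gr0_function_code(uint64_t gr0) { return (unsigned)(gr0 & 0x7Fu); }
int      gr0_is_decipher(uint64_t gr0)   { return (int)((gr0 >> 7) & 1u); }

/* The query function (code 0) stores a 128-bit status word in the parameter
 * block addressed by GR1; bit i, counted from the left, is 1 when function
 * code i is installed on this processor. */
int msa_function_available(const uint8_t status[16], unsigned function_code)
{
    if (function_code > 127) return 0;
    return (status[function_code / 8] >> (7 - function_code % 8)) & 1;
}

static void status_set(uint8_t status[16], unsigned fc)
{
    status[fc / 8] |= (uint8_t)(0x80u >> (fc % 8));
}

/* Constructed status block (not captured from real hardware): KM with the DEA
 * facility and MSA Extension 1 installed, i.e. codes 0, 1, 2, 3 and 18. */
void example_km_status(uint8_t status[16])
{
    memset(status, 0, 16);
    status_set(status, FC_QUERY);
    status_set(status, FC_DEA);
    status_set(status, FC_TDEA_128);
    status_set(status, FC_TDEA_192);
    status_set(status, FC_AES_128);
}

/* Return the GR0 value to load, or -1 when the function is not installed. A
 * program that skips this check and issues KM anyway takes the specification
 * exception (0C6 abend under z/OS) described in the text. */
int64_t select_km_function(const uint8_t status[16], unsigned fc, int decipher)
{
    if (!msa_function_available(status, fc)) return -1;
    return (int64_t)gr0_for(fc, decipher);
}

/* Convenience wrappers that run the check against the constructed block. */
int example_km_available(unsigned fc)
{
    uint8_t status[16];
    example_km_status(status);
    return msa_function_available(status, fc);
}

int64_t example_select_km(unsigned fc, int decipher)
{
    uint8_t status[16];
    example_km_status(status);
    return select_km_function(status, fc, decipher);
}

unsigned example_installed_count(void)
{
    uint8_t status[16];
    unsigned fc, n = 0;
    example_km_status(status);
    for (fc = 0; fc < 128; fc++) n += (unsigned)msa_function_available(status, fc);
    return n;
}

int main(void)
{
    printf("KM R2,R4 instruction word: %08X\n", (unsigned)encode_rre(OP_KM, 2, 4));
    printf("GR0 for AES-128 decipher: 0x%02X\n", (unsigned)gr0_for(FC_AES_128, 1));
    printf("AES-192 (code 19) installed: %d\n", example_km_available(19));
    printf("installed KM function codes: %u\n", example_installed_count());
    return 0;
}
```

The only real protection here is the order of operations: issue the query function first, decode the status block, and only then load GR0 with a function code the block reports as installed. The constructed block deliberately leaves AES-192 (code 19) absent so the negative path is exercised too.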