IBM Z15 Performance of Cryptographic Operations

Total Page:16

File Type:pdf, Size:1020Kb

IBM Z15 Performance of Cryptographic Operations IBM z15 Cryptographic Performance May 2020 IBM z15 Performance of Cryptographic Operations (Cryptographic Hardware: CPACF, CEX7S) 1 IBM z15 Cryptographic Performance May 2020 © Copyright IBM Corporation 1994, 2019. IBM Corporation Marketing Communications, Server Group Route 100 Somers, NY 10589 U.S.A. Produced in the United States of America All Rights Reserved IBM, the IBM logo, ibm.com, z/OS, RACF, and zEnterprise are trademarks or registered trademarks of International Business Machines Corporation of the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a worldwide basis. Red Hat®, JBoss®, OpenShift®, Fedora®, Hibernate®, Ansible®, CloudForms®, RHCA®, RHCE®, RHCSA®, Ceph®, and Gluster® are trademarks or registered trademarks of Red Hat, Inc. or its subsidiaries in the United States and other countries. Other company, product and service names may be trademarks or service marks of others. IBM may not offer the products, services or features discussed in this document in all countries in which IBM operates, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only IBM's product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any of IBM's intellectual property rights may be used instead of the IBM product, program, or service. Evaluation and verification of operation in conjunction with other products, except those expressly designated by IBM, is the user's responsibility. IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to the IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY, 10504-1785 USA. All statements regarding IBM’s future direction and intent are subject to change or withdrawal without notice and represent goals and objectives only. Performance is in External Throughput Rate (ETR) based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput equivalent to the performance rates stated here. 2 IBM z15 Cryptographic Performance May 2020 Contents IBM z15 Performance of Cryptographic Operations ................................................................. 1 (Cryptographic Hardware: CPACF, CEX7S) ...................................................................... 1 Preface .................................................................................................................................. 5 1. Introduction ....................................................................................................................... 5 2. Cryptographic Hardware Supported on z15 ...................................................................... 6 2.1 Central Processor Assist for Cryptographic Function (CPACF) ................................... 6 2.2 Crypto Express7S (CEX7S) Feature ........................................................................... 7 3. Performance Information ................................................................................................... 9 3.1 Definitions .................................................................................................................... 9 3.2 CP Assist for Cryptographic Function (CPACF) ........................................................... 9 3.2.1 CPACF Performance - MSA Architecture Interface ................................................... 9 3.2.1.1 CPACF MSA Architecture Interface - Clear Key Mode ......................................... 10 3.2.1.2 CPACF MSA Architecture Interface - Protected Key Mode .................................. 14 3.2.2 CPACF Performance - ICSF API ............................................................................ 17 3.2.2.1 CPACF ICSF API - Clear Key Operations ............................................................ 18 3.2.2.2 CPACF ICSF API - Protected Key Operations ..................................................... 20 3.3 Crypto Express7S Performance (z/OS) ..................................................................... 23 3.3.1 CEX7S CCA Coprocessor (CEX7C) - Encryption/Decryption and MAC Operations ......................................................................................................................................... 24 3.3.2 CEX7S CCA Coprocessor – Key Management ...................................................... 27 3.3.3 CEX7S CCA Coprocessor - Financial Services ...................................................... 27 3.3.4 CEX7S CCA Coprocessor - VISA Format Preserving Encryption (FPE) ................. 28 3.3.5 CEX7S CCA Coprocessor - Random Number Generation ..................................... 28 3.3.6 CEX7S CCA Coprocessor - PKA Operations .......................................................... 29 3.3.7 CEX7S CCA Coprocessor - PCI-HSM mode .......................................................... 31 3.3.8 CEX7S Enterprise PKCS #11 Coprocessor (CEX7P) – Encryption / Decryption and HMAC operations ............................................................................................................ 32 3.3.9 CEX7S Enterprise PKCS #11 Coprocessor (CEX7P) - PKA Operations ................ 34 3.3.10 CEX7S Accelerator Performance .......................................................................... 36 3.4 Crypto Express7S Performance (Linux on Z) ............................................................ 37 3.4.1 CEX7S CCA Coprocessor (CEX7C) - Encryption/Decryption ................................. 37 3.4.2 CEX7S CCA Coprocessor – Financial Services Examples ..................................... 39 3.4.3 CEX7S CCA Coprocessor - VISA Format Preserving Encryption (FPE) ................. 40 3 IBM z15 Cryptographic Performance May 2020 3.4.4 CEX7S CCA Coprocessor - Random Number Generation ..................................... 40 3.4.5 CEX7S CCA Coprocessor - PKA Operations .......................................................... 40 3.5 SSL Handshake Performance ................................................................................... 42 3.5.1 SSL / TLS Protocol based Communication ............................................................. 42 3.5.2 System SSL with z/OS V2R4 and Cryptographic Support for z/OS V2R1-V2R4 (ICSF FMID HCR77D1) ................................................................................................... 44 4 IBM z15 Cryptographic Performance May 2020 Preface The performance information presented in this publication was measured on IBMTM z15TM in an unconstrained environment for the specific benchmark with a system control program (operating system) as specified. Many factors may result in variances between the presented information and the information a customer may obtain by trying to reproduce the data. IBM does not guarantee that your results will correspond to the results herein. This information is provided ‘as is’ without warranty, express or implied. The features described herein are presented for informational purposes; actual performance and security characteristics may vary depending on individual customer configurations and conditions. The performance numbers stated for some of the operations are only for demonstration purposes. When quoting some key length or cryptographic algorithms one may not conclude that IBM implies the key length or cryptographic algorithm is adequate and can therefore be used safely. The cryptographic functions described here may not be available in all countries and may require special enablement subject to export regulations. 1. Introduction The purpose of this publication is to provide performance information to the user of cryptographic services on z15. z15 supports the following cryptographic hardware features: 1. Central Processor Assist for Cryptographic Function (CPACF). 2. Crypto Express5S (CEX5S) feature. 3. Crypto Express6S (CEX6S) feature. 4. Crypto Express7S (CEX7S) feature. The CPACF delivers cryptographic support for Advanced Encryption Standard (AES), Triple DES (TDES) and Data Encryption Standard (DES) data encryption/decryption, Secure Hash Algorithm (SHA) and some PKCS#11 Public Key Algorithms. The Crypto Express5S, CryptoExpress6S and Crypto Express7S features are supported on z15, however this document does not present performance information for CEX5S or CEX6S. Performance information for CEX5S on z13TM
Recommended publications
  • Optimizing the Ceph Distributed File System for High Performance Computing
    Optimizing the Ceph Distributed File System for High Performance Computing Kisik Jeong Carl Duffy Jin-Soo Kim Joonwon Lee Sungkyunkwan University Seoul National University Seoul National University Sungkyunkwan University Suwon, South Korea Seoul, South Korea Seoul, South Korea Suwon, South Korea [email protected] [email protected] [email protected] [email protected] Abstract—With increasing demand for running big data ana- ditional HPC workloads. Traditional HPC workloads perform lytics and machine learning workloads with diverse data types, reads from a large shared file stored in a file system, followed high performance computing (HPC) systems consequently need by writes to the file system in a parallel manner. In this case, to support diverse types of storage services. Ceph is one possible candidate for such HPC environments, as Ceph provides inter- a storage service should provide good sequential read/write faces for object, block, and file storage. Ceph, however, is not performance. However, Ceph divides large files into a number designed for HPC environments, thus it needs to be optimized of chunks and distributes them to several different disks. This for HPC workloads. In this paper, we find and analyze problems feature has two main problems in HPC environments: 1) Ceph that arise when running HPC workloads on Ceph, and propose translates sequential accesses into random accesses, 2) Ceph a novel optimization technique called F2FS-split, based on the F2FS file system and several other optimizations. We measure needs to manage many files, incurring high journal overheads the performance of Ceph in HPC environments, and show that in the underlying file system.
    [Show full text]
  • Proxmox Ve Mit Ceph &
    PROXMOX VE MIT CEPH & ZFS ZUKUNFTSSICHERE INFRASTRUKTUR IM RECHENZENTRUM Alwin Antreich Proxmox Server Solutions GmbH FrOSCon 14 | 10. August 2019 Alwin Antreich Software Entwickler @ Proxmox 15 Jahre in der IT als Willkommen! System / Netzwerk Administrator FrOSCon 14 | 10.08.2019 2/33 Proxmox Server Solutions GmbH Aktive Community Proxmox seit 2005 Globales Partnernetz in Wien (AT) Proxmox Mail Gateway Enterprise (AGPL,v3) Proxmox VE (AGPL,v3) Support & Services FrOSCon 14 | 10.08.2019 3/33 Traditionelle Infrastruktur FrOSCon 14 | 10.08.2019 4/33 Hyperkonvergenz FrOSCon 14 | 10.08.2019 5/33 Hyperkonvergente Infrastruktur FrOSCon 14 | 10.08.2019 6/33 Voraussetzung für Hyperkonvergenz CPU / RAM / Netzwerk / Storage Verwende immer genug von allem. FrOSCon 14 | 10.08.2019 7/33 FrOSCon 14 | 10.08.2019 8/33 Was ist ‚das‘? ● Ceph & ZFS - software-basierte Storagelösungen ● ZFS lokal / Ceph verteilt im Netzwerk ● Hervorragende Performance, Verfügbarkeit und https://ceph.io/ Skalierbarkeit ● Verwaltung und Überwachung mit Proxmox VE ● Technischer Support für Ceph & ZFS inkludiert in Proxmox Subskription http://open-zfs.org/ FrOSCon 14 | 10.08.2019 9/33 FrOSCon 14 | 10.08.2019 10/33 FrOSCon 14 | 10.08.2019 11/33 ZFS Architektur FrOSCon 14 | 10.08.2019 12/33 ZFS ARC, L2ARC and ZIL With ZIL Without ZIL ARC RAM ARC RAM ZIL ZIL Application HDD Application SSD HDD FrOSCon 14 | 10.08.2019 13/33 FrOSCon 14 | 10.08.2019 14/33 FrOSCon 14 | 10.08.2019 15/33 Ceph Network Ceph Docs: https://docs.ceph.com/docs/master/ FrOSCon 14 | 10.08.2019 16/33 FrOSCon
    [Show full text]
  • Red Hat Openstack* Platform with Red Hat Ceph* Storage
    Intel® Data Center Blocks for Cloud – Red Hat* OpenStack* Platform with Red Hat Ceph* Storage Reference Architecture Guide for deploying a private cloud based on Red Hat OpenStack* Platform with Red Hat Ceph Storage using Intel® Server Products. Rev 1.0 January 2017 Intel® Server Products and Solutions <Blank page> Intel® Data Center Blocks for Cloud – Red Hat* OpenStack* Platform with Red Hat Ceph* Storage Document Revision History Date Revision Changes January 2017 1.0 Initial release. 3 Intel® Data Center Blocks for Cloud – Red Hat® OpenStack® Platform with Red Hat Ceph Storage Disclaimers Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software, or service activation. Learn more at Intel.com, or from the OEM or retailer. You may not use or facilitate the use of this document in connection with any infringement or other legal analysis concerning Intel products described herein. You agree to grant Intel a non-exclusive, royalty-free license to any patent claim thereafter drafted which includes subject matter disclosed herein. No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document. The products described may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade. Copies of documents which have an order number and are referenced in this document may be obtained by calling 1-800-548-4725 or by visiting www.intel.com/design/literature.htm.
    [Show full text]
  • Red Hat Data Analytics Infrastructure Solution
    TECHNOLOGY DETAIL RED HAT DATA ANALYTICS INFRASTRUCTURE SOLUTION TABLE OF CONTENTS 1 INTRODUCTION ................................................................................................................ 2 2 RED HAT DATA ANALYTICS INFRASTRUCTURE SOLUTION ..................................... 2 2.1 The evolution of analytics infrastructure ....................................................................................... 3 Give data scientists and data 2.2 Benefits of a shared data repository on Red Hat Ceph Storage .............................................. 3 analytics teams access to their own clusters without the unnec- 2.3 Solution components ...........................................................................................................................4 essary cost and complexity of 3 TESTING ENVIRONMENT OVERVIEW ............................................................................ 4 duplicating Hadoop Distributed File System (HDFS) datasets. 4 RELATIVE COST AND PERFORMANCE COMPARISON ................................................ 6 4.1 Findings summary ................................................................................................................................. 6 Rapidly deploy and decom- 4.2 Workload details .................................................................................................................................... 7 mission analytics clusters on 4.3 24-hour ingest ........................................................................................................................................8
    [Show full text]
  • Unlock Bigdata Analytic Efficiency with Ceph Data Lake
    Unlock Bigdata Analytic Efficiency With Ceph Data Lake Jian Zhang, Yong Fu, March, 2018 Agenda . Background & Motivations . The Workloads, Reference Architecture Evolution and Performance Optimization . Performance Comparison with Remote HDFS . Summary & Next Step 3 Challenges of scaling Hadoop* Storage BOUNDED Storage and Compute resources on Hadoop Nodes brings challenges Data Capacity Silos Costs Performance & efficiency Typical Challenges Data/Capacity Multiple Storage Silos Space, Spent, Power, Utilization Upgrade Cost Inadequate Performance Provisioning And Configuration Source: 451 Research, Voice of the Enterprise: Storage Q4 2015 *Other names and brands may be claimed as the property of others. 4 Options To Address The Challenges Compute and Large Cluster More Clusters Storage Disaggregation • Lacks isolation - • Cost of • Isolation of high- noisy neighbors duplicating priority workloads hinder SLAs datasets across • Shared big • Lacks elasticity - clusters datasets rigid cluster size • Lacks on-demand • On-demand • Can’t scale provisioning provisioning compute/storage • Can’t scale • compute/storage costs separately compute/storage costs scale costs separately separately Compute and Storage disaggregation provides Simplicity, Elasticity, Isolation 5 Unified Hadoop* File System and API for cloud storage Hadoop Compatible File System abstraction layer: Unified storage API interface Hadoop fs –ls s3a://job/ adl:// oss:// s3n:// gs:// s3:// s3a:// wasb:// 2006 2008 2014 2015 2016 6 Proposal: Apache Hadoop* with disagreed Object Storage SQL …… Hadoop Services • Virtual Machine • Container • Bare Metal HCFS Compute 1 Compute 2 Compute 3 … Compute N Object Storage Services Object Object Object Object • Co-located with gateway Storage 1 Storage 2 Storage 3 … Storage N • Dynamic DNS or load balancer • Data protection via storage replication or erasure code Disaggregated Object Storage Cluster • Storage tiering *Other names and brands may be claimed as the property of others.
    [Show full text]
  • Evaluation of Active Storage Strategies for the Lustre Parallel File System
    Evaluation of Active Storage Strategies for the Lustre Parallel File System Juan Piernas Jarek Nieplocha Evan J. Felix Pacific Northwest National Pacific Northwest National Pacific Northwest National Laboratory Laboratory Laboratory P.O. Box 999 P.O. Box 999 P.O. Box 999 Richland, WA 99352 Richland, WA 99352 Richland, WA 99352 [email protected] [email protected] [email protected] ABSTRACT umes of data remains a challenging problem. Despite the Active Storage provides an opportunity for reducing the improvements of storage capacities, the cost of bandwidth amount of data movement between storage and compute for moving data between the processing nodes and the stor- nodes of a parallel filesystem such as Lustre, and PVFS. age devices has not improved at the same rate as the disk ca- It allows certain types of data processing operations to be pacity. One approach to reduce the bandwidth requirements performed directly on the storage nodes of modern paral- between storage and compute devices is, when possible, to lel filesystems, near the data they manage. This is possible move computation closer to the storage devices. Similarly by exploiting the underutilized processor and memory re- to the processing-in-memory (PIM) approach for random ac- sources of storage nodes that are implemented using general cess memory [16], the active disk concept was proposed for purpose servers and operating systems. In this paper, we hard disk storage systems [1, 15, 24]. The active disk idea present a novel user-space implementation of Active Storage exploits the processing power of the embedded hard drive for Lustre, and compare it to the traditional kernel-based controller to process the data on the disk without the need implementation.
    [Show full text]
  • Design and Implementation of Archival Storage Component of OAIS Reference Model
    Masaryk University Faculty of Informatics Design and implementation of Archival Storage component of OAIS Reference Model Master’s Thesis Jan Tomášek Brno, Spring 2018 Masaryk University Faculty of Informatics Design and implementation of Archival Storage component of OAIS Reference Model Master’s Thesis Jan Tomášek Brno, Spring 2018 Declaration Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Jan Tomášek Advisor: doc. RNDr. Tomáš Pitner Ph.D. i Acknowledgement I would like to express my gratitude to my supervisor, doc. RNDr. Tomáš Pitner, Ph.D. for valuable advice concerning formal aspects of my thesis, readiness to help and unprecedented responsiveness. Next, I would like to thank to RNDr. Miroslav Bartošek, CSc. for providing me with long-term preservation literature, to RNDr. Michal Růžička, Ph.D. for managing the very helpful internal documents of the ARCLib project, and to the whole ARCLib team for the great col- laboration and willingness to meet up and discuss questions emerged during the implementation. I would also like to thank to my colleagues from the inQool com- pany for providing me with this opportunity, help in solving of practi- cal issues, and for the time flexibility needed to finish this work. Last but not least, I would like to thank to my closest family and friends for all the moral support. iii Abstract This thesis deals with the development of the Archival Storage module of the Reference Model for an Open Archival Information System.
    [Show full text]
  • Ceph Done Right for Openstack
    Solution Brief: + Ceph done right for OpenStack The rise of OpenStack For years, the desire to standardize on an OpenStack deployments vary drastically open platform and adopt uniform APIs was as business and application needs vary the primary driver behind OpenStack’s rise By its nature and by design from the outset, OpenStack introduces across public and private clouds. choice for every aspect and component that comprises the cloud system. Cloud architects who deploy OpenStack enjoy Deployments continue to grow rapidly; with more and larger a cloud platform that is flexible, open and customizable. clouds, deep adoption throughout users’ cloud infrastructure and maturing technology as clouds move into production. Compute, network and storage resources are selected by business requirement and application needs. For storage needs, OpenStack OpenStack’s top attributes are, not surprisingly, shared by the most cloud architects typically choose Ceph as the storage system for its popular storage software for deployments: Ceph. With Ceph, users scalability, versatility and rich OpenStack support. get all the benefits of open source software, along with interfaces for object, block and file-level storage that give OpenStack what While OpenStack cloud architects find Ceph integrates nicely it needs to run at its best. Plus, the combination of OpenStack without too much effort, actually configuring Ceph to perform and Ceph enables clouds to get faster and more reliable requires experienced expertise in Ceph Software Defined Storage the larger they get. (SDS) itself, hardware architecture, storage device selection and networking technologies. Once applications are deployed It sounds like a match made in heaven - and it is - but it can also be within an OpenStack cloud configured for Ceph SDS, running a challenge if you have your heart set on a DIY approach.
    [Show full text]
  • Shared File Systems: Determining the Best Choice for Your Distributed SAS® Foundation Applications Margaret Crevar, SAS Institute Inc., Cary, NC
    Paper SAS569-2017 Shared File Systems: Determining the Best Choice for your Distributed SAS® Foundation Applications Margaret Crevar, SAS Institute Inc., Cary, NC ABSTRACT If you are planning on deploying SAS® Grid Manager and SAS® Enterprise BI (or other distributed SAS® Foundation applications) with load balanced servers on multiple operating systems instances, , a shared file system is required. In order to determine the best shared file system choice for a given deployment, it is important to understand how the file system is used, the SAS® I/O workload characteristics performed on it, and the stressors that SAS Foundation applications produce on the file system. For the purposes of this paper, we use the term "shared file system" to mean both a clustered file system and shared file system, even though" shared" can denote a network file system and a distributed file system – not clustered. INTRODUCTION This paper examines the shared file systems that are most commonly used with SAS and reviews their strengths and weaknesses. SAS GRID COMPUTING REQUIREMENTS FOR SHARED FILE SYSTEMS Before we get into the reasons why a shared file system is needed for SAS® Grid Computing, let’s briefly discuss the SAS I/O characteristics. GENERAL SAS I/O CHARACTERISTICS SAS Foundation creates a high volume of predominately large-block, sequential access I/O, generally at block sizes of 64K, 128K, or 256K, and the interactions with data storage are significantly different from typical interactive applications and RDBMSs. Here are some major points to understand (more details about the bullets below can be found in this paper): SAS tends to perform large sequential Reads and Writes.
    [Show full text]
  • Cs 5412/Lecture 24. Ceph: a Scalable High-Performance Distributed File System
    CS 5412/LECTURE 24. CEPH: A Ken Birman SCALABLE HIGH-PERFORMANCE Spring, 2019 DISTRIBUTED FILE SYSTEM HTTP://WWW.CS.CORNELL.EDU/COURSES/CS5412/2019SP 1 HDFS LIMITATIONS Although many applications are designed to use the normal “POSIX” file system API (operations like file create/open, read/write, close, rename/replace, delete, and snapshot), some modern applications find POSIX inefficient. Some main issues: HDFS can handle big files, but treats them as sequences of fixed-size blocks. Many application are object-oriented HDFS lacks some of the “file system management” tools big-data needs HTTP://WWW.CS.CORNELL.EDU/COURSES/CS5412/2019SP 2 CEPH PROJECT Created by Sage Weihl, a PhD student at U.C. Santa Cruz Later became a company and then was acquired into Red Hat Linux Now the “InkStack” portion of Linux offers Ceph plus various tools to leverage it, and Ceph is starting to replace HDFS worldwide. Ceph is similar in some ways to HDFS but unrelated to it. Many big data systems are migrating to the system. HTTP://WWW.CS.CORNELL.EDU/COURSES/CS5412/2019SP 3 CEPH HAS THREE “APIS” First is the standard POSIX file system API. You can use Ceph in any situation where you might use GFS, HDFS, NFS, etc. Second, there are extensions to POSIX that allow Ceph to offer better performance in supercomputing systems, like at CERN. Finally, Ceph has a lowest layer called RADOS that can be used directly as a key-value object store. HTTP://WWW.CS.CORNELL.EDU/COURSES/CS5412/2019SP 4 WHY TALK DIRECTLY TO RADOS? SERIALIZATION/DESERIALIZATION! When an object is in memory, the data associated with it is managed by the class (or type) definition, and can include pointers, fields with gaps or other “subtle” properties, etc.
    [Show full text]
  • Leveraging Integrated Cryptographic Service Facility
    Front cover Leveraging Integrated Cryptographic Service Facility Lydia Parziale Redpaper International Technical Support Organization Leveraging Integrated Cryptographic Service Facility January 2018 REDP-5431-00 Note: Before using this information and the product it supports, read the information in “Notices” on page v. First Edition (January 2018) This edition applies to Version 2 Release 3 of IBM z/OS (product number 5650-ZOS). © Copyright International Business Machines Corporation 2018. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . .v Trademarks . vi Preface . vii Authors. vii Now you can become a published author, too! . vii Comments welcome. viii Stay connected to IBM Redbooks . viii Chapter 1. Overview . 1 1.1 The need for cryptography . 2 1.2 Cryptographic architectures . 3 1.2.1 PKCS #11 . 3 1.2.2 IBM Common Cryptographic Architecture. 3 1.3 System Authorization Facility . 4 1.4 What ICSF is . 5 1.4.1 ICSF services . 5 1.4.2 ICSF options . 6 1.4.3 SAF-protecting ICSF services and IBM CCA Keys. 8 Chapter 2. IBM Z hardware cryptography implementation . 9 2.1 CP Assist for Cryptographic Functions . 10 2.2 The IBM Cryptographic Coprocessor . 10 2.3 The Trusted Key Entry workstation . 12 2.3.1 Clear key versus secure key versus protected key. 12 2.3.2 TKE and the benefits of using ICSF and protected keys . 14 Chapter 3. Auditing . 15 3.1 ICSF: Enhanced logging for PCI audit requirements . 16 3.2 ICSF and SMF .
    [Show full text]
  • Openzfs on Linux Hepix 2014 October 16, 2014 Brian Behlendorf [email protected]
    OpenZFS on Linux HEPiX 2014 October 16, 2014 Brian Behlendorf [email protected] LLNL-PRES-XXXXXX This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under Contract DE-AC52-07NA27344. Lawrence Livermore National Security, LLC 1 Lawrence Livermore National Laboratory LLNL-PRES-xxxxxx High Performance Computing Advanced Simulation Massive Scale Data Intensive Top 500 (June 2014) #3 Sequoia 20.1 Peak PFLOP/s 1,572,864 cores 55 PB of storage at 850 GB/s #9 Vulcan 5.0 Peak PFLOPS/s 393,216 cores 6.7 PB of storage at 106 GB/s World class computing resources 2 Lawrence Livermore National Laboratory LLNL-PRES-xxxxxx Linux Clusters 2001 – First Linux cluster Today – ~10 large Linux clusters (100– 3,000 nodes) and 10-20 smaller ones Near-commodity hardware Open source software stack (TOSS) Tri-Labratory Operating System Stack Modified RHEL targeted for HPC RHEL kernel optimized for clusters Moab and SLURM for scheduling Lustre parallel filesystem Additional packages for monitoring, power/console, compilers, etc LLNL Loves Linux 3 Lawrence Livermore National Laboratory LLNL-PRES-xxxxxx Lustre Lustre is our parallel filesystem of choice Livermore Computing Filesystems: Open – 20PB in 5 filesystems Secure – 22PB in 3 filesystems Plus the 55PB Sequoia filesystem 1000+ storage servers Billions of files Users want: Access to their data from every cluster Good performance High availability How do we design a system to handle this? Lustre is used extensively
    [Show full text]