System Z Cryptographic Services and Z/OS PKI Services

Front cover

System z Cryptographic Services and z/OS PKI Services

Hardware cryptography monitoring
PKCS#11 support on z/OS
Java cryptography

Authors: Guillaume Hoareau, Nikhil V Kapre, MuHyun Kim, Patrick Kappeler, Gerard Laumay, Jonathan Barney, Joel Porterie, Jean Marc Darees, Vicente Ranieri, Jr., Pekka Hanninen, Dominique Richard, Robert Herman, Daniel L. Turkenkopf

ibm.com/redbooks
International Technical Support Organization

System z Cryptographic Services and z/OS PKI Services
May 2008
SG24-7470-00

Note: Before using this information and the product it supports, read the information in "Notices" on page vii.

First Edition (May 2008)
This edition applies to Version 1, Release 9 of z/OS (product number 5694-A01).

© Copyright International Business Machines Corporation 2008. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Notices ... vii
Trademarks ... viii
Preface ... ix
The team that wrote this book ... ix
Become a published author ... xi
Comments welcome ... xi

Part 1. Using cryptography with advanced technologies ... 1

Chapter 1. System z cryptography infrastructure ... 3
1.1 Message-security assist ... 4
1.2 Cryptographic hardware ... 9
1.2.1 CP Assist for Cryptographic Functions (CPACF) ... 10
1.2.2 Cryptographic Coprocessor Feature (CCF) ... 12
1.2.3 PCI Cryptographic Accelerator (PCICA) ... 13
1.2.4 PCI-X Cryptographic Coprocessor (PCIXCC) ... 14
1.2.5 Crypto Express 2 Feature ... 17
1.2.6 Comparison of CPACF, CEX2C, and CEX2A ... 19
1.3 IBM Common Cryptographic Architecture ... 20
1.3.1 Rationale for the IBM CCA ... 20
1.3.2 CCA callable services ... 21
1.3.3 DES key management ... 24
1.3.4 PKA key management ... 30
1.4 ICSF ... 34
1.4.1 Audit trails ... 38
1.5 Logical partitioning and System z hardware cryptography exploitation ... 38
1.6 Monitoring the cryptographic workload on z/OS ... 39
1.7 Sysplex and System z hardware cryptography ... 40
1.8 Software requirements ... 40

Chapter 2. Hardware cryptography activity assessment on System z ... 41
2.1 What is exploiting the System z hardware cryptography? ... 42
2.1.1 Hardware cryptography exploitation on z/OS ... 42
2.1.2 Hardware cryptography exploitation in Linux on System z ... 46
2.2 Assessing the use of hardware cryptography on z/OS ... 47
2.2.1 Detecting the use of RACF-protected cryptographic resources ... 47
2.2.2 z/OS System SSL example ... 49
2.2.3 The ICSF component trace ... 56
2.3 Assessing the use of hardware cryptography on z/VSE ... 58
2.4 Assessing the use of hardware cryptography on Linux on System z ... 58
2.4.1 Status of the z90crypt device driver ... 59
2.4.2 Collecting information about hardware cryptography activity ... 60
2.4.3 Programs that invoke hardware cryptography ... 61
2.5 Setting up hardware cryptography configuration of z/VM ... 61
2.5.1 Checking the hardware cryptography configuration with z/VM ... 63

Chapter 3. Measuring hardware cryptography activity on z/OS with RMF ... 65
3.1 Overview of ICSF cryptographic workload balancing ... 66
3.2 SMF reporting of hardware cryptography activity ... 66
3.3 Using RMF to measure the z/OS hardware cryptography activity ... 68
3.3.1 RMF data collection infrastructure for hardware cryptography ... 69
3.4 RMF post-processor reports ... 70
3.4.1 Crypto Hardware Activity RMF report ... 71
3.4.2 Crypto Hardware Activity report example ... 74
3.4.3 Crypto Hardware Activity report without local activity ... 75
3.4.4 Workload Activity report ... 75
3.4.5 Overview report ... 77

Chapter 4. Assessing activity with OMEGAMON XE on z/OS and RMF ... 79
4.1 Tivoli OMEGAMON XE on z/OS - Cryptographic coprocessor support ... 80
4.2 OMEGAMON XE on z/OS graphical interface ... 81
4.3 Measuring activity with RMF and OMEGAMON XE on z/OS ... 82
4.3.1 SHA-1 activity (CPACF activity) ... 82
4.3.2 CEX2C activity ... 85
4.3.3 CEX2A activity ... 86
4.4 Using the OMEGAMON XE on z/OS Service Call Performance workspace ... 88

Chapter 5. Java cryptography ... 91
5.1 Java cryptography ... 92
5.1.1 Cryptography overview ... 92
5.1.2 Types of encryption algorithms ... 95
5.1.3 Key-management challenge ... 98
5.1.4 Java cryptography in z/OS ... 99
5.2 Cryptography providers on z/OS ... 102
5.2.1 How to select a provider (registering a provider in the java.security file) ... 103
5.2.2 JCE - Java Cryptography Extension ... 103
5.2.3 JCECCA - JCE using CCA hardware cryptographic devices on z/OS ... 104
5.2.4 CertPath - Certificate generation and path validation ... 104
5.2.5 JSSE - Java Secure Sockets Extension (SSL and TLS) ... 105
5.2.6 Map the providers and algorithms ... 105
5.3 Setting up hardware cryptographic features ... 106
5.3.1 Policy files ... 107
5.4 Keystore and SAF digital certificates (keyrings) ... 107
5.4.1 JCEKS ... 108
5.4.2 JCECCAKS ... 110
5.4.3 JCERACFKS ... 114
5.4.4 JCECCARACFKS ... 116
5.5 Tools ... 120
5.5.1 Software keytool ...

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    306 pages