How Secure Key Processing Exploits FIPS 140-2 Certified PCI Cryptographic Coprocessors
CA Tape Encryption normally selects the cryptographic facility with the highest throughput capacity on your system. This can affect FIPS 140-2 compliance, as the following points outline:
- On z800 and z900 systems, CA Tape Encryption calls ICSF to exploit the IBM Cryptographic Coprocessor Facility (CCF) hardware. CCF is FIPS certified.
- On z890, z990, and z9 systems, CA Tape Encryption normally bypasses ICSF and invokes the CPACF hardware. CPACF is not FIPS certified.
- On z890, z990, or z9 processors, consider the following configuration possibilities for CA Tape Encryption:
  - CA Tape Encryption can be configured to ignore the presence of the CPACF facility and force encryptions and decryptions through one of the optional IBM FIPS certified cryptographic coprocessor cards, such as the PCIXCC or Crypto Express2.
  - All encryption and decryption activity can be routed to these optional Peripheral Component Interconnect (PCI) cards.
  - Selected encryption and decryption activity can be routed to these PCI cards based on your CA Tape Encryption symmetric key definitions.
Note: These optional IBM PCI cryptographic coprocessors are not designed to handle large amounts of data and can greatly affect the run times of tape jobs when encryption or decryption is employed. For this reason, CA does not recommend forcing all encryption and decryption activities through these external PCI cryptographic coprocessors.