Preparing for Installation › Hardware Requirements › Cryptographic Algorithms Supported

Cryptographic Algorithms Supported

CA Tape Encryption provides software implementations of the AES128, AES192, and AES256 algorithms. These algorithms are provided to insure that you can encrypt and decrypt tape files at a disaster recovery site where crypto-processors may not be available. The performance of these software-based algorithms is slower than the same algorithms implemented in hardware (CPACF) or in the IBM ICSF software implementations. For this reason, CA recommends selecting an algorithm supported by your cryptographic hardware. This gives you significant performance improvement.

CA Tape Encryption provides software implementations of the MD5, SHA-1, and SHA-256 hashing algorithms. These algorithms are provided so that you can run CA Tape Encryption at recovery sites where a hardware implementation of the algorithm may not be available.

The DES64, 3DES128, and 3DES192 algorithms are available in hardware on all systems with a CCF or CPACF processor installed. CA Tape Encryption does not have a software implementation of the DES64, 3DES128, and 3DES192 algorithms. Ensure that the algorithm is provided by CCF, CPACF, or ICSF at your disaster recovery site.

Note: Software versions of the AES and hashing algorithms are available on all systems.

The following list identifies when a hardware implementation of an algorithm is available:

IBM z800 or z900 with CCF

The algorithms supported in hardware are the:

• DES64, 3DES128, and 3DES192 symmetric algorithms.
• SHA-1 hashing algorithm.
• RSA asymmetric encryption algorithm.

IBM z800 or z900 without CCF

There are no algorithms supported in hardware.

IBM z890 or z990 with CPACF

The algorithms supported in hardware are the:

• DES64, 3DES128, and 3DES192 symmetric algorithms.
• SHA-1 hashing algorithm.
• RSA asymmetric encryption algorithm. Hardware support is provided by a PCI-based coprocessor. If the hardware is not present, the encryption is performed by software with low CP overhead.

IBM z890 or z990 without CPACF

There are no algorithms supported in hardware.

IBM z9 with CPACF

The algorithms supported in hardware are the:

• DES64, 3DES128, 3DES192, and AES128 symmetric algorithms.
• SHA-1 and SHA-256 hashing algorithms.
• RSA asymmetric encryption algorithm. Hardware support is provided by a PCI-based coprocessor. If the hardware is not present, the encryption is performed by software with low CP overhead.

IBM z10 or z11 with CPACF

The algorithms supported in hardware are the:

• DES64, 3DES128, 3DES192, AES128, AES192 and AES256 symmetric algorithms.
• SHA-1 and SHA-256 hashing algorithms.
• RSA asymmetric encryption algorithm. Hardware support is provided by a PCI-based coprocessor. If the hardware is not present, the encryption is performed by software with low CP overhead.

Note: The RSA encryption algorithm is employed only when encrypting symmetric keys for B2B tapes.

Software Requirements

The software requirements for CA Tape Encryption are:

• IBM supported releases of z/OS 1.6 and above, running in 31-bit or 64-bit mode.

  Note: You need z/OS 1.6 to perform encryption using any AES algorithm.

• IBM's Integrated Cryptographic Service Facility (ICSF). ICSF is a software element of z/OS that works with hardware cryptographic features and the security system (CA ACF2, CA Top Secret, or IBM Security Server RACF) to provide secure, high-speed cryptographic services in the z/OS environment. ICSF is only required for systems without CPACF, Secure Keys or for software algorithms not supported by CPACF.

  ICSF libraries must be available during the installation of CA Tape Encryption. (The CA Tape Encryption SMP/E process must have access to the CSF.SCSFMOD0 ICSF DLIB dataset.) However, ICSF does not need to be active while CA Tape Encryption is running.

• CA Tape Encryption supports the following versions of ICSF (identified by FMID):
  • HCR770B
  • HCR7720
  • HCR7730
  • HCR7731
  • HCR7740
  • HCR7750

  You may need to contact IBM to obtain a current version of ICSF. CA Tape Encryption does not support HCR770A on z800 and z900 platforms. (HCR770A might be packaged with z/OS 1.7 and earlier versions of z/OS.) On z890, z990, and z9 platforms, HCR770A may be used to satisfy the SMP/E install requirements of CA Tape Encryption only, but this ICSF version should not be running in your systems.

• SMP/E must have access to the following IBM libraries:
  • CSF.SCSFMOD0 as DDDEF SCSFMOD0
  • CEE.SCEELIB as DDDEF SCEELIB
  • CBC.SCLBSID as DDDEF SCLBSID
  • SYS1.SIEASID as DDDEF SIEASID
  • CEE.SCEEBND2 as DDDEF SCEEBND2
• Any of these storage management systems:
  • CA 1
  • CA TLMS
  • CA Disk
  • CA Vtape

  Customers running non-CA tape management systems are also supported through the CA Tape Encryption Third Party Option.

• The CA Tape Encryption SAF Interface supports the following security systems:
  • CA ACF2
  • CA Top Secret
  • IBM Security Server RACF
• The IBM TS1120 Encryption Key Manager (EKM) application, running under z/OS UNIX System Services and Java, is required to perform device-based encryption on an encryption-enabled TS1120 using the [assign the value for TEKM in your book] to manage the TS1120 keys. The IBM EKM application is also required to support the IBM TS1130 encrypting drive.

Maintenance for CA Products

Additional maintenance is required for CA ACF2, CA Top Secret, CA 1, CA TLMS, CA Disk, and CA Vtape to enable the interfaces between these products and CA Tape Encryption. The exact PTFs required to enable this interface for each product are documented in the cover letter shipped with the product. Integration with IBM DFSMSrmm is also provided and requires additional maintenance from IBM. For integration with non-CA storage products, check with the vendor to determine support requirements.

Multisystem Requirements

The CA Tape Encryption primary database and mirror database must be on shared DASD to allow these files to be read and written by all subsystems configured to be part of the same CA Tape Encryption complex.

CA Tape Encryption uses a hardware RESERVE to protect the BES database. The QNAME used with the RESERVE is “BESX”, the RNAME is the name of the BES primary data set, and the UCB address used is the UCB address of the volume containing the BES primary data set. The BES primary and mirror data sets should not be placed on volumes containing system catalogs, JES spool data sets or any other high activity data sets. If you have a DASD resource serialization manager such as CA Multi-Image Manager (MIM) or IBM Global Resource Serialization (GRS) you may want to convert the QNAME=BESX hardware reserves to SCOPE=SYSTEMS enqueues.

Note: A reserve is not issued for the BES mirror data set. CA Tape Encryption relies on the reserve of the primary data set to provide the necessary serialization for both the primary and the mirror data sets.

CA Tape Encryption uses ENQ with SCOPE=SYSTEM and QNAME=BESn (where n is a value from 1 to 8) for various other purposes. These enqueues should not be changed by your DASD resource serialization manager since they are intended to serialize within a single system.

Considerations for ExHPDM Users

CA Tape Encryption provides support for the Extended High-Performance Data Mover (ExHPDM) product from Sun Microsystems / Storage Tek. ExHPDM users are cautioned that ExHPDM run times may be elongated when encrypting data with CA Tape Encryption. Run-time elongation may be more significant when the Integrated Compression feature of CA Tape Encryption is also selected for the encrypted volumes. CA recommends that ExHPDM users should evaluate if data compression is needed for the ExHPDM encrypted volumes and in that case, to test production-like workloads to verify if the required resources will be available in the production environment.

For information on enabling compression in ExHPDM environments where FDR and DFDSS are used, see the Administration Guide.