Eric,

I am still trying to understand: does the encryption and decryption load go to the general CP in case you don't have CPACF or ICSF?

On Wed, Jan 24, 2024, 6:44 PM Eric D Rossman <[email protected]> wrote:

> Responding to a bunch of questions/comments in one reply.
>
> Tom Brennan:
> > I thought I heard that you can start ICSF without a crypto
> > card and it will use CPACF for some of the heavier encryption
> > processing (maybe like generating prime numbers) and save
> > individual tasks some CP time.
>
> ICSF will use CPACF for RNG, hashing (SHA-1, 2, 3), DES, AES, and ECC
> operations. It will also use it for ECC key pair generation if you use
> PKCS #11 interfaces.
>
> Lennie Dymoke-Bradshaw:
> > ... ICSF without a Crypto Express card. ... However, this only
> > supports clear keys in the CKDS. The CKDS ... is different in
> > some way and cannot be converted to a secure key CKDS.
>
> True. There is an unsupported way to convert from clear key only
> CKDS to secure key (and clear key) CKDS but it's not for the
> faint of heart (since you are messing directly with your KDS).
>
> Lennie Dymoke-Bradshaw:
> > I don't know if there is a way of using the PKDS or TKDS in
> > this configuration.
>
> PKDS, no. TKDS, yes. The TKDS existed before EP11 existed.
>
> Lennie Dymoke-Bradshaw:
> > I have been told it is possible to run Data set encryption
> > with CPACF only and a clear key CKDS
>
> This is possible, but less secure since the keys are not protected by a
> master key.
>
> Timothy Sipples:
> > ICSF supports many, many cryptography-dependent features in
> > z/OS. Even many business applications that just need a simple
> > API to get a random number rely on ICSF. ICSF is
> > “darn important.”
>
> Thank you! I might be biased but I think everyone should have ICSF.
>
> Timothy Sipples:
> > And if persistent TLS connections are an option then they’d
> > dramatically reduce the number of network roundtrips,
> > eliminating a lot of network latency.
>
> Agreed. Also, System SSL session caching is also quite helpful.
>
> Eric Rossman
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
> ----------------------------------------------------------------------
