IBM System z cryptography for highly secure transactions

The best way to secure information over the Internet is to encrypt it. IBM System z provides exceptional performance and function via cryptography coprocessors and accelerators that are individually specialized to address various encryption needs. The z/OS operating system provides the infrastructure to exploit the strengths of each cryptographic feature, handling tasks transparently. The result? The performance advantages of hardware assisted cryptography are readily available to applications, such as banking and finance, via the cryptography interfaces of z/OS.

Cryptographic Features Available on the System z (z9 EC, z9 BC, z990, z890)
A third generation cryptographic feature, the Crypto Express2, combines the functions of the PCICA and the PCIXCC in a single feature that is expected to provide improved secure key and system throughput. The Crypto Express2 feature supports a mixture of both secure and clear key applications. Crypto Express2 also offers CVV generation and verification services for 19-digit PANs providing advanced anti-fraud security. In addition, Crypto Express2 supports applications that require clear key RSA operations using less than 512-bits. This capability is designed to enable easier migration of some additional cryptographic applications to System z servers without requiring the applications to be rewritten. The Crypto Express2 feature is available on System z models z9 EC, z9 BC, z890 and z990 servers.

The CP Assist for Cryptographic Function (CPACF) is incorporated into every central processor that ships with the IBM System z server families. The CPACF feature delivers cryptographic support on every Central Processor (CP) with Data Encryption Standard (DES) and Triple DES (TDES) data encryption/decryption along with SHA-1 hashing. The CPACF integrated in every central processor of System z9 EC and z9 BC enhances cryptography by adding support for the Advanced Encryption Standard (AES) and the SHA-256 hashing algorithm. Because these cryptographic functions are implemented in each central processor (CP), the potential throughput scales with the number of processor units (PUs) ordered with each system.

With unprecedented scalability and data rates, the System z processors provide a set of synchronously executed symmetric cryptographic functions that can enhance the encryption/decryption performance of SSL, VPN (Virtual Private Network) and data storage applications that do not require FIPS 140-2 Level 4 security.

The PCIX Cryptographic Coprocessor (PCIXCC) is a replacement for the PCICC and the CMOS Cryptographic Coprocessor Facility that was originally available for System z processors. PCIXCC provides support for all of the security-related cryptographic functions available with its predecessor cryptographic coprocessor features. In addition, PCIXCC also supports the use of encrypted key values and user-defined extensions (UDX).

Optional cryptographic hardware features for System z servers include the System z PCI Cryptographic Coprocessor (PCICC) feature which has a tamper-proof design and supports symmetric encryption, as well as Public Key encryption. The PCI Cryptographic Coprocessor is scalable and programmable. PCICC is used throughout the financial sector.

The System z PCI Cryptographic Accelerator (PCICA) feature was designed to perform the computationally intensive public key cryptographic operations in hardware. Its aim was to provide cryptographic support for e-business. The PCI Cryptographic Accelerator Feature is available on z990 and supported on z900 servers. It may be carried forward on upgrades from z900 to z990 servers.

One focus area for System z has been encryption hardware certification. As encryption has become a key security tool, industry and country requirements have provided the motivation for IBM to work toward attaining higher levels of certification.

New FIPS Certification for Crypto Express2
Two of our cryptographic features are now certified at the highest level of the Federal Information Processing Standard. Both the Crypto Express2 and the PCIX Cryptographic Coprocessor (PCIXCC) features now hold the industry's top hardware rating, FIPS 140-2 Level 4. This certification means that the Crypto Express2 and the PCIX Cryptographic Coprocessor Security Modules satisfy the requirements for a cryptographic module utilized within a security system protecting Sensitive Information (United States) or Protected Information (Canada) within computer and telecommunications systems.

To achieve FIPS 140-2 Level 4 certification, an independent laboratory is permitted to attempt virtually any physical attack on the product and must verify the security of the internal software using a mechanical verification of a mathematical model. The PCIX Cryptographic Coprocessor Security Module is used in the Crypto Express2 and the PCIXCC features available on IBM z9 EC, z9 BC, z990 and z890. To find out more about FIPS certification, please visit,

SSL and security-rich Web commerce
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are public key cryptography-based protocol extensions to TCP/IP networking. SSL/TLS helps to ensure private communications between parties on the Internet, with the intent of allowing information such as a credit card number to be passed from customer to merchant application without the threat of interception.

System z servers provide the performance and scale you need to handle security-rich Web transactions. System z has focused on improving SSL/TLS encryption performance, and it shows. For example, z990 servers offer speed, with capabilities of greater than 11,000 SSL handshakes/second with z/OS 1.4 measured on a z990 with 16 CPs and 6 PCICA features. (To put that into some perspective, as recently as 1998, System z SSL performance was approximately 13 SSLs/second.) This ultra-fast and security-rich SSL comes courtesy of special hardware in the optional Crypto Express2 feature (when one or both of the two PCI-X adapters are configured as an accelerator) and the PCI Cryptographic Accelerator (PCICA) features.

IBM has also extended cryptography support and enabled the accelerator capability within the Crypto Express2 and PCICA features for Integrated Facility for Linux (IFL) engines available on System z servers. IFLs are engines dedicated to running Linux workloads. Accelerator support was previously made available for standard engines on System z servers running Linux.

Customers that do not need the high performance of the Crypto Express2 and PCICA features can use the PCICC or PCIXCC cryptographic features for SSL support.

Custom programming support
IBM will provide support for loading of customized cryptographic functions into the Crypto Express2 and PCIX Cryptographic Coprocessor (PCIXCC) features to perform User Defined Extensions (UDX).

