Cryptographic hardware

Notes:

  1. Symmetric cipher operations (see below for a definition of this term) are supported only on cards where this is explicitly stated.

  2. On i5/OS and z/OS, the operating system provides the cryptographic hardware support.

  3. On 64-bit enabled UNIX platforms, testing was carried out using GSKit in 32-bit mode.

On i5/OS, when you use DCM (Digital Certificate Manager) to create or renew certificates, you can choose either to store the private key directly in the coprocessor, or to have the coprocessor master key encrypt the private key and store the encrypted key in a special key store file.

On z/OS, when you use RACF to create certificates, you can choose to store the key using ICSF (Integrated Cryptographic Service Facility), which gives better performance and more secure key storage.

On UNIX and Windows systems, WebSphere MQ currently provides support for the following cryptographic hardware:

IBM 4758-002

Interface: PKCS #11

Platforms:

  • i5/OS OS/400 V5R3

IBM 4758-023

Interface: PKCS #11

Platforms:

  • Windows 2000 Pro SP4

  • AIX R5V2 64-bit

IBM e-business Cryptographic Accelerator (#4960)

Interface: PKCS #11

Platforms:

  • Linux (x86)

  • Linux (zSeries)

IBM PCICA

Interface: PKCS #11

Platforms:

  • Linux (zSeries)

nCipher nForce 300

Interface: PKCS #11

Platforms:

  • Windows 2000 Pro SP4

  • AIX R5V2 64-bit

  • HP-UX 11i

  • Linux RedHat 3 Advanced Server

  • Solaris 8

If SSL cryptographic hardware symmetric cipher operations are enabled within WebSphere MQ, the symmetric encryption and decryption on an SSL channel is performed by the nCipher card. This card is currently supported for symmetric cipher operations only with Triple DES encryption.

nCipher nFast 300

Interface: BHAPI plug-in under BSAFE 4.0

Platforms:

  • Solaris 8

nCipher netHSM 300, 800 and 1600

Interface: PKCS #11

Platforms:

  • AIX V5.2

  • AIX V5.3

Eracom Orange

Interface: PKCS #11

Platforms:

  • Windows 2000

If SSL cryptographic hardware symmetric cipher operations are enabled within WebSphere MQ, the symmetric encryption and decryption on an SSL channel is performed by the Eracom Orange card. This card is currently supported for symmetric cipher operations only with Triple DES encryption.

The following cards have not been confirmed to be working with IBM WebSphere V6.0 at the time of publication:

The only platform on which IBM supports the BHAPI plug-in interface under BSAFE 4.0 is Solaris 2.8.

On all platforms, cryptographic hardware is used at the SSL handshaking stage and at secret key reset.

On UNIX and Windows systems, WebSphere MQ also supports SSL cryptographic hardware symmetric cipher operations. When these are enabled, the data sent across an SSL or TLS connection is encrypted and decrypted by the cryptographic hardware product rather than in software.

On the queue manager, this is switched on by setting the SSLCryptoHardware queue manager attribute (MQSC keyword SSLCRYP) appropriately (see the WebSphere MQ Script (MQSC) Command Reference and WebSphere MQ Programmable Command Formats and Administration Interface books). On the WebSphere MQ client, the equivalent is the MQSSLCRYP environment variable, or the SSLCryptoHardware key in the SSL stanza of the client configuration file (see the WebSphere MQ Clients book). The default setting is off.

If this attribute is switched on, WebSphere MQ attempts to use symmetric cipher operations whether or not the cryptographic hardware product supports them for the encryption algorithm specified in the current CipherSpec. If the cryptographic hardware product does not provide this support, WebSphere MQ performs the encryption and decryption of data itself, and no error is reported. If the cryptographic hardware product does support symmetric cipher operations for the encryption algorithm specified in the current CipherSpec, this function is activated and the cryptographic hardware product performs the encryption and decryption of the data sent. Because the fallback to software is silent, the attribute setting alone does not prove that the card is doing the work; confirm it with the hardware product's own monitoring or audit facilities.

When CPU usage is low, it is generally quicker to perform the encryption and decryption in software than to copy the data to the card, encrypt or decrypt it there, and copy it back to the SSL protocol software. Hardware symmetric cipher operations become more useful when CPU usage is high.
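The following shell script is an added example, not code from the WebSphere MQ documentation or product. It composes the SSLCryptoHardware value (MQSC keyword SSLCRYP, client variable MQSSLCRYP) for a PKCS #11 card, rejects field values that would break the delimited string or the MQSC literal, checks whether the named driver library exists on the host, and prints the MQSC commands that apply the value. The value format is assumed from the MQSC reference this page cites: GSK_PKCS11=<driver path>;<token label>;<token password>;SYMMETRIC_CIPHER_ON|SYMMETRIC_CIPHER_OFF. The driver path, token label, token password and queue manager name are placeholders.

```shell
#!/bin/sh
# Added example (not WebSphere MQ's own code): compose, check and apply an
# SSLCRYP value for a PKCS #11 card.
#
# Assumed value format, taken from the MQSC reference the page cites:
#   GSK_PKCS11=<driver path>;<token label>;<token password>;<symmetric cipher setting>
# The last field is SYMMETRIC_CIPHER_ON or SYMMETRIC_CIPHER_OFF.
# All paths, labels, passwords and queue manager names below are placeholders.

# build_sslcryp DRIVER LABEL PASSWORD ON|OFF
# Prints the attribute value, or fails if a field would corrupt it.
build_sslcryp() {
  driver=$1; label=$2; password=$3
  case "$4" in
    ON)  setting=SYMMETRIC_CIPHER_ON ;;
    OFF) setting=SYMMETRIC_CIPHER_OFF ;;
    *)   echo "build_sslcryp: fourth argument must be ON or OFF" >&2; return 1 ;;
  esac
  # ';' separates the fields and a single quote would end the MQSC string
  # literal, so neither may appear inside a field.
  for field in "$driver" "$label" "$password"; do
    case "$field" in
      *\;*|*\'*) echo "build_sslcryp: field '$field' contains ; or '" >&2; return 1 ;;
    esac
  done
  printf 'GSK_PKCS11=%s;%s;%s;%s\n' "$driver" "$label" "$password" "$setting"
}

# symmetric_enabled VALUE
# Succeeds if the value asks for hardware symmetric cipher operations.
symmetric_enabled() {
  case "$1" in
    *";SYMMETRIC_CIPHER_ON") return 0 ;;
    *) return 1 ;;
  esac
}

# driver_present VALUE
# Succeeds if the PKCS #11 driver named in the value exists on this host.
# GSKit loads the library inside the queue manager process, so run this on
# the queue manager host, not wherever the value was composed.
driver_present() {
  path=${1#GSK_PKCS11=}    # drop the prefix
  path=${path%%";"*}       # keep only the first field (driver path)
  [ -f "$path" ]
}

# mqsc_for QMGR VALUE
# Prints the MQSC commands; pipe the output into "runmqsc QMGR" to apply them.
# REFRESH SECURITY TYPE(SSL) restarts running SSL channels so they pick up
# the new setting.
mqsc_for() {
  printf "ALTER QMGR SSLCRYP('%s')\n" "$2"
  printf 'REFRESH SECURITY TYPE(SSL)\n'
}

# Placeholder usage on the queue manager host (uncomment the last line to apply):
#   value=$(build_sslcryp /usr/lib/pkcs11/PKCS11_API.so mytoken Passw0rd ON)
#   driver_present "$value" || echo "driver library not found on this host" >&2
#   mqsc_for QM1 "$value" | runmqsc QM1
```

On a client, export the same value as MQSSLCRYP instead of running the MQSC. The token password is part of the attribute value, so it is present wherever that value is stored or displayed; restrict administrative access to the queue manager and to client configuration files accordingly. Pass OFF rather than ON when the host is lightly loaded, since the page notes that software encryption is then usually faster.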

On z/OS with cryptographic hardware, support is provided for symmetric cipher operations. This means that the user's data is encrypted and decrypted by the hardware if the hardware has this capability for the CipherSpec chosen, and is configured to support data encryption and decryption.

On i5/OS, cryptographic hardware is not used for encryption and decryption of the user's data, even if the hardware has the capability of performing such encryption for the encryption algorithm specified in the current CipherSpec.

