Cryptographic hardware

The way in which IBM MQ provides support for cryptographic hardware depends on which platform you are using.

On UNIX, Linux, and Windows systems, IBM MQ provides support for a variety of cryptographic hardware using the PKCS #11 interface.

On IBM i and z/OS®, the operating system provides the cryptographic hardware support.

For a list of currently supported cryptography cards, see Cryptography Card List for IBM MQ.

On all platforms, cryptographic hardware is used at the TLS handshaking stage and at secret key reset.

On IBM i, when you use DCM to create or renew certificates, you can choose to store the key directly in the coprocessor, or to use the coprocessor master key to encrypt the private key and store it in a special keystore file.

On z/OS, when you use RACF® to create certificates, you can choose to store the key using ICSF (Integrated Cryptographic Service Facility) to obtain improved performance and more secure key storage. During the TLS handshake and secret key negotiations, a Crypto Express card (if available) is used to perform the RSA operations. After the handshake completes and data begins to flow, data is decrypted in the CPACF and the Crypto Express card is not used.

On UNIX, Linux, and Windows systems, IBM MQ also supports TLS symmetric cipher operations in cryptographic hardware. When this support is in use, the data sent across a TLS connection is encrypted and decrypted by the cryptographic hardware product rather than by IBM MQ itself.

On the queue manager, this is enabled by setting the SSLCryptoHardware queue manager attribute appropriately (see ALTER QMGR and Change Queue Manager). On the IBM MQ MQI client, an equivalent setting is provided in the SSL stanza of the client configuration file. The default setting is off.

If this attribute is enabled, IBM MQ attempts to use hardware symmetric cipher operations regardless of whether the cryptographic hardware product supports the encryption algorithm specified in the current CipherSpec. If the cryptographic hardware product does not support that algorithm, IBM MQ performs the encryption and decryption of the data itself, and no error is reported. If the cryptographic hardware product does support symmetric cipher operations for that algorithm, this function is activated and the cryptographic hardware product performs the encryption and decryption of the data sent. Because the fallback to software is silent, enabling the attribute does not by itself confirm that the hardware is performing the symmetric operations for a given CipherSpec.
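The following is an added example, not IBM MQ product code, that builds and checks the PKCS #11 form of the SSLCryptoHardware value described above, GSK_PKCS11=<driver path>;<token label>;<token password>;<symmetric cipher setting>, where the last field is SYMMETRIC_CIPHER_ON or SYMMETRIC_CIPHER_OFF. It renders the same value both as the MQSC ALTER QMGR SSLCRYP command for a queue manager and as the SSL stanza entry for an MQI client configuration file, so the two sides can be kept in step. The driver path, token label and token password are placeholders (assumptions), not values from the original page.

```python
"""Build, validate and round-trip an IBM MQ SSLCryptoHardware (SSLCRYP) value.

Added example; not part of IBM MQ. The GSK_PKCS11= format is the documented
PKCS #11 form for UNIX, Linux and Windows. The driver path, token label and
password used below are placeholder assumptions for illustration only.
"""
from dataclasses import dataclass, replace

PREFIX = "GSK_PKCS11="
SYMMETRIC_ON = "SYMMETRIC_CIPHER_ON"
SYMMETRIC_OFF = "SYMMETRIC_CIPHER_OFF"


@dataclass(frozen=True)
class Pkcs11Setting:
    driver: str            # path to the PKCS #11 library (assumed path)
    token_label: str       # label of the PKCS #11 token holding the key (assumed)
    token_password: str    # token PIN/password; it is embedded in the attribute value
    symmetric: bool        # True requests hardware symmetric cipher operations

    def render(self) -> str:
        """Return the attribute string, refusing values that would break the
        ';'-delimited format or leave a field empty."""
        fields = (("driver", self.driver),
                  ("token_label", self.token_label),
                  ("token_password", self.token_password))
        for name, value in fields:
            if not value:
                raise ValueError(f"{name} must not be empty")
            if ";" in value:
                raise ValueError(f"{name} must not contain ';' (field separator)")
        flag = SYMMETRIC_ON if self.symmetric else SYMMETRIC_OFF
        return f"{PREFIX}{self.driver};{self.token_label};{self.token_password};{flag}"


def parse(value: str) -> Pkcs11Setting:
    """Parse an existing SSLCRYP / SSLCryptoHardware value and check its
    four fields, including that the symmetric cipher flag is one of the two
    permitted values. A trailing ';' is tolerated."""
    if not value.startswith(PREFIX):
        raise ValueError("only the GSK_PKCS11= form is handled here")
    fields = value[len(PREFIX):].rstrip(";").split(";")
    if len(fields) != 4:
        raise ValueError(f"expected 4 ';'-separated fields, got {len(fields)}")
    driver, label, password, flag = fields
    if flag not in (SYMMETRIC_ON, SYMMETRIC_OFF):
        raise ValueError(
            f"symmetric cipher setting must be {SYMMETRIC_ON} or {SYMMETRIC_OFF}, got {flag!r}")
    return Pkcs11Setting(driver, label, password, flag == SYMMETRIC_ON)


def with_symmetric(setting: Pkcs11Setting, enabled: bool) -> Pkcs11Setting:
    """Return a copy with only the symmetric cipher flag changed."""
    return replace(setting, symmetric=enabled)


def mqsc_alter_qmgr(setting: Pkcs11Setting) -> str:
    """MQSC command to apply the value to a queue manager."""
    return f"ALTER QMGR SSLCRYP('{setting.render()}')"


def mqclient_ini_ssl_stanza(setting: Pkcs11Setting) -> str:
    """Equivalent SSL stanza lines for the MQI client configuration file."""
    return "SSL:\n  SSLCryptoHardware=" + setting.render()


if __name__ == "__main__":
    # Placeholder values (assumptions), not a real deployment.
    setting = Pkcs11Setting("/usr/lib/pkcs11/PKCS11_API.so", "mqtoken", "passw0rd", True)
    print(mqsc_alter_qmgr(setting))
    print(mqclient_ini_ssl_stanza(setting))
    # Because the token password is part of the attribute value, treat the
    # queue manager configuration and any scripts that set it as secrets.
    assert parse(setting.render()) == setting
```

Turning the flag off with with_symmetric(setting, False) leaves the same token in use for the handshake and private key operations while returning bulk encryption to software, which is the setting to compare against when measuring the low-processor-usage case discussed next.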

When processor usage is low, it is often quicker to perform the encryption and decryption in software than to copy the data onto the card, encrypt or decrypt it there, and copy it back to the TLS protocol software. Hardware symmetric cipher operations become more useful when processor usage is high.

On z/OS with cryptographic hardware, support is provided for symmetric cipher operations. This means that the user's data is encrypted and decrypted by the hardware if the hardware has this capability for the CipherSpec chosen, and is configured to support data encryption and decryption.

On IBM i, cryptographic hardware is not used for encryption and decryption of the user's data, even if the hardware has the capability of performing such encryption for the encryption algorithm specified in the current CipherSpec.