Discussion:
SSL/TLS MSU usage
Munif Sadek
2018-08-14 03:08:47 UTC
Hello All

We have zBC12 and z13s but no crypto cards. As we are moving all our IP communications to SSL/TLS, is there a way to estimate additional MSU used in this encryption/decryption and key negotiations? IP traffic is CICS socket, HTTPS, FTPS, TN3270S, DB2 DDF, SSH etc. It's all over the place.

Is there a way we can simulate our MSU savings by having additional crypto hardware?

regards
Munif

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Brian Westerman
2018-08-14 05:29:48 UTC
The z13 (and I think b|ec12s) have CPACF built into each physical CPU; the older machines had CPACF but it was shared between multiple processors.

There is some extra CPU involved when you don't have a Crypto Express (CEX), but you have to remember that not everything is or can be offloaded to the CEX either. I think the Crypto Express has 8 processors, but depending on what you are doing SSL-wise you may not see any real measurable improvement over CPACF.

If you are going to use CPACF with System SSL or MQ, you have to turn on a feature code (feature #3863).

In reality, some part of the key negotiation will be performed on the General Processor (and CPACF) regardless of CEX availability. Also certain SSLCIPH specs are not supported by the CEX cards (as per https://www.ibm.com/developerworks/community/blogs/c4142f9d-6cf1-44ef-a44a-b09428ad96d1/entry/is_my_ssl_channel_using_hardware_assist?lang=en ).

Brian

Parwez Hamid
2018-08-14 09:18:02 UTC
Mounif,

I am unable to comment on any 'increase' of the CP utilization. CPACF has been around for a very long time. Both the systems you mention have the CPACF function. You will need a no charge feature (not available for embargoed countries) for microcode to enable CPACF. The other key point to note is to check if CPACF will support all the en/decryption algorithms you want to use. If not supported by CPACF then you might need the Crypto Express feature for which there is a charge.

Parwez

BTW: I have just Googled for CPACF and Crypto Express performance etc. There are lots of hits (I haven't browsed the websites) on this subject including some SHARE presentations.
