Setting up secure, protected servers and network environments has become vital as companies seek to comply with regulations from governments and other organizations to implement specific levels of security compliance, including protection of network data traffic.
Common access methods for Linux servers such as Telnet, or other protocols for file transfer such as File Transfer Protocol (FTP), aren’t adequate in Internet environments and internal company networks because sensitive information such as passwords is transferred over the network in the clear. Using Secure Shell (SSH), Secure Copy (SCP), and Secure File Transfer Protocol (SFTP) increases security because encryption protects both passwords and data. Although data encryption is expensive and can severely impact system performance, the IBM System z provides hardware encryption facilities that can reduce these adverse effects.
OpenSSH is a free version of the SSH connectivity tools included in the Linux on System z distributions. Starting with OpenSSH version 4.4, OpenSSL dynamic engine loading is supported; it lets OpenSSH benefit from System z cryptographic hardware support if a specific option is used during the OpenSSH package build. This article describes experiences with such an OpenSSH package and demonstrates the value of hardware encryption support for SSH sessions and SCP file transfers. In our testing, we used a System z10 Enterprise Class (EC) with Novell SUSE Linux Enterprise Server (SLES) 11 for IBM System z Service Pack 1 (SP1), as this version of Linux contains the updated OpenSSH package.
Hardware Cryptographic Support of System z
System z provides two different types of hardware support for cryptographic operations: Central Processor Assist for Cryptographic Function (CPACF) and Crypto Express features.
The first type, CPACF, is incorporated into the central processors shipped with the System z, and was introduced with System z990 and System z890. CPACF supports several symmetric encryption algorithms:
- Data Encryption Standard (DES) and Triple DES (TDES)
- Hashing algorithms SHA-1 and SHA-256
- Advanced Encryption Standard (AES) with a key length of 128; with the z10, AES-192 and AES-256
- Pseudo Random Number Generator (PRNG).
CPACF algorithms execute synchronously and are for clear key operation (i.e., the calling application provides cryptographic keys in unencrypted format).
The second type uses installable Crypto Express features, either Crypto Express2 (z9 and z10 up to GA2) or Crypto Express3 (z10 GA3). A Crypto Express feature can be configured either as a cryptographic accelerator to perform clear key RSA operations at high speed or as a cryptographic coprocessor to perform symmetric and asymmetric operations (RSA) in clear key and secure key mode. Crypto Express operations are performed asynchronously outside the central processor; work is partially off-loaded, and CPU cycles for cryptographic operations are reduced compared with the equivalent execution of a pure software implementation.
To benefit from CPACF, you must install the free of charge LIC internal feature 3863 (Crypto Enablement); this isn’t installed on the machine by default at delivery, but can be later installed without disrupting system operation. There’s no downside to installing CPACF, so it’s recommended for all systems.
To verify that CPACF is enabled, use the Support Element (SE) or Hardware Management Console (HMC) and look for “CP Assist for Crypto functions: Installed” in the CPC details panel (see Figure 1). Or, if you’re a Linux on System z user, you can easily check whether the feature is installed and which algorithms are supported. The icainfo command of library libica displays which CPACF functions are supported (see Figure 2).