Configuring the Crypto Express Feature for Linux on System z

The Crypto Express2 and Crypto Express3 features provide hardware acceleration for the RSA public-key operations used in the SSH session "handshake" (host-key signing during key exchange); the bulk symmetric encryption of an established session is not handled by these features. To benefit from this, Linux guests under z/VM must be given access to the Crypto Express hardware. The Logical Partition (LPAR) activation profile must contain at least one coprocessor or accelerator of a Crypto Express feature in the cryptographic candidate list and at least one usage domain index, and the z/VM user directory entry of each Linux guest must then assign it crypto resources with a CRYPTO statement. Starting with System z10, LPAR activation profiles can be modified without deactivating the LPAR.

Linux Cryptographic Architecture Used by OpenSSH

OpenSSH uses OpenSSL to perform its cryptographic operations. If the OpenSSH package was built with the "--with-ssl-engine" option, it initializes OpenSSL engine support at startup, so the OpenSSL library loads the ibmca cryptographic engine, if it is installed and configured, and hands the operations that engine implements to it instead of using OpenSSL's own software implementations. The ibmca engine passes each request to the libica library, which knows which algorithms the available hardware supports: RSA operations go to Crypto Express through the z90crypt device driver, symmetric ciphers and hashes supported by the CP Assist for Cryptographic Functions (CPACF) run on the CPACF instructions, and anything the hardware cannot do is computed in software. Running under z/VM has no impact on the cryptographic architecture inside the Linux server other than requiring that the Linux guest be given access to the installed Crypto Express hardware through its z/VM directory entry. Figure 3 shows the architecture.

Enabling OpenSSH hardware cryptographic support from Linux on System z requires installing the following software and driver packages. These are all part of the Linux on System z distribution and may be installed by default:

  • openssh
  • openssl
  • openssl-ibmca
  • libica
  • z90crypt (the kernel device driver for Crypto Express, shipped with the distribution kernel rather than as a separate package).

Preparing OpenSSL for ibmca Engine Use

The OpenSSH package shipped with SLES 11 SP1 is built with engine support and therefore uses hardware cryptography automatically, provided that OpenSSL is configured, through its openssl.cnf, to dynamically load the ibmca engine.
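The following script is an added example and is not part of the original document or of any IBM or SUSE package. It ties the preceding steps together: it checks that the packages listed above are installed, that the z90crypt driver is loaded, that this guest actually sees an online Crypto Express adapter, and that OpenSSL reports the ibmca engine as available; it can also print the openssl.cnf fragment that configures dynamic loading of ibmca. The libibmca.so path is an assumption that must be checked on the target system (the openssl-ibmca package decides where it lands), the sysfs layout under /sys/bus/ap/devices is the AP bus layout of the kernels I am aware of, and the rpm, lszcrypt and openssl invocations are the standard tools of a SLES 11 system.

```shell
#!/bin/sh
# Added example (not from the original document): verify the chain
# z90crypt -> libica -> ibmca -> OpenSSL -> OpenSSH on a Linux on System z
# guest and generate the openssl.cnf fragment that loads the ibmca engine.
# IBMCA_LIB is an ASSUMED path; check where openssl-ibmca installed libibmca.so.
IBMCA_LIB="${IBMCA_LIB:-/usr/lib64/engines/libibmca.so}"

# Print an openssl.cnf fragment that dynamically loads ibmca and makes it the
# default for every algorithm it implements.  $1 = path to libibmca.so
emit_ibmca_conf() {
    cat <<EOF
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
ibmca = ibmca_section

[ibmca_section]
dynamic_path = $1
engine_id = ibmca
default_algorithms = ALL
init = 1
EOF
}

# Succeed when the output of "openssl engine -t ibmca" ($1) reports
# "[ available ]", i.e. the engine loaded and its init succeeded.
engine_is_available() {
    printf '%s\n' "$1" | grep -q '\[ available \]'
}

# Count Crypto Express adapters the kernel shows as online on the AP bus.
# $1 = sysfs directory (default /sys/bus/ap/devices; a test may pass a mock tree).
count_online_cards() {
    root="${1:-/sys/bus/ap/devices}"
    n=0
    for f in "$root"/card*/online; do
        [ -f "$f" ] || continue
        if [ "$(cat "$f")" = "1" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Interactive check, run as root on the guest:  ./ibmca-check.sh --check
run_checks() {
    echo "== required packages"
    rpm -q openssh openssl openssl-ibmca libica || return 1

    echo "== z90crypt device driver"
    lsmod | grep -q '^z90crypt' || modprobe z90crypt || return 1

    echo "== adapters visible to this guest (the z/VM directory must grant them)"
    lszcrypt 2>/dev/null
    cards=$(count_online_cards)
    echo "online cards: $cards"
    [ "$cards" -gt 0 ] || { echo "no online Crypto Express adapter"; return 1; }

    echo "== OpenSSL engine status"
    out=$(openssl engine -t -c ibmca 2>&1)
    echo "$out"
    if ! engine_is_available "$out"; then
        echo "ibmca not loaded: merge the output of '$0 --conf' into /etc/ssl/openssl.cnf"
        return 1
    fi

    echo "== RSA 2048 sign/verify rate, software then ibmca (last line of each)"
    openssl speed rsa2048 2>/dev/null | tail -n 1
    openssl speed -engine ibmca rsa2048 2>/dev/null | tail -n 1
}

case "${1:-}" in
    --check) run_checks ;;
    --conf)  emit_ibmca_conf "$IBMCA_LIB" ;;
esac
```

Try the fragment before touching the system file: write it to a scratch file and run OPENSSL_CONF=/path/to/scratch.cnf openssl engine -t ibmca. When merging it into /etc/ssl/openssl.cnf, the line openssl_conf = openssl_def must sit in the unnamed default section at the very top of the file, before the first [section] header, while the three named sections can simply be appended at the end; sshd is started by init and does not inherit OPENSSL_CONF from a shell, so only the system file counts for production. The final speed comparison is the real proof: libica falls back to software RSA without complaint when no adapter is online, so an "[ available ]" engine alone does not show that Crypto Express is doing the work.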

