Crypto Express Network API for Secure Execution Enclaves

With Crypto Express Network API for Secure Execution Enclaves, you can use the REST API to configure the c16 server, which provides a gRPC API to access the Crypto Express cards and domains that are assigned to the LPAR. After the configuration, your applications can access the c16 gRPC API through the IBM GREP11 interface, which is provided by the GREP11 server, to securely connect from a Secure Execution virtual machine to the Crypto Express cards.

You can also enable the c16 server to send its logs to a configured Rsyslog server, where you can view them.

The following diagram is an architecture overview of Crypto Express Network API for Secure Execution Enclaves.

Figure 1. Architecture overview

Security considerations

  • Crypto Express Network API for Secure Execution Enclaves' REST API

    The API is critical for configuring and managing the c16 server, so it must never be accessible to any untrusted person or system. Users are responsible for controlling access to the API to keep it secure.

  • c16 API

    The c16 API is invoked to perform cryptographic operations on the Crypto Express card domains that Crypto Express Network API for Secure Execution Enclaves makes accessible. Therefore, the c16 API must be kept secure, and exposing it over a public network is not recommended. The c16 API is protected through mTLS with the certificate authority (CA) that is configured through the Crypto Express Network API. Anyone with a valid certificate issued by that CA can access the API. Users are responsible for controlling access to the CA and for issuing client certificates only to trusted clients.
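To make the last point concrete, the following is an added example, not part of the product or of this documentation, that reproduces the access decision behind the c16 API's mTLS protection: a client certificate is accepted only if it chains to the configured CA, so a certificate with an identical subject name issued by any other CA is rejected. All CA and client names are constructed, the certificates are generated in memory, and only the Go standard library is assumed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a P-256 certificate for cn, signed by parent (self-signed when parent is nil).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // a CA must be allowed to sign certificates
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ClientAccepted applies the verification a Go TLS server performs in RequireAndVerifyClientCert
// mode: the presented certificate must chain to a trusted CA and be valid for client authentication.
func ClientAccepted(trusted *x509.CertPool, client *x509.Certificate) bool {
	_, err := client.Verify(x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// Scenario builds a constructed CA standing in for the one configured for the c16 endpoint and
// returns the verdicts for a client certificate it issued and for a same-named one from another CA.
func Scenario() (issuedByConfiguredCA, issuedByOtherCA bool) {
	ca, caKey := issue("hypothetical-c16-ca", true, nil, nil)
	otherCA, otherKey := issue("hypothetical-other-ca", true, nil, nil)
	trusted := x509.NewCertPool(); trusted.AddCert(ca) // only the configured CA is trusted
	good, _ := issue("enclave-client", false, ca, caKey)
	bad, _ := issue("enclave-client", false, otherCA, otherKey)
	return ClientAccepted(trusted, good), ClientAccepted(trusted, bad)
}
```

The same outcome applies to a real deployment: whoever controls the configured CA decides who can reach the c16 API, which is why access to that CA is the thing to guard.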