Handling of Random Number Generation and Validation of Entropy

Random Number Generation (RNG) in z/VM® is handled at the hardware level, via a special instruction set onto the CPUs of IBM Z® hardware. Validating the installation of these facilities can be accomplished via issuance of the CP command QUERY CRYPTO (Class A). This will also provide details regarding specialty cryptographic hardware which would fall outside the boundaries of z/VM's Common Criteria evaluations. Note that statements regarding entropy for z/VM are only valid when running on IBM Z z14 hardware or later, as previous generations of the hardware crypto processing only supported Pseudo-Random Number Generation on-chip.

Validating the entropy used by the z/VM TLS Server requires specific instructions, as it involves running traces against the underlying cryptographic library inside the instantiation of the z/VM TLS Server. The entropy pool's seeding, creation, and successful implementation can be viewed by including a GSKTRACE statement inside the DTCPARMS configuration for the TLS Server. Specifically, one would add the following line to the end of the configuration specified in Required VMSSL Command Operands, second configuration:

GSKTRACE 015

Note that enabling and disabling GSKTRACE can only be done via the configuration file, and is static; it cannot be disabled once initialized without bringing down the TLS Server. Similarly, the resultant GSKTRACE produced can only be gathered by stopping and restarting the TLS Server.

The instructions for gathering a GSKTRACE are documented on the z/VM web page and can be found at: System SSL (GSKTRACE) Tracing Information.

Once the GSKTRACE file has been processed, it must be transferred off-platform for sake of analysis or storage. Refer to Transfer of Audit Records for more information on how to move security-relevant data off-platform.