IBM Support

GSKit Version 8's Support for PKCS#11 Device Integration and On-CPU Acceleration

This article outlines the testing statements for GSKit v8 exploitation of PKCS#11 devices, and the cryptographic acceleration features offered by more modern CPU architectures.
PKCS#11 Device Integration
Version 8 of the IBM Global Security Toolkit (GSKit) component can integrate with, and leverage, hardware cryptographic devices that support the PKCS#11 industry standard. This section outlines the PKCS#11 devices that GSKit version 8 has been tested against.
Hardware PKCS#11 devices offer various features across operating system platforms. Refer to the PKCS#11 device vendor for specific details of their offering. Some of the most common features include:
  • More secure key storage and protected usage (some with tamper detection).
  • Offloading of CPU intensive operations to device hardware. For example, most devices support asymmetric key operations.
  • Some devices are capable of load sharing when more than one of them is installed.
GSKit's use of PKCS#11 is limited to those functions (where available) required for secure communication via TLS:
  • Asymmetric key generation and secure storage
  • Certificate storage
  • Asymmetric key operations (Sign & Verify, and Decryption during SSL key-exchange)
  • Random number generation
  • Hash functions (for example, digest calculation)
  • Symmetric key operations
Trust Anchor Certificates (Root Certificates) should only be stored on the device where the device protects certificates against modification and replacement through the setting of the PKCS#11 CKA_TRUSTED attribute. The support and setting of this attribute is vendor-specific. If in doubt, do not use the PKCS#11 device for Trust Anchor Certificate storage but rather use a GSKit keystore.

The GSKit component team performs interoperability testing on specific hardware, firmware, and driver levels for each device. IBM product teams typically test on a subset of these devices. If an integration problem is found, the IBM product team, IBM GSKit component team, and the PKCS#11 device vendor will work together on defect resolution. All IBM product defects should be reported through the standard IBM product support channels.
 
Operating system platforms

This article does not cover z/OS® or OS/400® variants of GSKit. In general, the list of platforms on which an IBM product integrates with a PKCS#11 device is the intersection of the IBM product's supported platforms and the PKCS#11 device's supported platforms. Known exceptions are noted in the section “Card observations” or in IBM product documentation.

Offloading Symmetric Encryption and Digest operations to a PKCS#11 device

While it is rarely of value to do so, GSKit can be configured to offload Symmetric Encryption and Digest operations to a PKCS#11 enabled device that supports it. Note, however, that few devices support the concurrent cryptographic operations needed for GSKit operation. Testing before production usage is advised.

PKCS#11 cryptographic devices tested with GSKit, Version 8

Refer issues regarding installation and configuration of these cards and software to the device vendor.
  • Gemalto (formerly SafeNet)
    • PSG PCI HSM 600
    • LunaSA HSM
  • nCipher (formerly Thales)
    • nShield Solo
    • nShield Edge
    • nShield Connect
    • nShield Connect+
    • nShield Connect XC
  • IBM
    • Crypto Express3 (CEX3)
    • Crypto Express4 (CEX4)
    • Crypto Express5 (CEX5)
    • Crypto Express6 (CEX6)
    • 4765 PCI Cryptographic card
  • Utimaco
    • SecurityServer HSM
Observations on specific cards

nShield 6000e F2 PCI-Express (Solo) and nShield Edge

Set the environment variable CKNFAST_OVERRIDE_SECURITY_ASSURANCES to "import;silent". This setting is required when using an nCipher device for symmetric key operations when enabled with GSKit. In this mode of operation, GSKit directly creates the SSL Session Key as a PKCS#11 Session Object during the SSL handshake. Despite the security override being required, no security issue is caused as the SSL Session Key is created by GSKit as part of the SSL handshake. nCipher devices do not provide Symmetric Key acceleration and as such, GSKit should not be enabled for this mode of operation when using nCipher devices unless absolutely required.

IBM CEX3/CEX4

The GSKit testing statement is restricted to Linux on System z, and GSKit 8.0.14.12 or later must be used. Refer to SystemSSL documentation for z/OS cryptographic device information.
nShield Connect

The GSKit testing statement is restricted to cipher suites that include the RSA algorithm, and GSKit 8.0.14.21 or later must be used.
IBM 4765 PCI cryptographic card

The GSKit testing statement is restricted such that only asymmetric operations may be used. The GSKit SSL environment setting GSK_PKCS11_ACCELERATOR_MODE must therefore not be set to either GSK_PKCS11_SYMMETRIC_CIPHER_ON or GSK_PKCS11_DIGEST_ON.
Utimaco SafeGuard Security Server HSM

GSKit 8.0.50.58 or higher must be used.
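
The per-card restrictions above can be checked before a configuration reaches production. The following is an added example, not IBM or GSKit code: the device labels, the platform label and the layout of the plan dictionary are hypothetical, and only the version levels, setting names and environment variable come from this article.

```python
# Added example (not IBM code): check a planned deployment against this article's
# per-device restrictions. Device labels and the plan's dict layout are hypothetical.

def ver(s):
    """Parse 'a.b.c.d' numerically; string comparison would rank 8.0.14.9 above 8.0.14.12."""
    parts = s.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part GSKit version: {s!r}")
    return tuple(map(int, parts))

MIN_GSKIT = {  # minimum GSKit levels stated in the article
    "ibm-cex3": "8.0.14.12", "ibm-cex4": "8.0.14.12",
    "nshield-connect": "8.0.14.21", "utimaco-securityserver": "8.0.50.58",
}
SYM = "GSK_PKCS11_SYMMETRIC_CIPHER_ON"
DIGEST = "GSK_PKCS11_DIGEST_ON"
NCIPHER_ENV = "CKNFAST_OVERRIDE_SECURITY_ASSURANCES"

def preflight(plan):
    """Return a list of findings; an empty list means no restriction is violated."""
    dev, modes = plan["device"], set(plan.get("accelerator_modes", ()))
    findings = []
    floor = MIN_GSKIT.get(dev)
    if floor and ver(plan["gskit"]) < ver(floor):
        findings.append(f"{dev}: GSKit {plan['gskit']} is below required {floor}")
    if dev in ("ibm-cex3", "ibm-cex4") and plan.get("platform") != "linux-s390x":
        findings.append(f"{dev}: tested on Linux on System z only")
    if dev == "nshield-connect":
        non_rsa = [c for c in plan.get("cipher_suites", ()) if "_RSA_" not in c]
        if non_rsa:
            findings.append(f"{dev}: non-RSA cipher suites configured: {non_rsa}")
    banned = sorted(modes & {SYM, DIGEST})
    if dev == "ibm-4765" and banned:
        findings.append(f"{dev}: asymmetric operations only; remove {banned}")
    if dev in ("nshield-solo", "nshield-edge") and SYM in modes:
        if plan.get("env", {}).get(NCIPHER_ENV) != "import;silent":
            findings.append(f"{dev}: {NCIPHER_ENV} must be 'import;silent' for symmetric mode")
        findings.append(f"{dev}: no symmetric acceleration on nCipher; enable only if required")
    return findings

# Constructed sample plans.
BAD = {"device": "nshield-connect", "gskit": "8.0.14.9",
       "cipher_suites": ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"]}
GOOD = {"device": "ibm-4765", "gskit": "8.0.50.58", "accelerator_modes": []}

if __name__ == "__main__":
    for p in (BAD, GOOD):
        print(p["device"], preflight(p) or "ok")
```
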
On-CPU cryptographic features

Version 8 of the IBM Global Security Toolkit (GSKit) will automatically leverage on-CPU cryptographic function without the need for any specific configuration. That is, GSKit will detect the hardware it is running on, and regardless of the operating system in use, leverage these features automatically.
On-CPU cryptographic features leveraged by GSKit version 8
  • IBM
    • POWER8. AES (Vcipher), SHA-2 (Vshasigma)
    • POWER9. AES (Vcipher), SHA-2 (Vshasigma), RNG (DARN)
    • zSeries CP-ACF. Various AES modes, SHA hashes
  • x86_64
    • AES (AESNI)
    • RNG (RdRand)
    • RNG (RdSeed)
  • Oracle
    • The on-chip cryptography within the Oracle Ultra-SPARC T1 and T2 CMT processor (Solaris 10 on Sparc)
    • Oracle SPARC T4, T5, and M7. RSA, AES, SHA-1, SHA-2, CAMELLIA (Solaris 11 on Sparc)
Observations on specific CPUs
x86_64
  • RdRand and RdSeed are not leveraged by default. They need to be enabled through GSKit configuration.
  • RdSeed is only available in non-FIPS mode from GSKit build 8.0.50.54 and higher.
Oracle
  • Note that SPARC support does not include the Fujitsu manufactured SPARC64 variant.

Document Information

Modified date:
02 November 2020

UID

ibm11283248