I think there may be some confusion regarding "protected". Perhaps OA29193 will shed some light on the High Performance ICSF Secure key.
ftp://ftp.software.ibm.com/s390/zos/racf/pdf/oa29193.pdf Of course routines coded to directly exploit CPACF are pretty much always going to run circles around ICSF+CEX3. Even adding ICSF into the mix of CPACF is still going to be extremely fast. Phil's point about the amount of data is extremely important. Any CEX# related stuff is effectively a queuing mechanism. The high performance gives you the benefits of ICSF with the benefits of storing the wrapped keys in HSA. AFAIK CPACF by itself will never give you keys that are truly secure... but it is fast and is worthy of the trade-off ... specially for things like SSL / TLS. Personally, I think using the High Performance is a stellar idea... a nice blend that should give some very real performance benefits for symmetric key users without sacrificing the key material. Now.. if someone wants to correct me. I am all for it. Just site the relevant documentation... and I will happily join you in your understanding. Rob Schramm Senior Systems Consultant Imperium Group On Fri, Jul 6, 2012 at 4:14 PM, R.S. <r.skoru...@bremultibank.com.pl> wrote: > W dniu 2012-07-06 21:49, Lloyd Fuller pisze: > >> Consider the cost of a CEX operation as ((ICSF call CPU)+I/O) and the > cost of a > >> CPACF operation as ((ICSF call)+(some >CPU cycles for the operation)). > So the > >> difference is I/O vs. CPACF cycles. The I/O cost doesn't change (much) > with > >> larger >blocks; the CPACF cycles do. > > > > This statement implies that CPACF REQUIRES ICSF. That is NOT true. > > ICSF services do require ICSF. CPACF facilities can be called as > assembler statements. However this require changes in the application. > Not to mention, it's easier to call ICSF services from high level > language (my opinion). > > > > You can > > happily do CPACF operations yourself without ICSF even configured on the > > system. IBM's white papers about CPACF performance indicate that ICSF > imposes a > > big performance hit on CPACF. > No, it depends! For some cases the difference between ICSF and assembler > calls are not significant. > > > Last but not least: Crypto Express facilities are available (officially) > only as ICSF services, so if you want to compare CPACF and CryptoExpress > performance, it's quite good idea to have all remaining circumstances > the same. Otherwise you analyze ICSF code overhead. > > -- > Radoslaw Skorupka > Lodz, Poland > > > > > > > > > -- > Tre tej wiadomo ci mo e zawiera informacje prawnie chronione Banku > przeznaczone wy cznie do u ytku s u bowego adresata. Odbiorc mo e by > jedynie jej adresat z wy czeniem dost pu osób trzecich. Je eli nie jeste > adresatem niniejszej wiadomo ci lub pracownikiem upowa nionym do jej > przekazania adresatowi, informujemy, e jej rozpowszechnianie, kopiowanie, > rozprowadzanie lub inne dzia anie o podobnym charakterze jest prawnie > zabronione i mo e by karalne. Je eli otrzyma e t wiadomo omy kowo, > prosimy niezw ocznie zawiadomi nadawc wysy aj c odpowied oraz trwale > usun t wiadomo w czaj c w to wszelkie jej kopie wydrukowane lub > zapisane na dysku. > > This e-mail may contain legally privileged information of the Bank and is > intended solely for business use of the addressee. This e-mail may only be > received by the addressee and may not be disclosed to any third parties. If > you are not the intended addressee of this e-mail or the employee > authorised to forward it to the addressee, be advised that any > dissemination, copying, distribution or any other similar activity is > legally prohibited and may be punishable. If you received this e-mail by > mistake please advise the sender immediately by using the reply facility in > your e-mail software and delete permanently this e-mail including any > copies of it either printed or saved to hard drive. > > BRE Bank SA, 00-950 Warszawa, ul. Senatorska 18, tel. +48 (22) 829 00 00, > fax +48 (22) 829 00 33, www.brebank.pl, e-mail: i...@brebank.pl > S d Rejonowy dla m. st. Warszawy XII Wydzia Gospodarczy Krajowego > Rejestru S dowego, nr rejestru przedsi biorców KRS 0000025237, NIP: > 526-021-50-88. > Wed ug stanu na dzie 01.01.2012 r. kapita zak adowy BRE Banku SA (w ca o > ci wp acony) wynosi 168.410.984 z otych. > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
