Since I design some of this stuff, I can help clarify - but others have already done a pretty good job of explaining the various alternatives.
What I'd like to ask is what you are actually trying to do? What is the reason for installing the Crypto Express and trying to use it instead of or in addition to the CPACF? The reason I'd expect is that you want additional security for your keys, but I don't think you've confirmed that. If you use ICSF as the interface, it automatically selects the most appropriate crypto to use - for example, if you are doing clear-key encryption, it will automatically use CPACF because it knows that will be faster than the CEX, but if you want to do PIN block translation it knows it has to use the CEX because the relevant standards mandate that keys can't be in the clear and that the entire translation operation has to be done atomically. Most people find that CEX performance is not good enough for disk encryption applications, so they either use clear-key CPACF or protected-key CPACF, depending on their security requirements on the keys. Performance for protected-key operations is only slightly less than for clear-key ones with CPACF - you can see some performance information in this paper: https://public.dhe.ibm.com/common/ssi/ecm/zs/en/zsw03283usen/ZSW03283USEN.PDF ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN