Running FTP-Proxy on a z10 with z/OS 1.11 & zIIP processors
Running FTP-Proxy on a z10 with z/OS 1.11 & zIIP processors
We're looking at securitizing our ftp traffic and this product caught our eye. With the backdrop that encryption is typically CPU intensive and that we own a pair of under-utilized zIIP processors (but no zAAPs) we have the following question: has anyone confirmed that this product will take advantage of zIIP processors when running at z/OS level 1.11 or higher? As this product is written in Java which should make it zAAP processor eligible and starting with z/OS 1.11 IBM states that zIIPs may be used for zAAP processor eligible work that leads us to believe it would work as well with zIIPs. Also, is there any preferences or caveats regarding the Java level (e.g., 6.0,6.0.1 or 7.0) to utilize? Thanks!
Re: Running FTP-Proxy on a z10 with z/OS 1.11 & zIIP process
Yes, Java processing can be offloaded to zIIPs if they are configured correctly.
See "zIIP on zAAP Capability" here: http://www-03.ibm.com/systems/z/hardwar ... about.html
I am not aware of any caveats with 6.0 vs 6.01 vs 7.0
You may wish to enable the "IBMJCECCA" security provider so that the ciphers and message digest processing done by SSH are offloaded to ICSF. For more information, see: http://www-03.ibm.com/systems/z/os/zos/ ... cecca.html
Also, there is nothing that says that you have to run the Co:Z FTP SSH Proxy on z/OS... you could run it on any server that supports Java. You would want to have the server belong to a secure network with z/OS, since the FTP traffic between z/OS and the Co:Z FTP SSH Proxy would be unencrypted. But a zBX blade or zLinux guest in the same ensemble would be good.
Of course, another option would be to use Co:Z SFTP.
See "zIIP on zAAP Capability" here: http://www-03.ibm.com/systems/z/hardwar ... about.html
I am not aware of any caveats with 6.0 vs 6.01 vs 7.0
You may wish to enable the "IBMJCECCA" security provider so that the ciphers and message digest processing done by SSH are offloaded to ICSF. For more information, see: http://www-03.ibm.com/systems/z/os/zos/ ... cecca.html
Also, there is nothing that says that you have to run the Co:Z FTP SSH Proxy on z/OS... you could run it on any server that supports Java. You would want to have the server belong to a secure network with z/OS, since the FTP traffic between z/OS and the Co:Z FTP SSH Proxy would be unencrypted. But a zBX blade or zLinux guest in the same ensemble would be good.
Of course, another option would be to use Co:Z SFTP.
Re: Running FTP-Proxy on a z10 with z/OS 1.11 & zIIP process
To clarify: does using CoZ:SFTP under z/OS 1.11 offer the prospect of offloading the encryption effort to available zIIP processors or is ICSF still necessary for offloading?
Thanks!
Thanks!
Re: Running FTP-Proxy on a z10 with z/OS 1.11 & zIIP process
There are two separate things:
- Java processing can be offloaded to zIIP.
- encryption functions can be offloaded to ICSF by using the IBMJCECCA provider. ICSF will use a coprocessor card and CPAC-F,
From http://www-03.ibm.com/systems/z/os/zos/ ... cecca.html
- Java processing can be offloaded to zIIP.
- encryption functions can be offloaded to ICSF by using the IBMJCECCA provider. ICSF will use a coprocessor card and CPAC-F,
From http://www-03.ibm.com/systems/z/os/zos/ ... cecca.html
To use IBMJCECCA, you must be running a system at the z/OS V1R6 level or higher, and ICSF must be running. IBMJCECCA will exploit cryptographic hardware capabilities where available, via the CP Assist hardware (CPACF) and/or PCI-X adapter crypto processors available on z800 or z900 and later generation processors.