IBM Z Hardware and Operating Systems Ideas Portal



Status Not under consideration
Categories Crypto HW
Created by Guest
Created on Mar 9, 2022

simplify repair actions of broken crypto cards

If a crypto card has broken in zHW, it is very complex to bring a replaced card into production again. Two or more people have to be at the TKE to do that. Usually, these people are not on standby, so it could take a couple of days to be fully redundant again.

There are usually some additional cards active with the same config, though. So why not mirror, copy or whatever a working card to the repaired card? For example, an HMC operator could do that. We would be back in business again within minutes, not days.

For me this is not a security issue if the mirror is done only between these two cards within a CEC, so no one can see the data moved between these cards.

Idea priority Medium
  • Guest
    May 24, 2022
    We understand the issue of bringing people into the secure room. But these are the most important keys on any system - perhaps for the business as a whole. Protecting them is of utmost importance - and bypassing the highest security is not in anyone's best interest. As a result, we must reject the request to support automatic population of the keys into the crypto express cards. We do not support population of keys to a factory-fresh card by automatic process, or by HMC admin level capability when dual control is required. The back-up process is simplified with TKE using the migration wizard.
    --for TKE-managed (audited) workloads, you cannot populate a factory fresh card without the correct personnel signing off due to the dual control requirements. For maximum resilience, back-up cards should be prepared in advance when the authorized personnel are available. Using the TKE is the most secure way to load the keys. This will provide cryptographic assurance that the intended information is loaded into the new card.
    --for non-TKE/non-audited workloads, use panel.exe (Linux) / ISPF panels (z/OS). In this case you would need to have the MK parts available in the clear.
  • Guest
    Apr 11, 2022
    Anne Dames and Team taking a look at the request on broken crypto cards