IBM Hyper Protect Virtual Servers GREP11 Overview¶
You will be working with the GREP11 feature of the Hyper Protect Virtual Servers on-premises offering.
GREP11 is a shorthand term for gRPC protocol-based Enterprise PKCS#11.
PKCS #11 refers to the Public Key Cryptography Standard #11 Cryptographic Token Interface, which is a standard for devices that hold cryptographic information and perform cryptographic functions.
gRPC stands for Google Remote Procedure Call, which is a protocol developed by Google, and contributed to open source. gRPC uses HTTP/2 for its transport protocol.
Enterprise PKCS#11, often referred to as EP11, refers to IBM's library, designed for enterprise usage, that is very similar to the PKCS #11 standard.
The PKCS #11 standard covers the following cryptographic categories, and the GREP11 library provides functions in each of these categories:
- Encryption
- Decryption
- Message digests (also known as hashes)
- Signing and MACing (Message Authentication Codes)
- Verifying signatures and MACs
- Key Management- creating symmetric keys, creating asymmetric keys, wrapping and unwrapping keys, and deriving keys from other keys
- Random number generation - strictly speaking not a cryptographic operation unto itself, but random numbers are often used in cryptographic operations
Environment¶
You will be working with the Hyper Protect Virtual Servers command line interface (CLI) running on an x86_64 virtual machine running the Ubuntu 18.04.4 Linux distribution. You will also be using this virtual machine to run programs, written in the Go programming language, that will communicate with the GREP11 server.
The GREP11 server runs as a Docker container running in a Hyper Protect Virtual Servers LPAR that runs as a Secure Service Container (SSC) LPAR on an IBM z15 server in the IBM Washington Systems Center in Herndon, Virginia, USA.
The Hyper Protect Virtual Servers LPAR is in a private network at the IBM Washington Systems Center and your Ubuntu virtual machine communicates with it through a VPN connection. The details about how you can connect by using the VPN will be shared with you by email
Note
The client program code used here could also be run on the s390x architecture. IBM provides sample client code, which connects to a GREP11 Server, in two programming languages - Go and JavaScript, both of which are supported on s390x. The client code is written in Go.
What has been done for you already¶
Our starting point is having the GREP11 servers running on our Hyper Protect Virtual Servers LPAR. Each GREP11 server is connected to a single domain on an IBM Crypto Express 7S card that is configured to our LPAR. Our Hyper Protect Virtual Servers LPAR has two Crypto Expess 7S cards configured to it, with one domain on each card dedicated to our LPAR. The GREP11 servers are already provisioned.
We will describe the process of setting this up so that you will have a reference.
Detailed Process¶
-
Read about how we configured the GREP11 servers.
-
Issue relevant Hyper Protect Virtual Servers CLI commands.
-
Clone the GitHub repository.
-
Run Hyper Protect Virtual Servers commands to inspect the GREP11 setup.
-
Run the GREP11 samples that IBM documentation points to.
-
Run custom exercises that go into greater depth.