By Eric Reid-ISV Engineering-Oracle on Dec 08, 2015
Oracle and IBM have a very close working relationship running IBM software on Oracle hardware. One of the recent results of this collaboration is the announcement by IBM that its GSKit v8 now supports SPARC M7 hardware encryption (as well as SPARC T4 and T5 processors). This, in turn, means that several IBM software products can now make use of on-chip SPARC hardware encryption today, automatically, without significant performance impact.
What Is GSKit?
The IBM Global Security Kit (aka GSKit) is not a product offering in itself, but instead a security framework used by many IBM software products for its cryptographic and SSL/TLS capabilities. Example IBM products making use of GSKit today include DB2, Informix, IBM HTTP Server and WebSphere MQ. This latest version of GSKit (aka "IBM Crypto for C"), version 8, was validated as a FIPS 140-2 Cryptographic Module earlier this year.
Obtaining The Proper Version of GSKit
GSKit is bundled with each product that makes use of it; over time, new product releases will incorporate GSKit v8 by default. Until then, the latest GSKit v8 for SPARC/Solaris is available on IBM Fix Central, for download and upgrade into existing products. Installation instructions can be found here.
The support described above is available in GSKit v22.214.171.124 and later. As of this writing, the latest GSKit v126.96.36.199 is available for download from Fix Central.
IBM Products that currently make use of GSKit v8 on Solaris (and therefore could take advantage of SPARC on-chip data encryption automatically) include (but are not limited to):
- DB2: v9.7 Fix Pack 5+, v10.1, v10.5: Download and install "IBM DB2 Support Files for SSL Functionality" from IBM Passport Advantage
- IBM HTTP Server: v8.0 and v8.5 should work with GSKit v188.8.131.52 and later; most recent FixPacks that include v184.108.40.206 are available from Fix Central
- IBM Security Directory Server (aka Tivoli Directory Server): v6.3 and later certified with GSKit v220.127.116.11 and later, available from Fix Central
- Informix IDS: v11.70 and v12.10 should work with GSKit v18.104.22.168 and later, available from Fix Central
- Cognos BI Server: v10.2.2 should work with GSKit v22.214.171.124 and later, available from Fix Central
- Tivoli Storage Manager: v126.96.36.199 should work with GSKit v188.8.131.52 and later, available from Fix Central
- WebSphere MQ: v184.108.40.206 now available with this functionality
Determining Current GSKit Version
- $ /opt/ibm/gsk8/bin/gsk8ver # 32-bit version
- $ /opt/ibm/gsk8_64/bin/gsk8ver_64 # 64-bit version
What This Means
In many cases (such as SSL/TLS over-the-wire communication), products using the proper version of GSKit on Solaris/SPARC will automatically take advantage of hardware encryption. Situations with larger client-server packets will benefit more than those with small packet sizes.
This will allow these products to make use of the increased security that encryption offers with extremely low performance overhead (something that is not possible with software-only crypto or hardware crypto on other platforms).
Because each of these IBM products has specific use cases, we'll cover more details for each in future blogs.