3 min read

Why IBM z/OS Needs a Banking-grade KMS for Hybrid Cloud

Why IBM z/OS Needs a Banking-grade KMS for Hybrid Cloud

The IBM mainframe series (“z-series”) has become a backbone for security, privacy and resilience in a large share of payment and banking related applications across the globe. This article explains why a cryptographic key management system (KMS) that supports the hybrid-cloud is a prerequisite to effective and compliant security management of these mainframes.

IBM Key Management

IBM has developed a series of software components to load and manage cryptographic operations in its mainframes and especially in any attached HSM or crypto cards. Here we list these components and detail their abilities.


Read White Paper

ICSF - or  Integrated Cryptographic Service Facility is a software component of z/OS. It is strongly interconnected with the IBM Common Cryptographic Architecture (CCA):

it interacts with the hardware cryptographic engine and the Security Server. That service provides, therefore, secure, high-speed cryptographic functions in the z/OS environment.

ICSF is closely related to the API layer of the IBM CCA. It is also the means for how secure cryptographic features are loaded with master key values that allow applications to use hardware features.

It is possible to use ICSF for key management, but this is usually a complicated process and acts only as a ‘primitive’ key management system. 

ICSF will work with other components to allow management of the most important keys, the master keys of a mainframe: loading, initializing, updating, and changing of the master keys. 

IBM Security Key Lifecycle Manager

IBM Enterprise Key Management Foundation (EKMF) is a complex product that groups several other products, such as the IBM Guardium Security Key LifeCycle Manager (ISKLM/SKLM), formerly known as the Tivoli Key Lifecycle Manager (TKLM). 

IBM’s EKMF is KMIP-compliant, which allows a lot of key operations to be performed. Nevertheless this is proprietary to IBM and requires additional IBM components to work. 

What a Banking-grade Key Management System (KMS) Must Do

Cryptographic Key Management is a vital part of cryptographic technology. The scalability of the methods used to distribute keys and its usability is especially crucial for a KMS.

As financial institutions move more applications to the cloud (public and private), a ‘real / comprehensive’ KMS must provide key management for the complete key life-cycle, which delivers full usability of cryptographic technology, provides scalability across cryptographic technologies and supports a global cryptographic key management infrastructure across the hybrid cloud.

New Call-to-actionHere are a few things a real KMS must be able to control: 

  • Where/how the key is generated;
  • Where/how the key is stored and used;
  • Metadata elements;
  • Entities where the key is distributed;
  • How the key is protected in distribution;
  • How the key is protected at the endpoint ;
  • Archives;
  • Accountability/ auditability;
  • Serve a particular application or entire enterprise.

Key management systems allow for key material to be easily shared and transferred between mainframes, conventional servers, and even cloud-based services. It must provide a central and universal repository of the most critical cryptographic keys. 

There are many requirements and checks when considering using a KMS. Here are some examples to consider: 

  • How are cryptographic functions performed by humans designed for ease of use? 
  • How is human error detected and corrected by a KMS? 
  • What are the required performance characteristics of the KMS? 
  • How can the KMS be scaled to exceed the peak performance characteristics if necessary? 
  • How are keys revoked?

Besides these examples, many other norms are interacting with a ‘real’ KMS, such as KMIP or the ANSI X9.24 standard.

A Banking-grade KMS for z/OS and the Z Platform

Banks and financial organizations use a lot of mainframes, notably IBM mainframes. On the other hand, the same organizations need an interoperable life-cycle KMS for their daily cryptographic and security operations across the various public clouds as well as their on-premise data centres and applications. 

Key management tools from IBM, e.g., EKMF and others do not bring all the features needed by a unified and flexible banking-grade KMS. Because their functionalities are often complementary, they are split into different tools. Therefore, there actually is not a single IBM software that provides exhaustive key management functions. 

The process of importing keys is usually a manual process when using IBM’s key management tools, and as such, it is incredibly time-consuming and can become a real hassle.

Therefore, a modern and banking-grade KMS that supports hybrid cloud architectures is necessary for the IBM platform when deployed in the context of financial services. Banks that primarily use IBM systems can experience the agility and automation required by modern business processes. 

Cryptomathic's Crypto Key Management System (CKMS) is a centralized banking-grade key management system that delivers automated key updates and distribution to a broad range of applications. CKMS manages the entire lifecycle of all keys (symmetric and asymmetric), supports robust business processes and allows you to confidently comply with and pass internal & external audits.

CKMS supports full life-cycle key management for hybrid cloud infrastructures and is now fully integrated with IBM mainframes. The z/OS integration extends the benefits of CKMS to a new class of applications: for the first time an independent and well-trusted KMS can programmatically deliver keys to applications running in the cloud and on a mainframe, without altering the application. Using IBM’s standard REST API, CKMS securely updates keys in a data-set, supporting the IBM CCA key-format.


Read White Paper