ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzajc_5.4.0.1/rzajccustomapp4758.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Scenario: Write an i5/OS application to use the Cryptographic Coprocessor" />
<meta name="abstract" content="This scenario could help an i5/OS programmer reason through the process of writing a program that calls the Cryptographic Coprocessor to verify user data such as financial personal identification numbers (PINs), which are entered at automatic teller machines (ATMs)." />
<meta name="description" content="This scenario could help an i5/OS programmer reason through the process of writing a program that calls the Cryptographic Coprocessor to verify user data such as financial personal identification numbers (PINs), which are entered at automatic teller machines (ATMs)." />
<meta name="DC.Relation" scheme="URI" content="rzajcscen4758.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajcsecureaccess.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajcsetup.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="customapp4758" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario: Write an i5/OS application to use the Cryptographic Coprocessor</title>
</head>
<body>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<div class="nested0" id="customapp4758"><a name="customapp4758"><!-- --></a><h1 class="topictitle1">Scenario: Write an i5/OS application to use the Cryptographic Coprocessor</h1>
<div><p>This scenario could help an i5/OS™ programmer reason through the process
of writing a program that calls the Cryptographic Coprocessor to verify user
data such as financial personal identification numbers (PINs), which are entered
at automatic teller machines (ATMs).</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajcscen4758.htm" title="To give you some ideas of how you can use this cryptographic hardware with your system, read these usage scenarios.">Cryptographic Coprocessor scenarios</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzajcsecureaccess.htm" title="Access control restricts the availability of system resources to only those users you have authorized to interact with the resources. The server allows you to control authorization of users to system resources.">Secure access</a></div>
<div><a href="rzajcsetup.htm" title="Configuring your Cryptographic Coprocessor allows you to begin to use all of its cryptographic operations.">Configure the Cryptographic Coprocessor</a></div>
</div>
</div></div>
<div class="nested0" xml:lang="en-us" id="situation"><a name="situation"><!-- --></a><h1 class="sectionscenariobar">Situation</h1>
<div><p>Suppose you are a system programmer for a large Credit Union.
You have been assigned the task of using the Cryptographic Coprocessor PCI
card installed in the Credit Union's system to verify members' financial
personal identification numbers (PINs) when they are entered at automatic
teller machines (ATMs).</p>
<div class="p">You decide to write an i5/OS application program using the CCA CSP (cryptographic
service provider) APIs that are part of Option 35 to access the cryptographic
services in the Cryptographic Coprocessor to verify members' PINs. i5/OS application
programs written for the Cryptographic Coprocessor use the coprocessor
to perform security-sensitive tasks and cryptographic operations, so that clear PIN
values and clear key values are handled only inside the card and never by the host program. <div class="note"><span class="notetitle">Note:</span> Multiple
Cryptographic Coprocessors can be used through the CCA CSP. The application must
select the individual Coprocessor that its subsequent CCA calls use by calling Cryptographic_Resource_Allocate
(CSUACRA), and release it with Cryptographic_Resource_Deallocate (CSUACRD).</div>
</div>
</div>
</div>
<div class="nested0" xml:lang="en-us" id="scenariodetails"><a name="scenariodetails"><!-- --></a><h1 class="sectionscenariobar">Details</h1>
<div><ol><li>A Credit Union member enters his or her PIN at an ATM.</li>
<li>The ATM formats the PIN into a PIN block, encrypts it under a PIN-encrypting
key, and sends it over the network to the Credit Union's system. The clear PIN
never travels on the network.</li>
<li>The system recognizes the transaction request and calls a program to
verify the member's PIN.</li>
<li>The program sends a request to the Cryptographic Coprocessor containing the
encrypted PIN block, the member's account number, and identifiers (key-store labels
or encrypted key tokens) for the PIN-generating key and the PIN-encrypting key. The
clear values of these keys exist only inside the Coprocessor; the program never handles them.</li>
<li>The Cryptographic Coprocessor decrypts the PIN block internally, recomputes the
expected PIN under the PIN-generating key, and confirms or denies the validity of
the PIN. Only the verdict, as a return code and reason code, leaves the card; the clear PIN does not.</li>
<li>The program sends the Cryptographic Coprocessor's result to the ATM. <ol type="a"><li>If the PIN is confirmed, the member can successfully complete a transaction
with the Credit Union.</li>
<li>If the PIN is denied, the member is unable to complete a transaction with
the Credit Union.</li>
</ol>
</li>
</ol>
</div>
<div class="nested1" xml:lang="en-us" id="prerequisites"><a name="prerequisites"><!-- --></a><h2 class="sectionscenariobar">Prerequisites and assumptions</h2>
<div><ol><li>Your company has a system with a properly installed and configured Cryptographic
Coprocessor. Refer to the following information: <ol type="a"><li><a href="rzajcplan4758.htm#plan4758">Plan for the Cryptographic Coprocessor</a></li>
<li><a href="rzajcsetup.htm#setup">Configure the Cryptographic Coprocessor</a></li>
<li><a href="rzajcprereqcustomapps.htm#prereqcustomapps">Configure the
Cryptographic Coprocessor for use with i5/OS applications</a></li>
</ol>
</li>
<li>You are familiar with the Common Cryptographic Architecture
Cryptographic Service Provider (CCA CSP). It is packaged as i5/OS Option
35, and provides a security application programming interface (SAPI) to which
you can write applications that access the cryptographic services
of the Cryptographic Coprocessor.</li>
<li>You have access to the <a href="http://www-306.ibm.com/security/cryptocards/pdfs/CCA_Basic_Services_241_Revised_20030918.pdf" target="_blank">CCA Basic Services Guide</a> <img src="www.gif" alt="Link outside Information Center." />, where you can find Financial
Services Support verbs to use in your application.</li>
</ol>
</div>
</div>
</div>
<div class="nested0" xml:lang="en-us" id="configurationsteps"><a name="configurationsteps"><!-- --></a><h1 class="sectionscenariobar">Configuration steps</h1>
<div><div class="section"><p>One way to accomplish your objective of using the Cryptographic
Coprocessor to validate PINs is to write two i5/OS applications:</p>
</div>
<ol><li class="stepexpand"><span>Write a program that loads both the PIN-verification keys
and the PIN-encrypting keys and stores them in a key store file. Assuming that
clear key parts are used (each part is entered separately and combined inside the
Coprocessor, so the complete clear key never exists on the host), you need to use the following APIs: </span> <ul><li>Logon_Control (CSUALCT), to log on with a profile that is authorized to import key parts</li>
<li>Key_Part_Import (CSNBKPI)</li>
<li>Key_Token_Build (CSNBKTB)</li>
<li>Key_Record_Create (CSNBKRC)</li>
<li>Key_Record_Write (CSNBKRW)</li>
<li>Optional API: KeyStore_Designate (CSUAKSD)</li>
</ul>
</li>
<li class="stepexpand"><span>Write a second program that calls the Encrypted_PIN_Verify (CSNBPVR)
API to verify encrypted PINs, and then reports their valid or invalid status
back to the ATM. The program passes the key-store labels of the PIN-encrypting key and the
PIN-verifying key; it never needs, and must never log, the clear PIN or the clear keys.</span></li>
</ol>
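<p>The following is an added example and is not code from this Information Center page or from the CCA CSP. It models in host software, with constructed keys and data, the PIN check that the Details section above describes and that the Encrypted_PIN_Verify (CSNBPVR) call in step 2 performs inside the Cryptographic Coprocessor, using the IBM 3624 PIN-offset method (the IBM-PINO rule of CSNBPVR): the ATM forms an ISO format-0 PIN block from the PIN and the account number (PAN) and encrypts it under the PIN-encrypting key; the verifier decrypts the block, rejects anything malformed, recomputes the natural PIN from the validation data under the PIN-generating key, adds the offset stored for the member at enrollment, and compares. The key values, PAN, validation data, decimalization table, and the function names are all assumptions made for the example; in the real scenario none of the clear keys or the clear PIN is ever visible to the host program, and this model exists only to show what the verb computes and which inputs it needs.</p>

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"strings"
)

// Constructed test values only (24-byte TDES keys); in the real scenario the clear keys exist only inside the Coprocessor.
var (
	testPINGEN   = []byte("PINGEN-test-key-24-bytes")
	testIPINENC  = []byte("IPINENC-test-key-24bytes")
	testPAN      = "4000123456789010" // also serves as the IBM 3624 validation data (16 hex digits)
	testDecTable = "0123456789012345" // decimalization table, indexed by hex digit value
)

// tdes returns a TDES block cipher; a wrong key length is a configuration error in this model.
func tdes(key []byte) cipher.Block {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		panic(err)
	}
	return c
}

// xorPAN XORs a block with the ISO format-0 PAN field (0000 + 12 rightmost PAN digits, check digit excluded).
func xorPAN(blk []byte, pan string) ([]byte, error) {
	if len(pan) < 13 || strings.Trim(pan, "0123456789") != "" {
		return nil, errors.New("PAN must be at least 13 decimal digits")
	}
	pf, _ := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
	out := make([]byte, 8)
	for i := range out {
		out[i] = blk[i] ^ pf[i]
	}
	return out, nil
}

// ISO0PINBlock builds the clear format-0 block the ATM forms before encryption: nibbles 0, PIN length, PIN digits, F padding, XOR PAN field.
func ISO0PINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be 4-12 decimal digits")
	}
	field := "0" + "0123456789ABCDEF"[len(pin):len(pin)+1] + pin
	blk, _ := hex.DecodeString(field + strings.Repeat("F", 16-len(field)))
	return xorPAN(blk, pan)
}

// naturalPIN is the IBM 3624 step done under the PIN-generating key: encrypt the validation data, decimalize, keep pinLen digits.
func naturalPIN(pingen []byte, valData, decTable string, pinLen int) string {
	vd, err := hex.DecodeString(valData)
	if err != nil || len(vd) != 8 || len(decTable) != 16 {
		panic("validation data must be 16 hex digits and the table 16 digits")
	}
	enc := make([]byte, 8)
	tdes(pingen).Encrypt(enc, vd)
	nat := make([]byte, pinLen)
	for i, c := range hex.EncodeToString(enc)[:pinLen] {
		nat[i] = decTable[strings.IndexRune("0123456789abcdef", c)]
	}
	return string(nat)
}

// addDigits returns a + sign*b digit-wise mod 10: sign -1 derives an offset, +1 applies one.
func addDigits(a, b string, sign int) string {
	out := make([]byte, len(a))
	for i := range out {
		out[i] = byte('0' + (int(a[i]-'0')+sign*int(b[i]-'0')+10)%10)
	}
	return string(out)
}

// GenerateOffset derives the member's PIN offset (customer PIN minus natural PIN), the non-secret value stored with the account at enrollment.
func GenerateOffset(pingen []byte, pin, valData, decTable string) string {
	return addDigits(pin, naturalPIN(pingen, valData, decTable, len(pin)), -1)
}

// VerifyEncryptedPIN models CSNBPVR with the IBM-PINO rule: open the PIN block under IPINENC, reject anything
// malformed, recompute natural PIN plus offset under PINGEN and compare. Only the verdict leaves, never the clear PIN.
func VerifyEncryptedPIN(ipinenc, pingen, encBlock []byte, pan, valData, decTable, offset string) (bool, error) {
	if len(encBlock) != 8 {
		return false, errors.New("encrypted PIN block must be 8 bytes")
	}
	clear := make([]byte, 8)
	tdes(ipinenc).Decrypt(clear, encBlock)
	x, err := xorPAN(clear, pan)
	if err != nil {
		return false, err
	}
	s := strings.ToUpper(hex.EncodeToString(x))
	n := strings.IndexByte("0123456789ABCDEF", s[1])
	if s[0] != '0' || n < 4 || n > 12 || n != len(offset) || strings.Trim(s[2:2+n], "0123456789") != "" || strings.Trim(s[2+n:], "F") != "" {
		return false, errors.New("PIN block is malformed or not of the enrolled length")
	}
	return addDigits(naturalPIN(pingen, valData, decTable, n), offset, 1) == s[2:2+n], nil
}
```

<p>The flow for one transaction is: at enrollment, <code>GenerateOffset</code> produces the offset that is stored with the account; at the ATM, <code>ISO0PINBlock</code> followed by a TDES encryption under the PIN-encrypting key produces what travels on the network; at the host, <code>VerifyEncryptedPIN</code> answers only true or false. The malformed-block check is what turns a wrong PIN-encrypting key or a wrong PAN into a clean rejection instead of a comparison against garbage, which is the behaviour a practitioner expects from the coprocessor's reason code rather than from an application-level check.</p>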
</div>
</div>
</body>
</html>