From the planning and admin:

Should I be able to run two guests using crypto with the same domain?
Only one virtual machine may use a domain at a time. If more than one 
virtual machine has a CRYPTO statement for a given domain, only the first 
virtual machine that logs on receives use of the domain. 

Also, as a processor migration is mentioned, here is some info that is 
within our hardware buckets:

 1. 06/01/18 RUNNING Z/OS GUESTS ON Z/VM USING PCI CRYPTO CARDS ON Z890,
    Z990, AND LATER PROCESSORS.

    Changes in crypto set-up are necessary when migrating from the
    Cryptographic Coprocessor Facility (CCF) on the zSeries z800 and
    z900 servers to the PCI cryptographic cards on the z890
    (2086device), z990 (2084device), and later processors. With the
    z990 and z890, the Cryptographic Coprocessor Facility has been
    removed and replaced with the Central Processor Assist for
    Cryptographic Functions (CPACF) and the PCI cryptographic
    accelerators and coprocessors. This requires changes to the z/VM
    CRYPTO directory control statement.

    For CCF, it was necessary to include the CRYPTO Directory Control
    Statement with the following operands:  DOMAIN, CSU, KEYENTRY,
    SPECIAL, and MODIFY.  For PCI crypto, the CSU, KEYENTRY, SPECIAL,
    and MODIFY operands are no longer needed and are ignored if
    specified. The operands used for PCI crypto are DOMAIN,
    APDEDICATED, and APVIRT. The APVIRT operand is intended to
    authorize hardware for SSL acceleration for Linux and VSE guests
    and is not used for z/OS guests. If the APVIRT operand is specified
    for z/OS guests, the Integrated Cryptographic Services Facility
    (ICSF) component of z/OS will not function properly.

    An example of the CRYPTO directory control statement authorizing a
    z/OS guest to access the PCI crypto cards is:

        CRYPTO DOMAIN 1 APDEDICATED 2 3

    This statement authorizes the z/OS guest to have dedicated access
    to crypto queue 1 on both AP 2 and AP 3.

    The APs specified on the above statement must be selected from the
    set of APs selected on the PCI Cryptographic Online List on the
    Crypto Image Profile Page for the VM logical partition.  The
    DOMAINs specified must be selected from the set of domains
    specified on the Usage Domain Index selections on the Crypto Image
    Profile Page for the logical partition. For CCF, an additional
    required step was to define a virtual crypto facility by using
    either the CRYPTO operand on the CPU directory statement or the
    DEFINE CRYPTO command.  Neither of these are required for PCI
    crypto.  It is recommended that these no longer be used in order to
    avoid the following message at logon:  HCP663E The crypto cannot be
    defined because no real crypto facility is installed.

    An additional hardware requirement for z/OS guests is that the CP
    Crypto Assist functions (CPACF) must be enabled on the processor.
    Once CPACF is enabled on the hardware, no z/VM set-up is required
    to authorize guests to access these functions and they will be
    available to all guests.
 
Hopefully this helps answer things,

Kurt Acker 




"Don W." <[EMAIL PROTECTED]> 
Sent by: The IBM z/VM Operating System <IBMVM@LISTSERV.UARK.EDU>
03/01/2007 11:24 AM
Please respond to: The IBM z/VM Operating System <IBMVM@LISTSERV.UARK.EDU>
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Multiple Guests using the Same Crypto Domain

On Wed, 28 Feb 2007 20:06:52 -0500, Lloyd Fuller <[EMAIL PROTECTED]> wrote:

>On Wed, 28 Feb 2007 15:06:48 -0600, Don W. wrote:
>
>>I am trying to define two z/OS guests that are using CRYPTO. The mainframe
>>supposedly has two CRYPTO Coprocessors. The guests need to have the same
>>DOMAIN. I thought I should be able to dedicate a CRYPTO Coprocessor to each
>>guest and use the same domain. When I bring up the first guest, it seems to
>>reserve both CRYPTO processors. The first guest gets msg HCPAPJ1708I No
>>Processor is available to service virtual crypto unit (0/1). The second
>>guest gets a msg that the DOMAIN is in use and CRYPTO is not available.
>>Should I be able to run two guests using crypto with the same domain?
>
>To answer this we will need to know what type of processor.  The different
>processors handle things differently.  In addition, if this is a z800/z900
>or older, you can only bind them to CPU0 and CPU1.
>
>Lloyd
>=========================================================================
We are currently using a z900 but will soon have a z9.
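
A check for the set-up rules quoted in this message, as an added example that is not part of the original post or of any IBM tooling: it scans user-directory text for CCF-only operands left on a CRYPTO statement, APVIRT on a z/OS guest, and a domain claimed by more than one guest. The directory layout is simplified (one statement per line, no continuations or profiles), the sample entries are constructed, and the function names and the caller-supplied set of z/OS guest names are assumptions.

```python
from collections import defaultdict

# Constructed sample in simplified user-directory form (one statement per line).
SAMPLE_DIRECTORY = """\
USER ZOS1 XXXXXXXX 2G 4G G
 CRYPTO DOMAIN 1 APDEDICATED 2 3
USER ZOS2 XXXXXXXX 2G 4G G
 CRYPTO DOMAIN 1 CSU 0 KEYENTRY APDEDICATED 3
USER ZOS3 XXXXXXXX 2G 4G G
 CRYPTO DOMAIN 4 APVIRT
USER LINUX1 XXXXXXXX 1G 2G G
 CRYPTO APVIRT
"""

KEYWORDS = {"DOMAIN", "APDEDICATED", "APVIRT", "CSU", "KEYENTRY", "SPECIAL", "MODIFY"}
CCF_ONLY = {"CSU", "KEYENTRY", "SPECIAL", "MODIFY"}  # ignored for PCI crypto


def parse_crypto(directory):
    """Return {userid: {operand: [values]}} for every CRYPTO statement."""
    guests, user = {}, None
    for line in directory.splitlines():
        tokens = line.upper().split()
        if tokens[:1] == ["USER"] and len(tokens) > 1:
            user = tokens[1]
        elif tokens[:1] == ["CRYPTO"] and user:
            ops, current = guests.setdefault(user, {}), None
            for tok in tokens[1:]:
                if tok in KEYWORDS:
                    current = ops.setdefault(tok, [])  # start a new operand
                elif current is not None:
                    current.append(tok)                # value of that operand
    return guests


def lint(directory, zos_guests):
    """Flag the set-up problems described above; zos_guests is an assumed input."""
    guests, findings, by_domain = parse_crypto(directory), [], defaultdict(list)
    for user, ops in guests.items():
        for op in sorted(CCF_ONLY.intersection(ops)):
            findings.append((user, "CCF operand %s is ignored for PCI crypto" % op))
        if "APVIRT" in ops and user in zos_guests:
            findings.append((user, "APVIRT on a z/OS guest: ICSF will not function properly"))
        for dom in ops.get("DOMAIN", []):
            by_domain[dom].append(user)
    for dom, users in by_domain.items():
        if len(users) > 1:  # only the first guest to log on receives the domain
            findings.append((",".join(users), "domain %s is claimed by more than one guest" % dom))
    return findings
```

Calling `lint(SAMPLE_DIRECTORY, {"ZOS1", "ZOS2", "ZOS3"})` returns one tuple per finding, with the guest name or names first and the reason second.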
