Re: ICSF - will "deactivate"op Lpar 'A' affect other lpars? and does it remain "deactivated"across IPLs?

[R.S.]

W dniu 2012-03-29 10:03, Francis van Zutphen pisze:
Hello fellow ICSF/crypto supporters,
We currently define our co-processor cards(CEX3) to  all our 10 lpars.
We are now in the process of outsourcing 2 lpars ( I will call these lpar "A" and 
"B").

We do not have Masterkeys defined in the CKDS for Lpar "A" and lpar "B".
We are also certain that although the co-processors are available (ONLINE 
status), they are not used.
We want to make sure that they are not used  by doing a "deactivate" via the TSO "ICSF Coprocessor 
Management panel"  on "A" and "B"

Question:  1.  Will the "deactivate" operation on lpar "A"and lpar "B"  affect 
the other lpars?
Question:  2.  Will the "deactivate" status remain across IPLs?

At a later stage we will use the support element to remove domain definitions for 
"A"and B"


CEX3 cards have domains - comparable to logical partitions. You should 
assign unique domain to each active LPAR. Domains are independent, so 
LPAR A ICSF has no influence on LPAR B, LPAR C, etc. Every LPAR use his 
own domain.
You can also decide not to assign any domain at all to given LPAR. In 
such case LPAR without domain cannot use CEX3 at all.

Everything is managed on HMC, "Customization Reset Profiles", last tab 
called Crypto or so. It's NOT tab "Security".
You decide what crypto engines should be online to the LPAR and which 
domain should be used.

Side remarks:
- each configuration have a least 2 crypto engines (redundant)
- there are 16 domains (32 for CEX3?), LESS than possible maximum for 
LPARs.
- domains cannot be shared between concurrently active LPARs.
- you cannot assign domain 1 on crypto 1, domain 8 on crypto 2, etc. You 
can assign one domain # on each crypto engine configured online.
- it is wrong to say "master key in CKDS". Master key is kept in the 
crypto card, CKDS is initialized using this key (some operational keys 
are encrypted using the master key).

--
Radoslaw Skorupka
Lodz, Poland


--
Tre tej wiadomoci moe zawiera informacje prawnie chronione Banku 
przeznaczone wycznie do uytku subowego adresata. Odbiorc moe by jedynie 
jej adresat z wyczeniem dostpu osób trzecich. Jeeli nie jeste adresatem 
niniejszej wiadomoci lub pracownikiem upowanionym do jej przekazania 
adresatowi, informujemy, e jej rozpowszechnianie, kopiowanie, rozprowadzanie 
lub inne dziaanie o podobnym charakterze jest prawnie zabronione i moe by 
karalne. Jeeli otrzymae t wiadomo omykowo, prosimy niezwocznie 
zawiadomi nadawc wysyajc odpowied oraz trwale usun t wiadomo 
wczajc w to wszelkie jej kopie wydrukowane lub zapisane na dysku.

This e-mail may contain legally privileged information of the Bank and is intended solely for business use of the addressee. This e-mail may only be received by the addressee and may not be disclosed to any third parties. If you are not the intended addressee of this e-mail or the employee authorised to forward it to the addressee, be advised that any dissemination, copying, distribution or any other similar activity is legally prohibited and may be punishable. If you received this e-mail by mistake please advise the sender immediately by using the reply facility in your e-mail software and delete permanently this e-mail including any copies of it either printed or saved to hard drive. 

BRE Bank SA, 00-950 Warszawa, ul. Senatorska 18, tel. +48 (22) 829 00 00, fax 
+48 (22) 829 00 33, www.brebank.pl, e-mail: i...@brebank.pl
Sd Rejonowy dla m. st. Warszawy XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, nr rejestru przedsibiorców KRS 0000025237, NIP: 526-021-50-88. 
Wedug stanu na dzie 01.01.2012 r. kapita zakadowy BRE Banku SA (w caoci wpacony) wynosi 168.410.984 zotych.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN