Management Of Crypto Express5S - IBM z13s Technical Manual

6.5.5 Management of Crypto Express5S

With zEC12 and older servers, each cryptographic coprocessor has 16 physical sets of
registers or queue registers. With z13, this number is raised to 85. This amount corresponds
to the maximum number of LPARs running on a z13, which is also 85. Therefore, with z13s
servers, the number of register sets for a Crypto Express5S card is 40. Each of these 40 sets
belongs to a domain as follows:
A cryptographic domain index, in the range of 0 - 39, is allocated to a logical partition in its
image profile. The same domain must also be allocated to the ICSF instance that runs in
the logical partition that uses the Options data set.
Each ICSF instance accesses only the Master Keys or queue registers corresponding to
the domain number specified in the logical partition image profile at the SE and in its
Options data set. Each ICSF instance sees a logical cryptographic coprocessor that
consists of the physical cryptographic engine and the unique set of registers (the domain)
allocated to this logical partition
The installation of the CP Assist for Cryptographic Functions (CPACF) DES/TDES
enablement, Feature Code #3863, is required to use the Crypto Express5S feature.
Each Crypto Express5S feature contains one PCI-X adapter. The adapter can be in the
following configurations:
IBM Enterprise Common Cryptographic Architecture (CCA) Coprocessor (CEX5C)
IBM Enterprise Public Key Cryptography Standards#11 (PKCS) Coprocessor (CEX5P)
IBM Crypto Express5S Accelerator (CEX5A)
During the feature installation, the PCI-X adapter is configured by default as the CCA
coprocessor.
The configuration of the Crypto Express5S adapter as EP11coprocessor requires a Trusted
Key Entry (TKE) tower workstation (FC 0847) or a TKE rack mounted workstation (FC 0097)
with TKE 8.0 (FC 0877) or 8.1 (FC 0878) Licensed Internal Code.
The Crypto Express5S feature does not use CHPIDs from the channel subsystem pool.
However, the Crypto Express5S feature requires one slot in a PCIe I/O drawer, and one
PCHID for each PCIe cryptographic adapter.
When enabling an LPAR to use a Crypto Express5S card, define the following cryptographic
resources in the image profile for each partition:
Usage domain index
Control domain index
PCI Cryptographic Coprocessor Candidate List
PCI Cryptographic Coprocessor Online List
Chapter 6. Cryptography
219