The Cryptographic Coprocessor Feature can include up to two cryptographic coprocessors, each of which is attached to a central processor within the central processor complex. Each cryptographic coprocessor has sixteen master key register sets, referred to as domains. ICSF uses the domain usage index to access each domain. You can configure the complex to run in one of these modes:

• Single image mode
• Logical partition mode

Single Image Mode

In single image mode, the processor complex has access to the same domain on both Crypto CP 0 and Crypto CP 4. The domain is specified in the installation options data set. The DOMAIN parameter is optional. It is required if more than one domain is specified as the usage domain on the PR/SM panels or if running in native mode. See z/OS Cryptographic Services ICSF System Programmer’s Guide for additional information on the DOMAIN parameter. The accessed domain on both coprocessors must have the same master key. Figure 3 shows an example single image mode configuration.

Figure 3. Two Crypto CPs on a Processor Complex Running in Single Image Mode

Logical Partition (LPAR) Mode

You can divide your processor complex into PR/SM logical partitions (LPARs). When you create logical partitions on your processor complex, you use the usage domain index on the Support Element Customize Image Profile page to enable access to a Crypto CP domain. The number that is specified for the usage domain index must correspond to the domain number you specify with the DOMAIN(n) keyword in the installation options data set. The DOMAIN parameter is optional. It is required if more than one domain is specified as the usage domain on the PR/SM panels or if running in native mode. See z/OS Cryptographic Services ICSF System Programmer’s Guide for additional information on the DOMAIN parameter.

You can assign more than one domain to an LPAR, but you must use a unique installation options data set to define each domain. Assigning more than one domain to an LPAR makes it possible to have separate master keys for different purposes. For example, you might have one master key for production operations and a different master key for test operations.

The PCI Cryptographic Coprocessor can be configured like a Cryptographic Coprocessor Feature. It can be dedicated or shared across multiple partitions with each card supporting up to 16 domains.

The PCI Cryptographic Accelerator can be configured like a Cryptographic Coprocessor Feature. It can be dedicated or shared across multiple partitions with each card supporting up to 16 domains.

When using logical partitions, there is no domain sharing unless TKE is being used. The 'HOST' LPAR can control the domains of the other LPARS if the control domain for the first LPAR is setup for it. The example in Figure 4 shows that LPAR 1 has access to Domain 0 on Crypto CP 0, Crypto CP 1, and PCICC. LPAR 2 has access to Domain 1 and Domain 2 on both Crypto CPs and on the PCICC. LPAR 1 cannot access Domain 1 or Domain 2 on the PCICC or on either of the Crypto CPs. Likewise, LPAR 2 cannot access Domain 0 on either Crypto CP or the PCICC. The ICSF system running on the operating system in LPAR 2 has access to only one domain at any particular time, as specified in the installation options data set.

Figure 4. Two Crypto Coprocessors and one PCICC on a Processor Complex Running in LPAR Mode