You can create a domain group containing domains on one or more
crypto modules configured with CCA firmware, or a domain group
containing domains on one or more crypto modules configured with EP11
firmware. A domain group cannot contain a mixture of CCA crypto module
domains and EP11 crypto module domains.
To create a new domain group:
- Right-click in the Domain Groups container. A popup menu displays.
- To create a domain group containing domains from CCA crypto modules,
  select the Create New CCA Domain Group menu item. To create a domain
  group containing domains from EP11 crypto modules, select the Create
  New EP11 Domain Group menu item. The “Create New Group” window opens.
  Note: For CCA domain groups, the supported crypto module types are
  CEX2C, CEX3C, CEX4C, and CEX5C. For EP11 domain groups, the supported
  crypto module types are CEX4P and CEX5P.
  Figure 1. Create Domain Group
- Enter your information in the following fields:
  - Group ID - Name of the domain group (mandatory)
  - Description - Optional free text description
- Select the crypto module domains to be in the domain group. In
the Host tree structure, select the domains from each host you want
to include in the domain group by selecting the checkbox associated
with the domain. You will be prompted to log on to the selected host
or hosts if you are not currently logged on.
  Note: Only domains defined as control domains on the crypto module
  will be available for inclusion in the domain group.
- Select the crypto module domain to be the Master Domain by right-clicking
on the domain and selecting Make this the Master Domain.
The Master Domain information field of the Create New Group window
changes to represent the Master Domain information.
- When finished, press OK.
Notes:
- Crypto modules at different CCA levels may support different features.
For example, ECC (APKA) master keys were introduced with the CEX3C
crypto module and restricted PIN support was introduced with the CEX4C
crypto module. Domain groups can be created using crypto modules at
different CCA levels. The notebook for the domain group will reflect
the features supported on the crypto module containing the master
domain.
- If the crypto module containing the master domain has capabilities
that other crypto modules in the group do not have, what happens during
a group operation depends on the specific command executed. Commands
to clear and load the AES and ECC (APKA) master keys are ignored on
crypto modules that do not support those master key types. All other
commands, such as commands to manage decimalization tables and restricted
PINs, are attempted on all domains in the group and will fail on crypto
modules that do not support those operations.