Creating a domain group

A domain group contains either domains on one or more crypto modules configured with CCA firmware, or domains on one or more crypto modules configured with EP11 firmware. A domain group cannot contain a mixture of CCA crypto module domains and EP11 crypto module domains.

To create a new domain group:
  1. Right-click in the Domain Groups container.

    A popup menu displays.

  2. To create a domain group containing domains from CCA crypto modules, select the Create New CCA Domain Group menu item. To create a domain group containing domains from EP11 crypto modules, select the Create New EP11 Domain Group menu item.

    The “Create New Group” window opens.

    Note: For CCA domain groups, the supported crypto module types are CEX2C, CEX3C, CEX4C, and CEX5C. For EP11 domain groups, the supported crypto module types are CEX4P and CEX5P.
    Figure 1. Create Domain Group
  3. Enter your information in the following fields:
    1. Group ID - Name of the domain group (mandatory)
    2. Description - Optional free text description
    3. Select the crypto module domains to be in the domain group. In the Host tree structure, select the domains from each host you want to include in the domain group by selecting the checkbox associated with the domain. You will be prompted to log on to the selected host or hosts if you are not currently logged on.
      Note: Only domains defined as control domains on the crypto module will be available for inclusion in the domain group.
    4. Select the crypto module domain to be the Master Domain by right-clicking on the domain and selecting Make this the Master Domain. The Master Domain information field of the Create New Group window changes to represent the Master Domain information.
    5. When finished, press OK.
Notes:
  1. Crypto modules at different CCA levels may support different features. For example, ECC (APKA) master keys were introduced with the CEX3C crypto module and restricted PIN support was introduced with the CEX4C crypto module. Domain groups can be created using crypto modules at different CCA levels. The notebook for the domain group will reflect the features supported on the crypto module containing the master domain.
  2. If the crypto module containing the master domain has capabilities that other crypto modules in the group do not have, what happens during a group operation depends on the specific command executed. Commands to clear and load the AES and ECC (APKA) master keys are ignored on crypto modules that do not support those master key types. All other commands, such as commands to manage decimalization tables and restricted PINs, are attempted on all domains in the group and will fail on crypto modules that do not support those operations.
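Before a group operation on a mixed-level CCA group, it helps to know which member domains will skip a master key command and which will return errors. The following added example (a planning model, not TKE code or a TKE API) applies the rules on this page; the Domain record, the function names, the feature labels, and the sample hosts are hypothetical, and it assumes a feature remains available on every later CCA module type.

```python
from dataclasses import dataclass

# Module types and feature levels as stated on this page.
CCA_TYPES = ["CEX2C", "CEX3C", "CEX4C", "CEX5C"]
EP11_TYPES = ["CEX4P", "CEX5P"]
INTRODUCED_WITH = {"ecc_master_key": "CEX3C", "restricted_pin": "CEX4C"}
# Master key clear/load commands are ignored where unsupported; other commands fail.
IGNORED_IF_UNSUPPORTED = {"ecc_master_key"}

@dataclass(frozen=True)
class Domain:  # hypothetical record, not a TKE data structure
    host: str
    module_type: str
    index: int
    control_domain: bool = True

def group_errors(domains, master):
    """Return the group-creation rules from this page that the selection breaks."""
    errors = []
    types = {d.module_type for d in domains}
    if types - set(CCA_TYPES) - set(EP11_TYPES):
        errors.append("unsupported crypto module type")
    if types & set(CCA_TYPES) and types & set(EP11_TYPES):
        errors.append("mixes CCA and EP11 domains")
    if any(not d.control_domain for d in domains):
        errors.append("contains a domain that is not a control domain")
    if master not in domains:
        errors.append("master domain is not a member of the group")
    return errors

def supports(module_type, feature):
    # Assumption: a feature stays available on every later CCA module type.
    return CCA_TYPES.index(module_type) >= CCA_TYPES.index(INTRODUCED_WITH[feature])

def predict(domains, master, feature):
    """Map each domain to 'applied', 'ignored' or 'failed' for a group command."""
    if group_errors(domains, master) or master.module_type not in CCA_TYPES:
        raise ValueError("not a valid CCA domain group")
    if not supports(master.module_type, feature):
        return {}  # assumption: the group notebook does not offer the command
    miss = "ignored" if feature in IGNORED_IF_UNSUPPORTED else "failed"
    return {d: "applied" if supports(d.module_type, feature) else miss
            for d in domains}

# Constructed sample group: master domain on a CEX5C, one member on a CEX2C.
MASTER = Domain("HOSTA", "CEX5C", 0)
GROUP = [MASTER, Domain("HOSTA", "CEX2C", 1), Domain("HOSTB", "CEX4C", 0)]
```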