Specifications

Chapter 13. Cryptographic adapter 137
You can easily verify CSF operation by going to omvs and issuing the following command:
od -An -N4 -td /dev/random
If CSF (or the emulated cryptographic coprocessor) is not working, the result is an internal
error message. If these functions are working, a random number is displayed.
The zPDT cryptographic coprocessor emulation functions are intended for use by developers
who require these functions. It should be clearly understood that these emulated functions
are not intended to produce a secure system or to function as a secure peer when dealing
with private data.
The zPDT system stores the coprocessor internal data in the ~/z1090/srdis directory. There
is a subdirectory here for each defined coprocessor; the master keys and other functional
data are stored in the subdirectory. The data formats in these records are not documented,
but they should not be considered cryptographically secure.
If you used a pass phrase for initialization, you should record the exact characters used
(including upper or lower case, spaces, and punctuation). You would need this to recreate the
same master keys if you reinitialize the cryptographic functions or want to create duplicate
keys on another System z.
13.4.1 Multiple zPDT instances
zPDT may have multiple instances in operation. These instances may have shared facilities,
such as shared DASD. If shared facilities are used, then a zPDT controller instance [6] must be
present as described in Chapter 6, “Multiple zPDT instances” on page 75. Coprocessors
defined in the controller instance may be shared by all zPDT instances. A maximum of 16
coprocessors may be present in a “normal” zPDT instance. A maximum of 64 coprocessors
may be defined for a controller instance.
An additional devmap statement:
domain <member name> a y #(a is a coprocessor number, y is a domain number)
is used in the devmap of a zPDT instance that is using coprocessors defined in the controller
instance. The member name is required if the domain statement appears in the controller
instance; it is used if the domain statement is in an operational instance devmap. The domain
number (y in the statement above) can be a single number, a list of numbers separated by
commas, or a range of numbers separated by a dash. The angle brackets around the member
name are not part of the syntax; they indicate an optional parameter here. Remember that the
domain numbers must be specified in the ICSF startup parameters and will be different for
each z/OS instance.
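The statement syntax just described, as an added example that is not part of the zPDT product or this document: a small Python parser that expands the domain list form (a single number, a comma-separated list, or a dash range) and enforces the coprocessor limits quoted above. It assumes that "#" starts a comment, as in the devmap listings, and it takes only the crypto and domain statement lines, not a whole devmap.

```python
import re

# Coprocessor limits stated in the text: 16 in a normal instance, 64 in a controller.
MAX_CRYPTO = {"controller": 64, "normal": 16}


def expand_domains(spec):
    """Expand y as written in the domain statement: '3', '0,2,5' or '1-4' (mixes allowed)."""
    domains = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part.strip())
        if not m:
            raise ValueError(f"bad domain element {part!r} in {spec!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if hi < lo:
            raise ValueError(f"descending range {part!r}")
        domains.update(range(lo, hi + 1))
    return sorted(domains)


def parse_statements(text, instance_kind):
    """Parse 'crypto a' and 'domain [member] a y' lines; '#' starts a comment (assumed).

    Returns (cryptos, domains): the defined coprocessor numbers and a map of
    coprocessor number -> (member name or None, expanded domain list).
    """
    cryptos, domains = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "crypto" and len(tok) == 2 and tok[1].isdigit():
            n = int(tok[1])
            if n in cryptos:
                raise ValueError(f"line {lineno}: crypto {n} defined twice")
            cryptos.append(n)
        elif tok[0] == "domain" and len(tok) in (3, 4) and tok[-2].isdigit():
            member = tok[1] if len(tok) == 4 else None
            # The text: the member name is required when the statement is in the controller.
            if instance_kind == "controller" and member is None:
                raise ValueError(f"line {lineno}: member name required in a controller")
            domains[int(tok[-2])] = (member, expand_domains(tok[-1]))
        else:
            raise ValueError(f"line {lineno}: unrecognised statement {raw.strip()!r}")
    if len(cryptos) > MAX_CRYPTO[instance_kind]:
        raise ValueError(f"{len(cryptos)} coprocessors exceed the limit of {MAX_CRYPTO[instance_kind]}")
    return cryptos, domains


# Constructed samples: the controller's three crypto statements from the text, and a
# made-up operational instance taking domain 1 on crypto 0 and domains 2, 4, 5 on crypto 1.
CONTROLLER = "crypto 0\ncrypto 1\ncrypto 2   # three shared coprocessors\n"
OPERATIONAL = "domain 0 1\ndomain 1 2,4-5\n"
```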
Three shared cryptographic coprocessors, used by three zPDT instances, might be defined
as follows:
#-------------- controller instance ----------------------
[system] #no processor is defined for the controller
...
...
[adjunct-processors]
crypto 0
crypto 1
crypto 2
[6] Very briefly, a controller instance is a zPDT instance (with a separate devmap and started with an awsstart
command) that does not contain any System z processors.