The z890 and z990 support the PCI X Cryptographic Coprocessor (PCIXCC) and Crypto Express2 Coprocessor (CEX2C).

z9 EC and z9 BC support the Crypto Express2 Coprocessor (CEX2C).

z10 EC and z10 BC support the Crypto Express2 Coprocessor (CEX2C) and the Crypto Express3 Coprocessor (CEX3C).

z196 supports the Crypto Express3 Coprocessor (CEX3C).

The z900 support the Cryptographic Coprocessor Feature (CCF). The PCI Cryptographic Coprocessor (PCICC) is an optional feature.

When sharing a CKDS/PKDS between multiple LPARs, these need to be considered:

1. If mixing z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, or z196 and legacy systems, the CKDS must have been initialized on the legacy (CCF) system. A CKDS initialized on a z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, or z196 system cannot be shared with a CCF system; ICSF will not start.
2. The DES-MK on your PCIXCC, CEX2C, or CEX3C must match the DES master key on the CCF.
3. The ASYM-MK on your PCIXCC, CEX2C, or CEX3C system must match the SMK master key on the CCF system. If mixing different releases of ICSF, make sure service is up to date with regard to CKDS/PKDS toleration.

   If sharing a PKDS between z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, or z196 and a legacy system, and the legacy system does NOT have the SMK=KMMK, then the PKDS needs to be initialized on the legacy system. If not, the KMMK hash will not be in the PKDS header and PKA Callable Services cannot be enabled.

4. Retained keys on the PCICC, PCIXCC, CEX2C, or CEX3C cannot be shared across LPARs. Retained keys are domain specific; they can only be used on the domain where they were generated.