Before you configure Crypto Express Network API for Secure Execution Enclaves, ensure that you check with your system administrator if the master key is initialized. For more information, see Trusted Key Entry (TKE) CCA Playlist Introduction, and the "Reviewing and changing current logical partition cryptographic controls" topic from the Processor Resource/Systems Manager Planning Guide.

Hardware requirements for Secure Service Container partition

You can configure Secure Service Container partitions on the following IBM Z and LinuxONE systems.

  • IBM z15 (z15) (machine type 8561 or 8562)
  • IBM z14 (z14) (machine type 3906 or 3907)
  • IBM LinuxONE III (LinuxONE III)
  • IBM LinuxONE Emperor II (Emperor II), or IBM LinuxONE Rockhopper II (Rockhopper II)

It is suggested to use the latest available firmware for Secure Service Container, which is identified by the engineering changes (ECs) in the following table. To find the latest available EC microcode control levels (MCLs) for Secure Service Container, use the instructions for hardware updates in "Chapter 2. Prerequisites for using Secure Service Container" in the Secure Service Container User's Guide, SC28-6978-02a.

Machine Type Version / Driver Bundle Engineering Changes
8561 or 8562 Version 2.15.0
Driver 41
S49a or later - SE-BCBASE P46639
- SE-BCBOOT P46640
- SE-BCINST P46655
3906 Version 2.14.1
Driver 36
S64b or later - SE-BCBASE P41454
- SE-BCBOOT P41454
- SE-BCINST P41467
3907 Version 2.14.1
Driver 36
S53 or later - SE-BCBASE P41453
- SE-BCBOOT P41454
- SE-BCINST P41467

Table 1. Engineering changes by machine type

The following list shows the minimal requirements of Crypto Express Network API for Secure Execution Enclaves partition.

  • 1 IFL
  • 6 GB RAM
  • 50 GB data storage

Configuring crypto express card/domain on Secure Service Container partition

To configure crypto express card/domain on Secure Service Container partition, you can use specific tasks(crypto) on the Hardware Management Console (HMC) for a host system. For more information about the host system, see the appropriate overview on the IBM Redbooks website. For example, for the z15, see the "IBM z15 Technical Introduction, SG24-8850".

  1. Open the Customize/Delete Activation Profiles task, and then select SSC mode on the Customize Image Profiles page.
  2. Provide or modify any cryptographic controls (crypto express domain in EP11 mode) on the Crypto page.

Note: Confirm whether the crypto express domain is configured in the EP11 mode. For more information, see "Chapter 8 - Using the Crypto Module Notebook to administer EP11 crypto modules" in the Cryptographic Services ICSF Trusted Key Entry Workstation (TKE) User's Guide.