Prerequisites

Before you configure Crypto Express Network API for Secure Execution Enclaves, ensure that you check with your system administrator if the master key is initialized. For more information, see Trusted Key Entry (TKE) EP11 Playlist Introduction, and the "Reviewing and changing current logical partition cryptographic controls" topic from the Processor Resource/Systems Manager Planning Guide.

Make sure that the following hardware requirements are met and the configuration is taken care of on Secure Service Container partition.

Hardware requirements for Secure Service Container partition

You can configure Secure Service Container partitions on the following IBM Z and LinuxONE systems:

  • IBM z16 (z16) (machine type 3931 or 3932)
  • IBM z15 (z15) (machine type 8561 or 8562)
  • IBM z14 (z14) (machine type 3906 or 3907)
  • IBM LinuxONE III (LinuxONE III)
  • IBM LinuxONE Emperor II (Emperor II), or IBM LinuxONE Rockhopper II (Rockhopper II)

This topic describes the prerequisites for using the version of Secure Service Container that is available starting with the Hardware Management Console (HMC) / Support Element (SE) Version 2.15.0. For information about Secure Service Container for the previous version of the HMC/SE, see Secure Service Container User's Guide, SC28-6978.

It is suggested to use the latest available firmware for Secure Service Container, which is identified by the service bundle in the table, see Table 1. Service bundles by machine type. To find the latest available service bundle, use the instructions for hardware updates from Where to find hardware planning and corequisite software information.

Table 1. Service bundles by machine type

Machine Type Version / Driver Bundle
3931 or 3932 Version 2.16.0
Driver 51
S04a or later
8561 or 8562 Version 2.15.0
Driver 41
S20b or later
3906 Version 2.14.1
Driver 36
S12 or later
3907 Version 2.14.0
Driver 32
S53 or later

The following list shows the minimal requirements of Crypto Express Network API for Secure Execution Enclaves partition:

  • 1 IFL
  • 6 GB RAM
  • 50 GB data storage

Configuring crypto express card/domain on Secure Service Container partition

For configuring crypto express card/domain on Secure Service Container partition, you can use specific tasks(crypto) on the Hardware Management Console (HMC) for a host system. For more information about the host system, see the appropriate overview, for example, for z15, see "IBM z15 Technical Introduction, SG24-8850" on the IBM Redbooks website.

To configure crypto express card/domain on Secure Service Container partition,

  1. Open the Customize/Delete Activation Profiles task.
  2. On the Customize Image Profiles page, select SSC mode.
  3. On the Crypto page, provide or modify any cryptographic controls (crypto express domain in EP11 mode).

Note: Confirm whether the crypto express domain is configured in the EP11 mode. For more information, see "Chapter 8 - Using the Crypto Module Notebook to administer EP11 crypto modules" from the Cryptographic Services ICSF Trusted Key Entry Workstation (TKE) User's Guide.