IBM Crypto Express2 feature configuration

These instructions were used to set up the IBM® Crypto Express2 feature on the IBM System z10™ for the JSSE study.

The IBM Crypto Express2 feature provides two PCI-X processors, which are also referred to as adapters. These two processors can be configured in one of three modes:
  • Coprocessors
  • Accelerators
  • One coprocessor and one accelerator
With Linux®, the accelerator mode provides the best performance. See this Web page:

http://www.ibm.com/developerworks/linux/linux390/perf/tuning_res_security_crypto.html

The mode is selected from the Hardware Management Console (HMC) in Single Object Operations mode, when configuring the cryptographic feature at the CEC level:
  1. From the HMC, click System Management > Servers.
  2. Select the name of your server.
  3. Click Single Object Operations.
  4. Enter the Support Element (SE).
  5. In the SE, click System Management > CPC Configuration > Cryptographic Configuration > Crypto Type Configuration.
Figure 1 shows the configuration used for the testing.
Figure 1. Cryptographic hardware configuration: Definition of cryptographic configuration mode
Screen capture of HMC cryptographic configuration mode. Every cryptographic device is listed, with its status, type, serial number, UDX status, and TKE Commands.

The system used for the testing has two cryptographic features. All four processors are set in accelerator mode. The two processors from one feature are assigned to one LPAR with the HMC, by selecting processors and domains for that LPAR. Select Partition > CPC Configuration > Customize/Delete Activation Profiles > Crypto.

Figure 2 shows the IBM Crypto Express2 configuration for an LPAR.
Figure 2. HMC: IBM Crypto Express2 configuration for an LPAR
Screen capture of the IBM Crypto Express2 configuration for an LPAR.

There are 16 possible Control and Usage domains. The Hardware Management Console (HMC) requires the selection of these domains to configure the Linux LPAR to use a cryptographic processor. The processors are then selected from the Cryptographic Candidate list on the HMC Cryptographic configuration panel. The same two are selected on the Cryptographic Online list. The configuration is repeated for the other IBM System z® LPAR. The two processors from each IBM Crypto Express2 feature were accessed using the same control and usage domains (see Figure 2). The Linux device drivers handle only one active domain.

These steps reserve an entire IBM Crypto Express2 feature with its two processors for each LPAR. The two cryptographic processors are managed by the openCryptoki function in one slot, and the workload is balanced automatically by the driver.

The entire IBM Crypto Express2 feature is reserved exclusively for one LPAR due to the requirements of the performance test. This setup ensures that no other workloads influence the results. This setup does not necessarily represent a best practice for a production environment.
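
To confirm from the Linux side that an LPAR sees both assigned processors online in accelerator mode, and which single domain the driver is using, a check like the following can be run. This is an added example, not part of the original instructions: the function name is hypothetical, and it assumes the zcrypt AP bus sysfs layout (`/sys/bus/ap/devices/cardNN/type`, `online`, and `/sys/bus/ap/ap_domain`) and that accelerators report the type string `CEX2A`.

```shell
# Added example: verify that the adapters assigned on the HMC are visible to Linux.
# Assumption: the AP bus exposes each adapter as <root>/devices/cardNN with
# "type" and "online" attributes, and the active domain in <root>/ap_domain.

# check_ap_config ROOT WANT_TYPE WANT_COUNT
# Prints one line per adapter. Returns 0 only if exactly WANT_COUNT adapters
# are present and every one is online and of WANT_TYPE; returns 2 if the AP
# bus directory is missing, 1 for any other mismatch.
check_ap_config() {
    root=$1
    want_type=$2
    want_count=$3
    count=0
    bad=0

    if [ ! -d "$root/devices" ]; then
        echo "no AP bus at $root (driver not loaded or no adapters assigned)" >&2
        return 2
    fi

    for card in "$root"/devices/card*; do
        [ -d "$card" ] || continue    # glob matched nothing
        count=$((count + 1))
        ctype=$(cat "$card/type" 2>/dev/null || echo unknown)
        online=$(cat "$card/online" 2>/dev/null || echo 0)
        echo "${card##*/}: type=$ctype online=$online"
        # A coprocessor (or an offline adapter) means the HMC profile and
        # the crypto type configuration do not match the intended setup.
        [ "$ctype" = "$want_type" ] || bad=$((bad + 1))
        [ "$online" = "1" ] || bad=$((bad + 1))
    done

    # The driver handles only one active domain; report which one it chose.
    if [ -r "$root/ap_domain" ]; then
        echo "active domain: $(cat "$root/ap_domain")"
    fi

    [ "$count" -eq "$want_count" ] && [ "$bad" -eq 0 ]
}

# Call for the LPAR setup described above (two accelerators per LPAR):
#   check_ap_config /sys/bus/ap CEX2A 2
```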