Default role contents
Read about the purpose and characteristics of the default role.
The default role of a CEX*C coprocessor is the role under which a domain is accessed; the verbs that can be processed in that domain are those permitted by the access control point (ACP) list assigned to the role. Using the TKE, you can adapt the default role of each domain that you want to access to your needs, so that there is one default role per domain. The name that applies to the default role of a domain is derived from the domain number.
There are two variants for naming the default role for a domain on an S390 system: DEFALTXX and DFLTXXXX, where XX or XXXX stands for a multi-digit decimal number giving the domain number. The DFLTXXXX naming scheme was introduced with z13® machines. For example, DFLT0052 is the default role ID for domain 52 on a z13 (CEX5C) or on a z14 (CEX6C).
The role ID names are always 8 characters, ASCII. Role names on some platforms and through some interfaces may end with ASCII space characters (0x20), therefore every input mechanism is designed to explicitly allow space characters.
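The following Python helper is an added example, not IBM code and not part of the TKE or CCA tooling: it builds the default role ID for a domain in either naming variant and recognises such an ID when it is read back, honouring the 8-character ASCII rule and the trailing 0x20 padding described above. The function names, the zero-padding of the digit field (DFLT0052 shows it for the four-digit form; it is assumed for the two-digit form), and the numeric upper bounds, which are limits of the name format rather than of any machine, are this example's own assumptions.

```python
# Added example (not IBM, TKE or CCA code): build and parse the default
# role ID of a CEX*C domain in the DEFALTXX and DFLTXXXX naming schemes.
import re

ROLE_ID_LEN = 8  # role IDs are always 8 ASCII characters

# Assumed: digit field is zero-padded in both schemes (as in DFLT0052).
_DEFALT_RE = re.compile(r"^DEFALT(\d{2})$")   # pre-z13 scheme, e.g. DEFALT52
_DFLT_RE = re.compile(r"^DFLT(\d{4})$")       # z13 and later, e.g. DFLT0052


def normalize_role_id(role_id: str) -> str:
    """Validate a role ID as entered through TKE or a CLI and pad it to 8.

    Names shorter than 8 characters are padded with ASCII spaces (0x20),
    and some interfaces hand the padded form back, so both are accepted.
    Anything that is not printable ASCII, or longer than 8, is rejected.
    """
    if not role_id.isascii() or not role_id.isprintable():
        raise ValueError("role ID must be printable ASCII")
    if len(role_id) > ROLE_ID_LEN:
        raise ValueError(f"role ID longer than {ROLE_ID_LEN} characters")
    return role_id.ljust(ROLE_ID_LEN)


def default_role_id(domain: int, scheme: str = "DFLT") -> str:
    """Return the default role ID of a domain in the given scheme.

    scheme="DEFALT" gives DEFALTXX (two decimal digits, so domains 0..99);
    scheme="DFLT" gives DFLTXXXX (four decimal digits), the form introduced
    with z13. The ranges are what the 8-character name can encode, not a
    statement about how many domains a machine has (assumption).
    """
    if scheme == "DEFALT":
        if not 0 <= domain <= 99:
            raise ValueError("DEFALTXX can only name domains 0..99")
        role = f"DEFALT{domain:02d}"
    elif scheme == "DFLT":
        if not 0 <= domain <= 9999:
            raise ValueError("DFLTXXXX can only name domains 0..9999")
        role = f"DFLT{domain:04d}"
    else:
        raise ValueError("scheme must be 'DEFALT' or 'DFLT'")
    assert len(role) == ROLE_ID_LEN  # both forms fill the 8 characters exactly
    return role


def parse_default_role(role_id: str):
    """Return (scheme, domain) if role_id is a default role ID, else None.

    Trailing pad spaces are stripped first, so IDs read back from an
    interface that pads with 0x20 are still recognised.
    """
    name = normalize_role_id(role_id).rstrip(" ")
    for scheme, pattern in (("DEFALT", _DEFALT_RE), ("DFLT", _DFLT_RE)):
        match = pattern.match(name)
        if match:
            return scheme, int(match.group(1))
    return None


if __name__ == "__main__":
    # Constructed sample role IDs, as a role listing might present them.
    for rid in ("DFLT0052", "DEFALT52", "ADMIN   ", "TKE"):
        padded = normalize_role_id(rid)
        print(repr(padded), parse_default_role(rid))
```

Reject-on-length rather than silently truncating is deliberate: a 9-character name that "mostly" matches a default role ID is more likely an input error than a valid role, and silently mapping it onto a domain's default role would grant the wrong ACP list.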
# panel.exe --list-roles
The default role has the following characteristics:
- The required authentication strength level is zero.
- The role is valid at all times and on all days of the week.
- The only functions that are permitted are those related to access control initialization. This guarantees that the owner initializes the coprocessor before any cryptographic work can be done, and prevents the security failure in which unrestricted default authority is left intact when the system is put into service.