Assigning adapters and domains to LPARs

After you set up the Crypto Express adapter in the Support Element, you must allow access to it from your LPAR. You achieve this by using the Hardware Management Console (HMC) or the Support Element (SE).

You can define a certain LPAR to use a domain (or multiple domains) as a usage domain and as a control domain, or as a control domain only. You can retrieve this information from the Support Element. Each adapter supports 16 domains (see Figure 1). The selected domains apply to all selected adapters. For a more detailed information about planning the cryptographic configuration, see IBM System z10 Enterprise Class Configuration Setup, SG24-7571.
Figure 1. Cryptographic configuration for LPAR A2A

Cryptographic configuration for LPAR A2A
In Figure 1, LPAR A2A is defined to use and control the cryptographic domain number 11. It is also allowed to access the crypto adapters numbers 0 and 7. They are brought online if they are present in the system, if the LPAR is activated, and if the zcrypt device driver is loaded.

Linux™ kernels earlier than version 4.9 can only use one crypto domain at a given time. In that case, if the LPAR contains multiple domains, the kernel selects the default domain. Also, if for these kernel versions you want to use a different default domain, you need to specify this domain as a parameter when loading the ap main module of the zcrypt device driver.