You must have an IBM® 4765 Crypto Express4 feature or higher that is configured as an EP11 coprocessor, and that is initialized and personalized in your z/VM® guest or LPAR. Read this topic to learn how to check for the existence of a suitably configured CEX*P adapter (CEX4P or higher), and how to configure this adapter if it is not yet available.
About this task
A CEX*S Crypto Express card configured in Enterprise PKCS #11 coprocessor mode (EP11 coprocessor mode for short) is also called a Crypto Express EP11 coprocessor (CEX*P). Such a coprocessor, installed in your z/VM guest or LPAR, is a prerequisite for using the functions of the EP11 library. This procedure shows you how to turn a CEX*S Crypto Express adapter into a CEX*P adapter by enabling the installed EP11 firmware from the Support Element.
Procedure
Check whether your CEX*S Crypto Express card is already plugged in and enabled, and validate its model and type configuration (accelerator or coprocessor). To check, enter the lszcrypt command and examine the output:
If the output of the lszcrypt command in step 1 does not show a CEX<n>P adapter (where <n> is 4 or higher), determine the reason. If a CEX*S card is correctly assigned to the LPAR or z/VM guest in which Linux is running, but no CEX<n>P is shown, then you must activate the EP11 firmware on the CEX*S adapter.
For this purpose, log on to the Support Element with a user ID that has the required access rights. You can either work directly on the Support Element or use its web interface.
In the System Management window, select the CPC that holds the CEX*S adapter that you want to configure. In the sample screen in Figure 1, the selected CPC is M35.
Figure 1. System Management in the Support Element
Select Cryptos from the navigation area on the left of the dialog to get
a list of installed adapters as shown in Figure 2.
Figure 2. System Management - installed crypto adapters
Select the crypto card to be changed (in this scenario, a CEX6 coprocessor with PCHID 01DC and ID 11), and then select Configure On/Off from the Crypto Service Operations to reach the view shown in Figure 3.
Figure 3. System Management - configure LPARs off
Select all LPARs in which this adapter is configured online (if any), as shown in Figure 3. The Crypto Express adapter must be configured offline in all LPARs before you can change the configuration type. For this purpose, select Toggle from the Select Action pull-down to switch to the desired state, and then press OK to apply the change. In the next dialog, you need to confirm the intended action, because it can be disruptive for processes in the affected LPARs.
Finally, you return to the view shown in Figure 2, where the selected adapter is now shown as stopped.
Navigate back to the System Management window (Figure 1). Scroll down and select Cryptographic Configuration from the Configuration menu on the right-hand side. This leads to the dialog shown in Figure 4.
Figure 4. System Management - Cryptographic Configuration
Press Crypto Type Configuration in the dialog shown in Figure 4. This brings you to the dialog shown in Figure 5.
Figure 5. System Management - Crypto Type Configuration
Select EP11 Coprocessor and press OK.
This action turns the adapter into a CEX*P adapter that runs the EP11 firmware. Note also that TKE commands are always permitted for a CEX*P adapter, so that it can communicate with the TKE daemon ep11TKEd.
Now select the LPARs that you want to allow to access and use the reconfigured adapter. For these LPARs, you need to configure the reconfigured adapter back online. To do so, return to the dialog shown in Figure 3 and toggle the status of the adapter for each such LPAR back to online.
A restart of z/VM or the LPAR is required to activate the reconfiguration. For z/VM, first check that the correct definitions have been applied to the EP11 coprocessor card. For LPARs, whether they run z/VM or Linux, you must also add the reconfigured adapter to the activation profile. Then deactivate and activate the LPAR and perform an IPL of Linux on that LPAR, or perform an IPL of z/VM and then start the guests that use the reconfigured adapter.
Optionally, you can use the chzcrypt command to enable (online state) and disable (offline state) the IBM crypto adapter. Run it with root authority, because it changes the adapter state through sysfs:
$ chzcrypt -e 0x06    # set card06 online
$ chzcrypt -d 0x06    # set card06 offline
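The check from steps 1 and 2 (is there a CEX<n>P adapter with <n> of 4 or higher?) together with the chzcrypt online toggle, as an added shell example that is not part of this IBM page or of s390-tools. It assumes the tabular lszcrypt layout (CARD.DOMAIN, TYPE, MODE, STATUS, ... columns) and the older "cardNN: TYPE" layout; the embedded sample output is constructed, and the script falls back to it when lszcrypt is not installed, so it runs offline. On a real Linux on Z system, chzcrypt is invoked only for EP11 cards that are currently offline.

```shell
#!/bin/sh
# Added example (not IBM's code): list CEX4P-or-higher EP11 coprocessors in
# lszcrypt output and bring the offline ones online with chzcrypt.
set -eu

# Constructed sample in the tabular lszcrypt layout (not real output).
SAMPLE_LSZCRYPT='CARD.DOMAIN TYPE  MODE        STATUS  REQUESTS  PENDING HWTYPE QDEPTH FUNCTIONS  DRIVER
--------------------------------------------------------------------------------------
00          CEX6C CCA-Coproc  online         3        0     12     08 S--D--N--  cex4card
00.0011     CEX6C CCA-Coproc  online         3        0     12     08 S--D--N--  cex4queue
03          CEX5P EP11-Coproc online         9        0     11     08 -----XN--  cex4card
03.0011     CEX5P EP11-Coproc online         9        0     11     08 -----XN--  cex4queue
06          CEX6P EP11-Coproc offline        0        0     12     08 -----XN--  cex4card
06.0011     CEX6P EP11-Coproc offline        0        0     12     08 -----XN--  cex4queue
0b          CEX5A Accelerator online        17        0     11     08 S--D--N--  cex4card
0b.0011     CEX5A Accelerator online        17        0     11     08 S--D--N--  cex4queue'

# ep11_cards: read lszcrypt output on stdin and print "<card-id> <type> <status>"
# for every card (not domain) row whose type is CEX<n>P with n >= 4.
ep11_cards() {
    awk '
        # tabular layout: card rows have a plain hex id in column 1 (domain
        # rows carry "card.domain"), the type in column 2, the status in column 4
        $1 ~ /^[0-9a-fA-F]+$/ && $2 ~ /^CEX[0-9]+P$/ {
            if (substr($2, 4, length($2) - 4) + 0 >= 4) print $1, $2, $4
        }
        # older "cardNN: TYPE" layout, which has no status column
        $1 ~ /^card[0-9a-fA-F]+:$/ && $2 ~ /^CEX[0-9]+P$/ {
            if (substr($2, 4, length($2) - 4) + 0 >= 4)
                print substr($1, 5, length($1) - 5), $2, "unknown"
        }'
}

# ep11_count: number of EP11 coprocessors (CEX4P or higher) in the given output.
ep11_count() {
    printf '%s\n' "$1" | ep11_cards | wc -l | tr -d ' '
}

# bring_online: for each EP11 card that is not online, run chzcrypt -e (or,
# when chzcrypt is not installed, print the command that would be run).
bring_online() {
    printf '%s\n' "$1" | ep11_cards | while read -r id type status; do
        if [ "$status" = online ]; then
            continue
        fi
        if command -v chzcrypt >/dev/null 2>&1; then
            chzcrypt -e "0x$id"
        else
            echo "would run: chzcrypt -e 0x$id   # $type currently $status"
        fi
    done
}

if command -v lszcrypt >/dev/null 2>&1; then
    LSZ_OUT=$(lszcrypt)          # real adapters of this Linux guest or LPAR
else
    LSZ_OUT=$SAMPLE_LSZCRYPT     # offline: fall back to the constructed sample
fi

if [ "$(ep11_count "$LSZ_OUT")" -eq 0 ]; then
    echo "no CEX4P-or-higher adapter found: enable the EP11 firmware on the Support Element" >&2
else
    bring_online "$LSZ_OUT"
fi
```

The type filter deliberately rejects CCA coprocessors (CEX*C) and accelerators (CEX*A): only a CEX*P card carries the EP11 firmware, and the EP11 library cannot use the other modes.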
For more information about the IBM
crypto adapter, see Device Drivers, Features, and
Commands, SC33-8411 available at
Now that the EP11 firmware has been enabled on your cryptographic coprocessor, the card has become a so-called CEX*P coprocessor, which can take advantage of the Linux on Z EP11 enablement. To check the capabilities of a configured adapter, use the lszcrypt -c <card-number> command:
If you work with the available session modes (strict session mode or virtual HSM mode) as described in Controlling access to cryptographic objects, a unique EP11 session ID is generated for each session and is stored as a pin-blob (binary large object) in the coprocessor domain. A Crypto Express EP11 coprocessor offers storage for up to 1024 nonces or pin-blobs, shared among all domains defined on the coprocessor.
If multiple EP11 cryptographic coprocessors in your environment are configured with different levels of the EP11 firmware (the module part of the EP11 library), then the EP11 token provides only those features that the CEX*P EP11 coprocessor with the lowest firmware level provides.