crypto-configuration object properties

The crypto configuration of a partition represents the elements that are required to enable the partition to make use of crypto adapters. The configuration is a nested structure, containing two pieces of information:

  • A set of crypto adapters that will be used by this partition, and
  • A set of Crypto Domain Configuration objects. (See Table 2.)

A crypto configuration that contains no crypto adapters and no crypto domain configurations is valid and is known as an empty crypto configuration. A non-empty configuration must contain at least 1 crypto adapter and at least 1 crypto domain configuration with an access-mode of "control-usage".

Table 1. crypto-configuration nested object properties
Name Type Description
crypto-adapter-uris Array of String/ URI Array of URIs listing all crypto adapters that this partition can use.
crypto-domain-configurations Array of crypto-domain-configuration objects Array listing all crypto-domain-configuration objects for this partition. See Table 2.
Table 2. crypto-domain-configuration nested object properties
Name Type Description
domain-index Integer Index value that identifies the domain to which this configuration applies.

Minimum index is 0, maximum index depends on the CPC model.

access-mode String Enum Specifies the way in which the partition can use this domain. Valid values are:
  • "control" - The partition can load cryptographic keys into the domain, but it may not use the domain to perform cryptographic operations.
  • "control-usage" - The partition can load cryptographic keys into the domain, and it can use the domain to perform cryptographic operations.

Crypto configuration conflicts

A crypto configuration conflict occurs when the crypto configuration of two (or more) partitions:
  1. Have one (or more) adapter(s) in common, and
  2. Specified "control-usage" for one (or more) identical domain index(es).

No more than one of the partitions involved in a given crypto configuration conflict may be active or have reserved resources at any one point in time.

According to this definition, the crypto configuration of two partitions can have multiple conflicts (regarding different adapters and/or different domains).

It is also possible for a partition to be involved in conflicts with multiple other partitions. For example, Partition A has 3 crypto adapters in its configuration. Partition B has 2 of those and Partition C has the other one. Assuming they all have a control-usage domain in common, Partition A is now involved in a conflict with Partition B and a separate conflict with Partition C.

Such conflicts are only allowed for partitions that are in "stopped" state, and without reserved resources. That means the system will prevent the creation of conflicting crypto configuration for the set of active partitions, and the set of "stopped" partitions that have reserve-resources enabled.