Security parameter descriptions
The following logical partition reset or image profile security options can be defined.
Partition security options:
- Global performance data control
- Select this option to allow the LP to view the CPU utilization
data and the Input/Output Processor (IOP) data for all LPs in the
configuration. Not selecting this option only allows the LP to view
its own CPU utilization data. Additionally, gathering of FICON® channel measurements requires
selection of this parameter. The default is selected. Note: An LP running a level of RMF that supports FICON requires control authority even if no FICON is installed.
- Input/output (I/O) configuration control
- Select this option to allow the LP to read or write any IOCDS in the configuration and to make dynamic I/O changes. Additionally, this parameter allows the OSA Support Facility for z/OS®, z/VM®, and 21CS VSEn to control OSA configuration for other LPs. Access to certain STP data is also managed by this option. The default is selected. If a z/VM guest image is managed as a virtual server in an ensemble, you must enable the Input/Output (I/O) configuration control option.
- Cross partition authority
- Select this option to allow the LP to issue control program commands that affect other LPs; for example, perform a system reset of another LP, deactivate an LP, or provide support for the automatic reconfiguration facility. The default is not selected.
- Logical partition isolation
- Select this option to reserve unshared reconfigurable channel paths for the exclusive use of the LP. The default is not selected.
BCPii Permissions:
- Enable the partition to send commands
- Select this option enable the selected partition to send BCPii commands. When selected, the active logical partition can send BCPii commands to other active logical partitions.
- Enable the partition to receive commands from other partitions
- Select this option to enable the selected partition to receive BCPii commands from other
partitions. When selected, the active logical partition can receive BCPii commands from other active
logical partitions.
- All partitions
- Select this option if you want the selected logical partition to receive BCPii commands from all the active logical partitions.
- Selected partitions
- Select this option if you want to remove or add selected logical partitions to receive BCPii
commands from the logical partition.
- Add
- To add a system and logical partition to receive BCPii commands from the logical partition, click Add.
- Remove
- To remove a selected logical partition to receive BCPii commands from the logical partition, click Remove.
Counter facility security options:
- Basic counter set authorization control
- Select this option to authorize the use of the basic counter set. This set includes counts of central processing unit cycles, instructions executed, and directory-write and penalty cycles for level-1 instruction and data caches.
- Problem state counter set authorization control
- Select this option to authorize the use of the problem state counter set. This set includes counts of central processing unit cycles, instructions executed, and directory-write and penalty cycles for level-1 instruction and data caches only when the processor is in problem state.
- Crypto activity counter set authorization control
- Select this option to authorize the use of the crypto activity counter set. This set includes counters for a central processing unit related to PRNG, SHA, DEA, AES, and ECC function counts.
- Extended counter set authorization control
- Select this option to authorize the use of the extended counter set. The extended counters provide information about hardware facilities and structures that are specific to a machine family. The extended counters are designed to expand upon information provided by the Basic Counter Set.
Sampling facility security options:
- Basic sampling authorization control
- Select this option to authorize the use of the basic sampling function. Samples are taken and stored at the end of each sampling interval.
- Diagnostic sampling authorization control
- Select this option to authorize the use of the diagnostic sampling function. Samples are taken and stored at the end of each diagnostic interval.
CPACF key management operations:
- Permit AES key functions
- If the CPACF feature is installed, this option displays. Select this option to allow an Advanced Encryption Standard (AES) key to be wrapped using the CPACF TDES wrapping key.
- Permit DEA key functions
- If the CPACF feature is installed, this option displays. Select this option to allow a Data Encryption Algorithm (DEA) key to be wrapped using the CPACF TDES wrapping key.
- Permit ECC key functions
- If the CPACF feature is installed, this option displays. Select this option to allow a Elliptical Curve Cryptography (ECC) key to be wrapped using the CPACF TDES wrapping key.
- Permit HMAC key functions
- If the CPACF feature is installed, this option displays. Select this option to allow a Hash-Based Message Authentication Code (HMAC) key to be wrapped using the CPACF TDES wrapping key.