Security parameter descriptions

The following logical partition reset or image profile security options can be defined.

Partition security options:

Global performance data control
Select this option to allow the LP to view the CPU utilization data and the Input/Output Processor (IOP) data for all LPs in the configuration. Not selecting this option only allows the LP to view its own CPU utilization data. Additionally, gathering of FICON® channel measurements requires selection of this parameter. The default is selected.
Note: An LP running a level of RMF that supports FICON requires control authority even if no FICON is installed.
Input/output (I/O) configuration control
Select this option to allow the LP to read or write any IOCDS in the configuration and to make dynamic I/O changes. Additionally, this parameter allows the OSA Support Facility for z/OS®, z/VM®, and 21CS VSEn to control OSA configuration for other LPs. Access to certain STP data is also managed by this option. The default is selected. If a z/VM guest image is managed as a virtual server in an ensemble, you must enable the Input/Output (I/O) configuration control option.
Cross partition authority
Select this option to allow the LP to issue control program commands that affect other LPs; for example, perform a system reset of another LP, deactivate an LP, or provide support for the automatic reconfiguration facility. The default is not selected.
Logical partition isolation
Select this option to reserve unshared reconfigurable channel paths for the exclusive use of the LP. The default is not selected.

BCPii Permissions:

Enable the partition to send commands
Select this option enable the selected partition to send BCPii commands. When selected, the active logical partition can send BCPii commands to other active logical partitions.
Enable the partition to receive commands from other partitions
Select this option to enable the selected partition to receive BCPii commands from other partitions. When selected, the active logical partition can receive BCPii commands from other active logical partitions.
All partitions
Select this option if you want the selected logical partition to receive BCPii commands from all the active logical partitions.
Selected partitions
Select this option if you want to remove or add selected logical partitions to receive BCPii commands from the logical partition.
Add
To add a system and logical partition to receive BCPii commands from the logical partition, click Add.
Remove
To remove a selected logical partition to receive BCPii commands from the logical partition, click Remove.

Counter facility security options:

Basic counter set authorization control
Select this option to authorize the use of the basic counter set. This set includes counts of central processing unit cycles, instructions executed, and directory-write and penalty cycles for level-1 instruction and data caches.
Problem state counter set authorization control
Select this option to authorize the use of the problem state counter set. This set includes counts of central processing unit cycles, instructions executed, and directory-write and penalty cycles for level-1 instruction and data caches only when the processor is in problem state.
Crypto activity counter set authorization control
Select this option to authorize the use of the crypto activity counter set. This set includes counters for a central processing unit related to PRNG, SHA, DEA, AES, and ECC function counts.
Extended counter set authorization control
Select this option to authorize the use of the extended counter set. The extended counters provide information about hardware facilities and structures that are specific to a machine family. The extended counters are designed to expand upon information provided by the Basic Counter Set.

Sampling facility security options:

Basic sampling authorization control
Select this option to authorize the use of the basic sampling function. Samples are taken and stored at the end of each sampling interval.
Diagnostic sampling authorization control
Select this option to authorize the use of the diagnostic sampling function. Samples are taken and stored at the end of each diagnostic interval.

CPACF key management operations:

Permit AES key functions
If the CPACF feature is installed, this option displays. Select this option to allow an Advanced Encryption Standard (AES) key to be wrapped using the CPACF TDES wrapping key.
Permit DEA key functions
If the CPACF feature is installed, this option displays. Select this option to allow a Data Encryption Algorithm (DEA) key to be wrapped using the CPACF TDES wrapping key.
Permit ECC key functions
If the CPACF feature is installed, this option displays. Select this option to allow a Elliptical Curve Cryptography (ECC) key to be wrapped using the CPACF TDES wrapping key.
Permit HMAC key functions
If the CPACF feature is installed, this option displays. Select this option to allow a Hash-Based Message Authentication Code (HMAC) key to be wrapped using the CPACF TDES wrapping key.