Changing LPAR cryptographic controls

Use the Change LPAR Cryptographic Controls task to make changes to the crypto configuration of an active partition without affecting the operating status of the partition. This allows you to update your crypto configuration without reactivating the logical partition. You can add cryptos to a partition, delete cryptos from a partition, and/or move a crypto from one partition to another using the following task:

Figure 1. Change LPAR Cryptographic Controls task
Change LPAR cryptographic controls
There are requirements for adding, removing and moving a crypto:
  • The crypto that is assigned to this partition must be configured offline before the removal of the crypto from the partition can be done. If the crypto was operating as a coprocessor, and a removal of a crypto is being done, the user is given the opportunity to remove the cryptographic keys from the partition associated with the selected usage domain, using the usage domain zeroize function.
  • If the crypto is not online to the partition, but the associated PCHID is online and operating, the usage domain zeroize action can immediately be done. If the crypto assigned to the partition and the PCHID are both offline, the usage domain zeroize action will be pending until the next time this crypto is brought online.
  • To move a crypto from one partition to another requires you to perform two steps.
    • Remove the crypto from the first partition.
    • Then, add it to the second partition.
  • After a crypto is added to a partition, the crypto needs to be brought online using the Configure On/Off task.
Note: Changes made using the Change LPAR Cryptographic Controls task can be made to both active and inactive partitions. When performed on an inactive partition, the changes are made to the image activation profile, since the partition is not active.

The cryptographic assigned domains table displays the current settings of the usage domain indexes and control domain indexes which can be modified in the logical partition and the image profile.

Control Domain
A logical partition's control domains are those cryptographic domains for which remote secure administration functions can be established and administered from this logical partition. This logical partition's control domains must include its usage domains. For each index selected in the usage domain index list, you must select the same index in the control domain index list.
Control and Usage Domain
A logical partition's usage domains are domains in the cryptos that can be used for cryptographic functions. The usage domains cannot be removed if they are in use by the partition. The usage domains you select for this logical partition must also be selected in the control domain index.

The assigned crypto table displays the current settings of the cryptographic candidate list and cryptographic online list settings which can be modified in the logical partition and/or the image profile:

Candidate
The candidate list identifies which cryptos are eligible to be assigned to the active logical partition. If a card is not installed in the slot, it will not be available to the logical partition. However, if a card is installed in a slot specified in the candidate list, it can immediately be made available to the logical partition.
Candidate and Online
The online list identifies which cryptos will be brought online at the next activation. Changes to the online list do not affect the running system.

To commit your changes, use one of the following:

Save to Profiles
Select this if you want new settings to take effect whenever the logical partition is activated with the modified profile. This changes the cryptographic settings in the logical partition's image profile. The settings take effect whenever the logical partition is activated with its image profile.
Change Running System
Select this if you want the new settings to take effect in the active logical partition immediately. This changes the cryptographic settings in the logical partition without reactivating the partition. The new settings remain in effect for the logical partition until you either dynamically change the settings again or reactivate the partition.
Note: This button can be used for an active logical partition only. For an inactive partition, this button is disabled.
Save and Change
Select this if you want the new settings to take effect immediately and whenever the logical partition is activated with the modified profile. Save and Change:
  • Saves a logical partition's cryptographic control settings in its image profile. The settings take effect whenever the logical partition is activated with its image profile.
  • Changes the cryptographic settings in the logical partition without reactivating the partition. The new settings remain in effect for the logical partition until you either dynamically change the settings again or reactivate the partition.
Note: This button can be used for an active logical partition only. For an inactive partition, this button is disabled.
Reset
Select this to revert the settings back to their original values.

When a crypto with it's associated usage domains are removed from a partition, this partition no longer has access to the cryptographic keys. But if this crypto is then assigned to a different partition utilizing the same usage domains as before, then this new partition will have access, possibly unintentional access, to the cryptographic keys. Therefore, when a crypto is removed from an active partition, the Usage Domain Zeroize window is displayed, providing the opportunity to clear the cryptographic keys associated with the given usage domain(s).

Figure 2. Usage domain zeroize
Usage domain zeroize
Figure 3. Message received from change LPAR cryptographic controls
Message received from change LPAR cryptographic controls
Note: If the crypto device you remove is the last remaining one, a caution displays that all cryptographic candidates have been removed from the partition, which removes the partition's access to all cryptos.