CRYPTO Directory Statement
Purpose
The CRYPTO statement provides the virtual machine access to crypto resources.
How to Specify
The CRYPTO statement is allowed in user, identity, and subconfiguration entries. If specified, it must appear before any device statements. (For a list of device statements, see Table 1.)
A CRYPTO APVIRTUAL statement in a profile is allowed as long as APVIRTUAL is not specified on CRYPTO statements in the user or identity entry. In this case, the APVIRTUAL specified in the profile is added to the CRYPTO definition in the user or identity entry. However, when a subconfiguration entry includes CRYPTO statements, the CRYPTO APVIRTUAL statement in the profile is ignored and does not modify the CRYPTO definition in the subconfiguration entry.
A CRYPTO statement in a subconfiguration entry completely overrides one in the identity entry.
You can specify more than one CRYPTO directory statement to assign dedicated crypto resources to the virtual machine. After an initial DOMAIN value is specified, more domains and dedicated adapters (APDEDICATED) can be specified on additional CRYPTO directory statements.
You can assign dedicated (APDEDICATED) or shared (APVIRTUAL) crypto resources but not both to a virtual machine.
If you specify a dedicated (APDEDICATED) resource, you cannot specify shared (APVIRTUAL) resources on any CRYPTO directory statements. If you specify a shared (APVIRTUAL) resource, you cannot specify dedicated (APDEDICATED) resources on any CRYPTO directory statements.
In order for a virtual machine to obtain dedicated access to crypto resources, every specified domain on a specified adapter must be available for dedicated use by this virtual machine at logon time. If one or more domains on an adapter are not available for dedicated use by this virtual machine, then none of the domains on the adapter are assigned to the virtual machine.
Operands
- DOMAIN domains
- specifies up to 256 domains that the virtual machine can use. Valid domain numbers are 0-255, specified in decimal format. The domain numbers can be specified in any order, but must not be duplicated. The DOMAIN operand can be specified on more than one CRYPTO statement.
If the DOMAIN and APVIRTUAL operands are specified, the DOMAIN operand yields no dedicated crypto resource. See usage note 5.
- APDEDicated aps
- specifies up to 256 crypto adapters that the virtual machine can use for dedicated access. Valid adapter numbers are 0-255, specified in decimal format. The adapter numbers can be specified in any order, but must not be duplicated.
An APDEDICATED operand cannot be specified before a DOMAIN operand is specified. The DOMAIN operand can be on the same CRYPTO statement as the APDEDICATED operand or on a previous CRYPTO statement.
The APDEDICATED operand cannot be specified if the APVIRTUAL operand is specified.
All domains that are specified on all valid CRYPTO statements are assigned to the virtual machine for all crypto adapters that are specified on all valid CRYPTO statements.
The specified crypto adapters must be selected from the set of cryptos that are selected on the Cryptographic Online List. The Cryptographic Online List must be on the Crypto Image Profile Page for the logical partition in which z/VM® is running. The specified DOMAIN values must be selected from the set of domains that are selected on the Usage Domain Index selections on the Crypto Image Profile Page for the Logical Partition. For more information about the Crypto Image Profile Page, see the Processor Resource/Systems Manager Planning Guide, SB10-7169.
- APVIRTual
- tells CP that this virtual machine can access the system's shared crypto resources.
If APVIRTUAL is specified, then it must be the only CRYPTO statement in the user's directory entry.
If the DOMAIN and APVIRTUAL operands are specified, the DOMAIN operand yields no dedicated crypto resource, and the APVIRTUAL operand might be processed. See usage note 5.
Usage Notes
- A specific crypto resource is identified with a crypto adapter number and a domain number.
- A domain is dedicated to a user on all APs that are assigned to the user. For example, assume that a virtual machine uses the following CRYPTO user directory statements:
  CRYPTO DOMAIN 3 4 APDEDICATED 1
  CRYPTO DOMAIN 2
  CRYPTO APDEDICATED 9
  If all the specified domains are available on all the specified crypto adapters, then the following crypto resources are assigned to the virtual machine for dedicated use:
  AP 1 Domain 2
  AP 1 Domain 3
  AP 1 Domain 4
  AP 9 Domain 2
  AP 9 Domain 3
  AP 9 Domain 4
  See also the examples in ATTACH.
- Only one virtual machine should be given dedicated access to a specific crypto resource at a time. It might be useful to have more than one virtual machine with the same crypto definition in the user directory in order to provide backup configurations. In this case, the first virtual machine that logs on receives use of the specified crypto resources. Virtual machines that could be logged on at the same time should not be defined with overlapping crypto definitions. The combination of the APDEDICATED number with the DOMAIN number should be unique across all active crypto users in the user directory.
- It is recommended that multiple CRYPTO statements for a user be specified contiguously in the virtual machine definition.
- When APVIRTUAL and DOMAIN operands are both specified, the following results can occur:
- If the DOMAIN operand includes a domain number, then the user gets the APVIRTUAL capability and the DOMAIN operand is ignored. The DOMAIN operand is tolerated but ignored to provide compatibility with earlier versions of z/VM.
- If the DOMAIN operand does not include a domain number, then an error message is issued. If the DOMAIN operand with no domain number is on a CRYPTO statement that also includes an APVIRT operand, then the APVIRT operand on that statement is not processed.
- The crypto adapters specified must be installed on the real processor. If a specified crypto adapter is not installed on the real processor at LOGON time, a message is issued that the adapter is not available.
- Although the CSU, KEYENTRY, SPECIAL, and MODIFY operands are not shown in the syntax for this statement, they are accepted for compatibility with previous versions. Such statements are ignored and do not update the user directory.
- Only a z/Architecture® virtual machine can use a crypto resource on a CEX adapter that is configured in EP11 coprocessor mode (CEX*P).
- In an SSI-enabled directory, CRYPTO APDEDICATED and DOMAIN statements can be specified in a SUBCONFIG entry. When used along with BUILD statements, this allows the specified domains on the specified APs to be attached to the virtual machine depending on which member of an SSI cluster the user logs onto. The crypto resources specified for APDEDICATED statements in all SUBCONFIG entries are treated as reserved for dedication on all members of an SSI cluster. Typically, the crypto APs and domains which are available on the processor will be different on each SSI member. However, if more than one member of the SSI cluster has crypto hardware with the same AP numbers and domain numbers that are specified in a SUBCONFIG entry, these members will see these adapters as reserved for dedication or dedicated and they will not be used for crypto sharing.
- If the crypto resources to be included in the shared pool are not specified on a CRYPTO APVIRTUAL statement in the system configuration file, CP will choose up to two shared crypto resources at CP initialization time. If CP chooses the shared crypto resources, it will not include resources that have been specified on a CRYPTO APDEDICATED directory statement. Crypto resources that are planned for dedication will not be included in the shared pool at CP initialization unless they are specified on a CRYPTO system config statement, overriding the CRYPTO APDED statements in the directory.
- For more information on planning and managing crypto resources on a z/VM system, see Crypto Planning and Management.
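The rules above (the DOMAIN x APDEDICATED cross product of usage note 2, the APVIRTUAL/DOMAIN interaction of usage note 5, the ordering and no-duplicates rules under Operands, and the per-adapter all-or-nothing rule under How to Specify) can be checked against a candidate directory entry before it is put on a live system. The following Python script is an added example written for this page; it is not IBM code and does not run on z/VM. It parses CRYPTO statements from strings, rejects the combinations the page says CP rejects, computes the dedicated set, and simulates the logon assignment given a constructed set of resources that are already shared or attached. The function names (parse_crypto, rejects, dedicated_requests, assign_at_logon), the input strings and the (ap, domain) sets are all constructed here; only the HCP1718I message wording is taken from the Examples section.

```python
"""Simulate how CP processes CRYPTO directory statements (added example, not IBM code).

Rules modelled from this page:
  * DOMAIN and APDEDICATED numbers are decimal 0-255 and must not be duplicated.
  * APDEDICATED may not appear before a DOMAIN has been given.
  * APDEDICATED and APVIRTUAL are mutually exclusive; DOMAIN alongside APVIRTUAL
    is tolerated but ignored, DOMAIN with no number is an error (usage note 5).
  * The dedicated set is every DOMAIN on every APDEDICATED adapter (usage note 2).
  * At logon an adapter is attached only if every requested domain on it is
    available; otherwise none of its domains are (HCP1718I for each domain).
All inputs (statements, unavailable resources) are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class CryptoDef:
    domains: list = field(default_factory=list)   # specification order is kept
    apded: list = field(default_factory=list)
    apvirt: bool = False
    warnings: list = field(default_factory=list)


def _take_numbers(tokens, start):
    """Return (decimal operands following tokens[start], index of next operand)."""
    vals, j = [], start + 1
    while j < len(tokens) and tokens[j].isdigit():
        if not 0 <= int(tokens[j]) <= 255:
            raise ValueError(f"{tokens[j]} is outside the valid range 0-255")
        vals.append(int(tokens[j]))
        j += 1
    return vals, j


def _add_unique(target, vals, what):
    for v in vals:
        if v in target:
            raise ValueError(f"duplicate {what} number {v}")
        target.append(v)


def parse_crypto(statements):
    """Parse all CRYPTO statements of one directory entry, in the order given."""
    d = CryptoDef()
    for stmt in statements:
        tok = stmt.split()
        if not tok or tok[0].upper() != "CRYPTO":
            raise ValueError(f"not a CRYPTO statement: {stmt!r}")
        i = 1
        while i < len(tok):
            op = tok[i].upper()
            vals, i = _take_numbers(tok, i)
            if op == "DOMAIN":
                if not vals:                                   # usage note 5b
                    raise ValueError("DOMAIN requires at least one domain number")
                _add_unique(d.domains, vals, "domain")
            elif len(op) >= 5 and "APDEDICATED".startswith(op):
                if d.apvirt:
                    raise ValueError("APDEDICATED cannot be combined with APVIRTUAL")
                if not d.domains:
                    raise ValueError("APDEDICATED specified before any DOMAIN")
                _add_unique(d.apded, vals, "adapter")
            elif len(op) >= 6 and "APVIRTUAL".startswith(op):
                if d.apded or vals:
                    raise ValueError("APVIRTUAL cannot be combined with APDEDICATED")
                d.apvirt = True
            else:
                raise ValueError(f"unknown CRYPTO operand {op}")
    if d.apvirt and d.domains:                                 # usage note 5a
        d.warnings.append("DOMAIN ignored because APVIRTUAL is specified")
    return d


def rejects(statements):
    """True if the statements violate one of the rules modelled above."""
    try:
        parse_crypto(statements)
    except ValueError:
        return True
    return False


def dedicated_requests(d):
    """Every DOMAIN on every APDEDICATED adapter (usage note 2)."""
    return set() if d.apvirt else {(ap, dom) for ap in d.apded for dom in d.domains}


def assign_at_logon(d, unavailable):
    """Apply the per-adapter all-or-nothing rule; returns (attached, messages)."""
    attached, msgs = set(), []
    for ap in sorted(d.apded):
        wanted = {(ap, dom) for dom in d.domains}
        if wanted & unavailable:
            # The page's example shows HCP1718I for every requested domain on that adapter
            for _, dom in sorted(wanted):
                msgs.append(f"HCP1718I AP {ap} Domain {dom} is not available for dedicated use.")
        else:
            attached |= wanted
    return attached, msgs


if __name__ == "__main__":
    # Constructed after the conflicting-specification example: AP 2 domains 15 and 52 are shared.
    user = ["CRYPTO DOMAIN 53 APDED 2", "CRYPTO DOMAIN 15 APDED 0 1 3 4"]
    attached, msgs = assign_at_logon(parse_crypto(user), {(2, 15), (2, 52)})
    print(sorted(attached))
    print("\n".join(msgs))
```

Run against the entry from the conflicting-specification example, the script attaches both domains on adapters 0, 1, 3 and 4 and reports HCP1718I for domains 15 and 53 on adapter 2, which is the outcome the page describes. The simulator only knows what the page states; it does not model the Crypto Image Profile Page restrictions, the SSI reservation behaviour or CP's choice of default shared resources.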
Examples
- To specify that the virtual machine can have access to the shared crypto resources on the system, use the following CRYPTO statement in the virtual machine's definition:
  Crypto Apvirt
- To specify that a virtual machine can use crypto domains 3 and 7 on adapters 0, 2, and 3, use the following CRYPTO statement in the virtual machine's definition:
  Crypto Domain 3 7 Apded 0 2 3
- To specify that a virtual machine can use crypto domains 2, 10, 11, 12, and 13 on adapter 4, use the following CRYPTO statement in the virtual machine's definition:
  Crypto Domain 2 10 11 12 13 Apded 4
- This example shows how CP will process conflicting crypto resource specifications.
  - When the system configuration file contains the following CRYPTO APVIRTUAL statement:
    CRYPTO APVIRT AP 2 DOMAIN 15 52
    CP assigns the following crypto resources for shared use:
    AP 2 Domain 15
    AP 2 Domain 52
    For details on assigning a crypto resource for shared use, see CRYPTO APVIRTUAL Statement.
  - In addition, when a user's directory entry contains the following statements:
    CRYPTO DOMAIN 53 APDED 2
    CRYPTO DOMAIN 15 APDED 0 1 3 4
    CP will attempt to assign the following crypto resources to the virtual machine for dedicated use:
    AP 0 Domain 15
    AP 0 Domain 53
    AP 1 Domain 15
    AP 1 Domain 53
    AP 2 Domain 15
    AP 2 Domain 53
    AP 3 Domain 15
    AP 3 Domain 53
    AP 4 Domain 15
    AP 4 Domain 53
  - Because adapter 2 Domain 15 was already assigned for shared use in the system configuration file, it is not reserved for dedicated use and the following message is issued at system initialization time:
    HCP1721I Crypto AP 002 Domain 015 cannot be dedicated because it is reserved for shared use.
    See message HCP1721I in z/VM: CP Messages and Codes for more information.
  - Also, because all requested domains on adapter 2 cannot be assigned for dedicated use, the virtual machine is not assigned any of the domains on adapter 2 at logon time. In this example, adapter 2, Domains 15 and 52 are assigned for shared use, so none of the requested domains on adapter 2 are assigned to this virtual machine for dedicated use. The following messages are issued at logon time:
    HCP1718I AP 2 Domain 15 is not available for dedicated use.
    HCP1718I AP 2 Domain 53 is not available for dedicated use.
    See message HCP1718I in z/VM: CP Messages and Codes for more information.
  The following is the result of a Q CRYPTO DOMAIN command for that particular z/VM configuration, with the USER logged on:
    AP 000 CEX7P Domain 015 operational online attached to USER
    AP 000 CEX7P Domain 052 operational online free
    AP 000 CEX7P Domain 053 operational online attached to USER
    AP 001 CEX7A Domain 015 operational online attached to USER
    AP 001 CEX7A Domain 052 operational online free
    AP 001 CEX7A Domain 053 operational online attached to USER
    AP 002 CEX7C Domain 015 operational online shared
    AP 002 CEX7C Domain 052 operational online shared
    AP 002 CEX7C Domain 053 operational online free, dedication planned
    AP 003 CEX7A Domain 015 operational online attached to USER
    AP 003 CEX7A Domain 052 operational online free
    AP 003 CEX7A Domain 053 operational online attached to USER
    AP 004 CEX8C Domain 015 operational online attached to USER
    AP 004 CEX8C Domain 052 operational online free
    AP 004 CEX8C Domain 053 operational online attached to USER
- When the system configuration file contains the following CRYPTO APVIRTUAL statement:
