Dynamically adding and removing cryptographic adapters
You can add or remove cryptographic adapters from a running Linux® instance.
Before you begin
About this task
Linux attempts to detect new cryptographic adapters and set them online every time a configuration timer expires. Read or modify the expiration time with the lszcrypt and chzcrypt commands.
Adding or removing of cryptographic adapters to or from an LPAR is transparent to applications that use clear key functions. If a cryptographic adapter is removed while cryptographic requests are being processed, zcrypt automatically resubmits lost requests to the remaining adapters. Special handling is required for secure key.
Secure key requests are submitted to a dedicated cryptographic coprocessor. If this coprocessor is removed or lost, new requests cannot be submitted to a different coprocessor. Therefore, dynamically adding and removing adapters with a secure key application requires support within the application. For more information about secure key cryptography, see Secure Key Solution with the Common Cryptographic Architecture Application Programmer's Guide, SC33-8294. You can obtain this publication at www.ibm.com/support/knowledgecenter/linuxonibm/liaaf/lnz_r_cca.html .
Alternatively, you can read or set the
configuration timer through the config_time sysfs attribute. This read-write
attribute can be found at the AP bus level. Valid values for the config_time
sysfs attribute are in the range 5 - 120 seconds.
Procedure
Examples
- To use the lszcrypt and chzcrypt commands to find out the
current configuration timer setting, issue:
# lszcrypt -b ... config_time=30 (seconds) ...
In the example, the timer is set to 30 seconds. - To set the configuration timer to 60 seconds, issue:
# chzcrypt -c 60
-
To read the configuration timer setting, issue:
# cat /sys/bus/ap/config_time
- To set the configuration timer to 60 seconds, issue:
# echo 60 > /sys/bus/ap/config_time