AP queues on IBM Z

On IBM Z®, you assign cryptographic adapter resources in the form of AP queues.

IBM Z cryptographic adapters are partitioned into multiple cryptographic domains, each with its own state, including its own master key. A specific domain on a specific adapter is called an AP queue. In effect, an AP queue is a virtual cryptographic adapter.

AP queues are usually identified by expressions of the form <adapter_ID>.<domain_ID>, where <adapter_ID> is a two-digit ID for the cryptographic adapter in hexadecimal notation and <domain_ID> is a four-digit ID for the domain in hexadecimal notation. For example, 0a.001b denotes domain 27 on adapter 10.

The number of available AP queues in a particular mainframe environment depends on the number of installed cryptographic adapters and on the number of domains that are supported by each adapter. To provide for redundancy and workload balancing, typical environments include multiple adapters.

Generally, AP queues are assigned as a matrix of intersecting adapters and domains. You use the Support Element (SE) to assign adapters and domains to an LPAR. For example, configuring adapters 00, 01, and 0a and usage domains 0001, 0002, 0004, and 001b assigns 12 AP queues to the LPAR, as illustrated in Figure 1.

Figure 1. Matrix of adapters and domains with AP queues as intersections
Selecting 3 adapters and 4 domains results in a matrix of 3x4=12 AP queues; one queue for each of the selected domains for each of the selected adapters
Use the lszcrypt command to list the available AP queues.
# lszcrypt
CARD.DOMAIN TYPE    MODE         STATUS  REQUESTS
-------------------------------------------------
00          CEX6A   Accelerator  online         0
00.0001     CEX6A   Accelerator  online         0
00.0002     CEX6A   Accelerator  online         0
00.0004     CEX6A   Accelerator  online         0
00.001b     CEX6A   Accelerator  online         0
01          CEX6C   CCA-Coproc   online        31
01.0001     CEX6C   CCA-Coproc   online        10
01.0002     CEX6C   CCA-Coproc   online         7
01.0004     CEX6C   CCA-Coproc   online         9
01.001b     CEX6C   CCA-Coproc   online         5
0a          CEX6P   EP11-Coproc  online         0
0a.0001     CEX6P   EP11-Coproc  online         0
0a.0002     CEX6P   EP11-Coproc  online         0
0a.0004     CEX6P   EP11-Coproc  online         0
0a.001b     CEX6P   EP11-Coproc  online         0

The adapter mode is an LPAR setting that is configured on the SE, along with the assignment of adapters and domains to the LPAR. Adapters can be configured as CCA or EP11 coprocessors, or as accelerators. The mode of an adapter applies to all domains of the adapter.

The configuration scenario in Setup on the KVM host is based on the LPAR configuration of Figure 1. For the scenario, only the 12 AP queues that are available to the LPAR require consideration.
Figure 2. Matrix of AP queues configured for an LPAR
The image illustrates how a matrix of 3 adapters and 4 domains results in 12 AP queues