<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Manage multiple Cryptographic Coprocessors" />
<meta name="abstract" content="You can have up to eight Cryptographic Coprocessors per partition. The maximum number of Cryptographic Coprocessors supported per server is dependent on the system mode. Read this topic if you are using multiple coprocessors with SSL." />
<meta name="description" content="You can have up to eight Cryptographic Coprocessors per partition. The maximum number of Cryptographic Coprocessors supported per server is dependent on the system mode. Read this topic if you are using multiple coprocessors with SSL." />
<meta name="DC.Relation" scheme="URI" content="rzajcworking.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajcprereqssl.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="multiplecoprocessors" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Manage multiple Cryptographic Coprocessors</title>
</head>
<body id="multiplecoprocessors"><a name="multiplecoprocessors"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Manage multiple Cryptographic Coprocessors</h1>
<div><p>You can have up to eight Cryptographic Coprocessors per partition.
The maximum number of Cryptographic Coprocessors supported per server is dependent
on the system mode. Read this topic if you are using multiple coprocessors with
SSL.</p>
<p>Spreading the work across multiple Cryptographic Coprocessors and multiple
jobs gives you better performance provided that they are all configured the
same. Only one Coprocessor (cryptographic device description) may be allocated
to a job at one time. However, the job can switch between Coprocessors by
deallocating the current Coprocessor and allocating a new one. For the i5/OS™ SSL
user, the allocation and deallocation of the Coprocessors is managed by the
system if the SSL configuration in DCM indicates that more than one Coprocessor
is to be used for SSL session establishment.</p>
<p>If you configure all of the Coprocessors the same, then all operational
keys will work identically on all of the Coprocessors. Any data encrypted
on one Coprocessor can be decrypted on a different Coprocessor. All key store
files will work interchangeably with any of the Coprocessors. The most important
part of configuring the Coprocessors identically is the master keys. If you
entered the master key in parts for one Coprocessor, you must enter the same
master key parts for all of the other Coprocessors if you want them to work
interchangeably. If a random master key was generated inside of the Coprocessor,
then you must clone the master key to the other Coprocessors if you want all
of the Coprocessors to work interchangeably.</p>
<p>There may be certain situations where you do not want all of the Coprocessors
to be configured the same. They could all have different configurations or
they could be set up in groups where the configuration within a group is the
same but between groups is different. For these cases, all operational keys
may not work identically on all of the Coprocessors. Data encrypted on one
Coprocessor may not be able to be recovered on a different Coprocessor. Also,
the keystore files may not work interchangeably among Coprocessors. For these
situations, you must keep track of which keystore files and operational keys
will work for a given Coprocessor. While configuring the Coprocessors differently
may limit the scalability of cryptographic applications, it can provide more
granularity in terms of security. For example, you can grant different object
authorities to different cryptographic device descriptions.</p>
<p>If you use retained PKA keys, then the Coprocessors are also not interchangeable.
Retained keys cannot be exported in any manner outside of the Coprocessor.
Therefore, any cryptographic request that uses that retained key must be
sent to the Coprocessor that stores the retained key.</p>
<p>The following material is only applicable if you are using i5/OS applications:</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajcworking.htm" title="After you set up your Cryptographic Coprocessor, you can begin writing programs to make use of your Cryptographic Coprocessor's cryptographic functions.">Manage the Cryptographic Coprocessor</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzajcprereqssl.htm" title="Read this information to make the Cryptographic Coprocessor ready for use with SSL.">Configure the Cryptographic Coprocessor for use with DCM and SSL</a></div>
</div>
</div><div class="nested1" xml:lang="en-us" id="allocating"><a name="allocating"><!-- --></a><h2 class="topictitle2">Allocating a device</h2>
<div><p>The Cryptographic_Resource_Allocate (CSUACRA) API verb is used to explicitly
allocate a cryptographic device to your job so that the system can determine
how to route all subsequent cryptographic requests. If you use any of the
CCA API verbs without first explicitly using the Cryptographic_Resource_Allocate
(CSUACRA) API verb, the system will attempt to allocate the default cryptographic
device. The default device is the cryptographic device named CRP01. It must
be created by either using the Basic Configuration wizard or the Create Device
Crypto (CRTDEVCRP) CL command. You only need to use CSUACRA when you wish
to use a device other than the default cryptographic device. A device allocated
to a job, either explicitly or implicitly, remains allocated until either
the job ends or the device is deallocated using the Cryptographic_Resource_Deallocate
(CSUACRD) API verb.</p>
</div>
<div><div class="relref"><strong>Related reference</strong><br />
<div><a href="rzajccrpallocc.htm" title="Change this program example to suit your needs for allocating a Coprocessor.">Example: ILE C program for allocating a Coprocessor</a></div>
<div><a href="rzajccrpallocrpg.htm" title="Change this program example to suit your needs for allocating a Coprocessor.">Example: ILE RPG program for allocating a Coprocessor</a></div>
</div>
</div></div>
<div class="nested1" xml:lang="en-us" id="deallocating"><a name="deallocating"><!-- --></a><h2 class="topictitle2">Deallocating a device</h2>
<div><p>When you have finished using a Cryptographic Coprocessor, you should deallocate
the Cryptographic Coprocessor by using the Cryptographic_Resource_Deallocate
(CSUACRD) API verb. A cryptographic device description cannot be varied
off until all jobs using the device have deallocated it.</p>
</div>
<div><div class="relref"><strong>Related reference</strong><br />
<div><a href="rzajccrpdeallocc.htm" title="Change this program example to suit your needs for deallocating a Coprocessor.">Example: ILE C program for deallocating a Coprocessor</a></div>
<div><a href="rzajccrpdeallocrpg.htm" title="Change this program example to suit your needs for deallocating a Coprocessor.">Example: ILE RPG program for deallocating a Coprocessor</a></div>
</div>
</div></div>
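<p>An added example in C (not IBM's sample code) of the switch between Coprocessors described in this topic: deallocate the current device description with CSUACRD, allocate the new one with CSUACRA, and re-allocate the previous device if the new allocation fails, so that the job does not silently fall back to the default device. Assumptions: the verb parameter list, the DEVICE rule-array keyword, the 10-character limit on device description names, and the constructed sim_* stand-ins with their return code 8, which let the block run off-system.</p>

```c
#include <string.h>
/* Parameter list of CSUACRA/CSUACRD in CCA verb format (assumed; check the
 * header on your release). On i5/OS, pass the real verbs where this type is used. */
typedef void (*cca_verb)(long *rc, long *reason, long *exit_len, char *exit_data,
                         long *rule_count, char *rule_array, long *name_len, char *name);

/* Constructed stand-ins so the block runs offline: one job, devices CRP01 and CRP02. */
char sim_held[11] = "";
void sim_allocate(long *rc, long *reason, long *el, char *ed,
                  long *rn, char *ra, long *nl, char *name)
{
    int known = !strcmp(name, "CRP01") || !strcmp(name, "CRP02");
    (void)el; (void)ed; (void)rn; (void)ra; (void)nl; *reason = 0;
    *rc = (known && sim_held[0] == '\0') ? 0 : 8;    /* only one device per job */
    if (*rc == 0) strcpy(sim_held, name);
}
void sim_deallocate(long *rc, long *reason, long *el, char *ed,
                    long *rn, char *ra, long *nl, char *name)
{
    (void)el; (void)ed; (void)rn; (void)ra; (void)nl; *reason = 0;
    *rc = (sim_held[0] != '\0' && !strcmp(sim_held, name)) ? 0 : 8;
    if (*rc == 0) sim_held[0] = '\0';
}

/* Call one resource verb for a device description. Returns the CCA return code,
 * or -1 (a local value, not a CCA code) if the name is not 1 to 10 characters. */
static long resource_call(cca_verb verb, const char *device)
{
    long rc = 0, reason = 0, exit_len = 0, rule_count = 1, name_len = (long)strlen(device);
    char exit_data[4] = {0}, rule_array[8], name[11];
    if (name_len < 1 || name_len > 10) return -1;
    memcpy(name, device, (size_t)name_len + 1);
    memcpy(rule_array, "DEVICE  ", 8);           /* resource is a device description */
    verb(&rc, &reason, &exit_len, exit_data, &rule_count, rule_array, &name_len, name);
    return rc;
}

/* Switch the job from `current` (NULL if none) to `target`. Returns 0 on success,
 * 1 if deallocation failed (job still holds `current`), 2 if allocation failed;
 * in case 2 `current` is re-allocated if possible and *restored reports that. */
int switch_coprocessor(cca_verb alloc, cca_verb dealloc,
                       const char *current, const char *target, int *restored)
{
    *restored = 0;
    if (current && resource_call(dealloc, current) != 0) return 1;
    if (resource_call(alloc, target) == 0) return 0;
    if (current && resource_call(alloc, current) == 0) *restored = 1;
    return 2;
}
```

<p>A return value of 2 with *restored equal to 0 means the job holds no explicitly allocated device, so the caller should stop rather than issue further CCA verbs that would be routed to the default device.</p>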
</body>
</html>