ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzajc_5.4.0.1/rzajcmultiplecoprocessors.htm

111 lines
8.1 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Manage multiple Cryptographic Coprocessors" />
<meta name="abstract" content="You can have up to eight Cryptographic Coprocessors per partition. The maximum number of Cryptographic Coprocessors supported per server is dependent the system mode. Read this topic if you are using multiple coprocessors with SSL." />
<meta name="description" content="You can have up to eight Cryptographic Coprocessors per partition. The maximum number of Cryptographic Coprocessors supported per server is dependent the system mode. Read this topic if you are using multiple coprocessors with SSL." />
<meta name="DC.Relation" scheme="URI" content="rzajcworking.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajcprereqssl.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="multiplecoprocessors" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Manage multiple Cryptographic Coprocessors</title>
</head>
<body id="multiplecoprocessors"><a name="multiplecoprocessors"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Manage multiple Cryptographic Coprocessors</h1>
<div><p>You can have up to eight Cryptographic Coprocessors per partition.
The maximum number of Cryptographic Coprocessors supported per server is dependent
the system mode. Read this topic if you are using multiple coprocessors with
SSL.</p>
<p>Spreading the work across multiple Cryptographic Coprocessors and multiple
jobs gives you better performance provided that they are all configured the
same. Only one Coprocessor (cryptographic device description) may be allocated
to a job at one time. However, the job can switch between Coprocessors by
deallocating the current Coprocessor and allocating a new one. For the i5/OS™ SSL
user, the allocation and deallocation of the Coprocessors is managed by the
system if the SSL configuration in DCM indicates that more than one Coprocessor
is to be used for SSL session establishment.</p>
<p>If you configure all of the Coprocessors the same, then all operational
keys will work identically on all of the Coprocessors. Any data encrypted
on one Coprocessor can be decrypted on a different Coprocessor. All key store
files will work interchangeably with any of the Coprocessors. The most important
part of configuring the Coprocessors identically is the master keys. If you
entered the master key in parts for one Coprocessor, you must enter the same
master key parts for all of the other Coprocessors if you want them to work
interchangeably. If a random master key was generated inside of the Coprocessor,
then you must clone the master key to the other Coprocessors if you want all
of the Coprocessors to work interchangeably.</p>
<p>There may be certain situations where you do not want all of the Coprocessors
to be configured the same. They could all have different configurations or
they could be set up in groups where the configuration within a group is the
same but between groups is different. For these cases, all operational keys
may not work identically on all of the Coprocessors. Data encrypted on one
Coprocessor may not be able to be recovered on a different Coprocessor. Also,
the keystore files may not work interchangeably among Coprocessors. For these
situations, you must keep track of which keystore files and operational keys
will work for a given Coprocessor. While configuring the Coprocessors differently
may limit the scalability of cryptographic applications, it can provide more
granularity in terms of security. For example, you can grant different object
authorities to different cryptographic device descriptions.</p>
<p>If you use retained PKA keys then the Coprocessors are also not interchangeable.
Retained keys can not be exported in any manner outside of the Coprocessor.
Therefore, any cryptographic request that uses that retained key must be
sent to the Coprocessor that stores the retained key.</p>
<p>The following material is only applicable if you are using i5/OS applications:</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajcworking.htm" title="After you set up your Cryptographic Coprocessor, you can begin writing programs to make use of your Cryptographic Coprocessor's cryptographic functions.">Manage the Cryptographic Coprocessor</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzajcprereqssl.htm" title="Read this information to make the Cryptographic Coprocessor ready for use with SSL.">Configure the Cryptographic Coprocessor for use with DCM and SSL</a></div>
</div>
</div><div class="nested1" xml:lang="en-us" id="allocating"><a name="allocating"><!-- --></a><h2 class="topictitle2">Allocating a device</h2>
<div><p>The Cryptographic_Resource_Allocate (CSUACRA) API verb is used to explicitly
allocate a cryptographic device to your job so that the system can determine
how to route all subsequent cryptographic requests. If you use any of the
CCA API verbs without first explicitly using the Cryptographic_Resource_Allocate
(CSUACRA) API verb, the system will attempt to allocate the default cryptographic
device. The default device is the cryptographic device named CRP01. It must
be created by either using the Basic Configuration wizard or the Create Device
Crypto (CRTDEVCRP) CL command. You only need to use CSUACRA when you wish
to use a device other than the default cryptographic device. A device allocated
to a job, either explicitly or implicitly, remains allocated until either
the job ends or the device is deallocated using the Cryptographic_Resource_Deallocate
(CSUACRD) API verb.</p>
</div>
<div><div class="relref"><strong>Related reference</strong><br />
<div><a href="rzajccrpallocc.htm" title="Change this program example to suit your needs for allocating a Coprocessor.">Example: ILE C program for allocating a Coprocessor</a></div>
<div><a href="rzajccrpallocrpg.htm" title="Change this program example to suit your needs for allocating a Coprocessor.">Example: ILE RPG program for allocating a Coprocessor</a></div>
</div>
</div></div>
<div class="nested1" xml:lang="en-us" id="deallocating"><a name="deallocating"><!-- --></a><h2 class="topictitle2">Deallocating a device</h2>
<div><p>When you have finished using a Cryptographic Coprocessor, you should deallocate
the Cryptographic Coprocessor by using the Cryptographic_Resource_Deallocate
(CSUACRD) API verb. A cryptographic device description can not be varied
off until all jobs using the device have deallocated it.</p>
</div>
<div><div class="relref"><strong>Related reference</strong><br />
<div><a href="rzajccrpdeallocc.htm" title="Change this program example to suit your needs for deallocating a Coprocessor.">Example: ILE C program for deallocating a Coprocessor</a></div>
<div><a href="rzajccrpdeallocrpg.htm" title="Change this program example to suit your needs for deallocating a Coprocessor.">Example: ILE RPG program for deallocating a Coprocessor</a></div>
</div>
</div></div>
</body>
</html>