I think you're trying to determine which domain ICSF should use programmatically, so that ICSF start-up can be automatic, even if multiple domains are available. Keep in mind that if ICSF won't start, because it doesn't know which domain to use, then you can't query ICSF to find out which domain it's using :-( So, your solution has to determine which domain to use, completely outside of ICSF.
If there was a control block with the list of domains available to that LPAR, how would you determine which one it should use? The goal is to have ICSF start pointing to a domain that contains the master keys (loaded in the secure hardware) which match the master keys used to create the CKDS and PKDS that ICSF is using. But since ICSF isn't started, you can't access the secure hardware, so you couldn't query the MKVP of the SYM-MK nor the hash of the ASYM-MK (to compare it to the MKVP/Hash patterns stored in the CKDS/PKDS). I can't think of any other way to programmatically determine that you're using the right domain.

As Rob Schramm and Mark Zelden have pointed out, domain assignments are something best handled by planning and coordination with the DR provider. If your DR provider gives you a system with access to only a single domain, then ICSF will start just fine without the domain parm in the options data set. (And if that's how your system is configured, no changes will be required for the DR site.)

If your DR provider gives you a system with multiple domains assigned, then I think you would want to manually verify the domain assignment. What is the likelihood that another customer is executing a DR exercise and happens to use the same domain assignment that you use? If you start ICSF pointing to someone else's domain, or they start ICSF pointing to your domain, no data will be compromised, but the master keys will be out of sync and you're going to have to stop ICSF and correct the problem before continuing.

Unless the DR site is a hot site, you're also going to have to load your master keys, so manual intervention is required after IPLing the system. Before starting ICSF and the master key ceremony you should check the domain parms. The domain would have to have been assigned before the IPL, and hopefully communicated to you.
Greg

On Tue, 20 May 2008 09:31:12 -0500, Roberto Ibarra Magdaleno <[EMAIL PROTECTED]> wrote:

>Greg,
>
>That's exactly what I'm looking for "a way to determine the Domain number"
>it must be out there since the ICSF STC when started takes it, determines
>it? if it's not coded in CSFPRMxx.
>
>Any ideas?
>
>Regards.
>
>Roberto.
>
>On Fri, May 16, 2008 at 3:06 PM, Greg Boyd <[EMAIL PROTECTED]> wrote:
>
>> <snipped text>
>
>> I am not aware of a way to determine the Domain number, but it's an
>> interesting requirement. I would think that selecting/assigning a domain at
>> the DR site would be covered in the planning phase. In most cases, they can
>> probably assign the domain that you want. In the rare cases where they
>> can't (another customer who uses the same domain is performing a DR at the
>> same time on the same machine) then the DR provider should tell you that
>> today you're using Domain 10, and you'll have to change the Options data
>> set. Whether the DR provider tells you, or you query the environment, either
>> way, you have to update the options data set. It might save you a false
>> start on starting ICSF, but you wouldn't need to reIPL, simply update the
>> options and start ICSF again.
>>
>> Greg Boyd
>> IBM WSC, System z Crypto
>>
>> On Fri, 16 May 2008 13:07:01 -0500, Roberto Ibarra Magdaleno
>> <[EMAIL PROTECTED]> wrote:
>>
>> >Good question David, is there any shop out there where they use multiple
>> >domains per LPAR and how they use them if there is any?
>> >Anyway, and maybe now is just a matter of curiosity, does anybody know a
>> >"place" or a method to extract such data from the system before starting
>> >ICSF?
>> >
>> >On Fri, May 16, 2008 at 5:01 AM, Jousma, David <[EMAIL PROTECTED]> wrote:
>> >
>> >> I consider it a pretty unlikely situation where there are multiple
>> >> domains per lpar in most shops. It is only a gut feeling on my part,
>> >> however.
>> >>
>> >> _______________________________________________________
>> >>
>> >> Dave Jousma
>> >> Assistant Vice President
>> >> Mainframe Services
>> >> [EMAIL PROTECTED]
>> >> 616.653.8429
>> >>
>> >> -----Original Message-----
>> >> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
>> >> Behalf Of Roberto Ibarra Magdaleno
>> >> Sent: Thursday, May 15, 2008 2:33 PM
>> >> To: [email protected]
>> >> Subject: Re: Display or view the Crypto Current domain index or Usage
>> >> domain index
>> >>
>> >> Still the same question David, how to know if there is always only one
>> >> domain without asking anyone, but the system?
>> >>
>> >> On Thu, May 15, 2008 at 1:12 PM, Jousma, David <[EMAIL PROTECTED]>
>> >> wrote:
>> >>
>> >> > If there is ever only one domain assigned to a particular lpar, then
>> >> > don't code anything, period. My understanding is that domain only
>> >> > needs to be coded if you assign more than one to the same lpar. In
>> >> > our shop, we have only one domain per lpar, and we don't code it in
>> >> > the CSFPRMxx members
>> >> >
>> >> > _______________________________________________________
>> >> >
>> >> > Dave Jousma
>> >> > Assistant Vice President
>> >> > Mainframe Services
>> >> > [EMAIL PROTECTED]
>> >> > 616.653.8429
>> >> >
>> >> > -----Original Message-----
>> >>
>> >> ----------------------------------------------------------------------
>> >> For IBM-MAIN subscribe / signoff / archive access instructions,
>> >> send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
>> >> Search the archives at http://bama.ua.edu/archives/ibm-main.html

