A very tiny nit; I believe the correct term for this context is 'master
key' (singular), not 'master keys' (plural). As I understand things so
far: Each domain has only one master key. A given LPAR can use only one
domain at a time. LPARs in a sysplex can share key clusters by having
the same master key loaded in each LPAR's respective domain. 

As I recall the relevant screens on the HMC, there were two entries. I
can't remember the names but they were not intuitive. But it looks like
one established the candidate domains and one established the designated
(I avoid the word 'default') domain. I think you could select multiple
domains from each list. I do recall IPL'ing an LPAR with the wrong
domain specified in the ICSF parms, and I seem to recall that it failed
on a master key issue as opposed to a domain access issue. But memory
fails all too often these days :-)

I suppose you could have multiple key clusters (each using a different
master key) that would be used at different times by switching domains,
but one would wonder why. 

To some it may not be too big of a deal, but we are following
recommendations that we (the sysprogs) don't enter the master key, and
the master key never flows in the open. Designated security officers
enter key parts so even they do not know the whole key. And that goes
for DR as well as BAU (business as usual). Most of that is in place and
somewhat working.    

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Greg Boyd
Sent: Wednesday, May 21, 2008 9:04 AM
To: [email protected]
Subject: Re: Display or view the Crypto Current domain index or Usage domain index

I think you're trying to determine which domain ICSF should use programmatically, so that ICSF start-up can be automatic, even if multiple domains are available. Keep in mind that if ICSF won't start, because it doesn't know which domain to use, then you can't query ICSF to find out which domain it's using :-( So, your solution has to determine which domain to use, completely outside of ICSF.

If there was a control block with the list of domains available to that LPAR, how would you determine which one it should use? The goal is to have ICSF start pointing to a domain that contains the master keys (loaded in the secure hardware) which match the master keys used to create the CKDS and PKDS that ICSF is using. But since ICSF isn't started, you can't access the secure hardware, so you couldn't query the MKVP of the SYM-MK nor the hash of the ASYM-MK (to compare it to the MKVP/Hash patterns stored in the CKDS/PKDS). I can't think of any other way to programmatically determine that you're using the 'right' domain.

As Rob Schramm and Mark Zelden have pointed out, domain assignments are something best handled by planning and coordination with the DR provider. If your DR provider gives you a system with access to only a single domain, then ICSF will start just fine without the domain parm in the options data set. (And if that's how your system is configured, no changes will be required for the DR site.) If your DR provider gives you a system with multiple domains assigned, then I think you would want to manually verify the domain assignment. What is the likelihood that another customer is executing a DR exercise and happens to use the same domain assignment that you use? If you start ICSF pointing to someone else's domain, or they start ICSF pointing to your domain, no data will be compromised, but the master keys will be out of sync and you're going to have to stop ICSF and correct the problem before continuing.

Unless the DR site is a hot site, you're also going to have to load your master keys, so manual intervention is required after IPLing the system. Before starting ICSF and the master key ceremony you should check the domain parms. The domain would have to have been assigned before the IPL, and hopefully communicated to you.

Greg


On Tue, 20 May 2008 09:31:12 -0500, Roberto Ibarra Magdaleno <[EMAIL PROTECTED]> wrote:

>Greg,
>
>That's exactly what I'm looking for: "a way to determine the Domain number". It must be out there, since the ICSF STC, when started, takes it (determines it?) if it's not coded in CSFPRMxx.
>
>Any ideas?
>
>Regards.
>
>Roberto.
>
>On Fri, May 16, 2008 at 3:06 PM, Greg Boyd <[EMAIL PROTECTED]> wrote:
>
>> <snipped text>
>
>
>> I am not aware of a way to determine the Domain number, but it's an interesting requirement. I would think that selecting/assigning a domain at the DR site would be covered in the planning phase. In most cases, they can probably assign the domain that you want. In the rare cases where they can't (another customer who uses the same domain is performing a DR at the same time on the same machine) then the DR provider should tell you that today you're using Domain 10, and you'll have to change the Options data set. Whether the DR provider tells you, or you query the environment, either way, you have to update the options data set. It might save you a false start on starting ICSF, but you wouldn't need to re-IPL, simply update the options and start ICSF again.
>>
>> Greg Boyd
>> IBM WSC, System z Crypto
>>
>>
>>
>>
>> On Fri, 16 May 2008 13:07:01 -0500, Roberto Ibarra Magdaleno <[EMAIL PROTECTED]> wrote:
>>
>> >Good question David, is there any shop out there where they use multiple domains per LPAR, and how do they use them if there is any?
>> >Anyway, and maybe now it is just a matter of curiosity, does anybody know a "place" or a method to extract such data from the system before starting ICSF?
>> >
>> >On Fri, May 16, 2008 at 5:01 AM, Jousma, David <[EMAIL PROTECTED]> wrote:
>> >
>> >> I consider it a pretty unlikely situation where there are multiple domains per lpar in most shops. It is only a gut feeling on my part, however.
>> >>
>> >>
>> >> _______________________________________________________
>> >>
>> >> Dave Jousma
>> >> Assistant Vice President
>> >> Mainframe Services
>> >> [EMAIL PROTECTED]
>> >> 616.653.8429
>> >>
>> >>
>> >> -----Original Message-----
>> >> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Roberto Ibarra Magdaleno
>> >> Sent: Thursday, May 15, 2008 2:33 PM
>> >> To: [email protected]
>> >> Subject: Re: Display or view the Crypto Current domain index or Usage domain index
>> >>
>> >> Still the same question David, how to know if there is always only one domain without asking anyone but the system?
>> >>
>> >>
>> >> On Thu, May 15, 2008 at 1:12 PM, Jousma, David <[EMAIL PROTECTED]> wrote:
>> >>
>> >> > If there is ever only one domain assigned to a particular lpar, then don't code anything, period. My understanding is that domain only needs to be coded if you assign more than one to the same lpar. In our shop, we have only one domain per lpar, and we don't code it in the CSFPRMxx members.
>> >> >
>> >> >
>> >> > _______________________________________________________
>> >> >
>> >> > Dave Jousma
>> >> > Assistant Vice President
>> >> > Mainframe Services
>> >> > [EMAIL PROTECTED]
>> >> > 616.653.8429
>> >> >
>> >> >
>> >> > -----Original Message-----
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> ----------------------------------------------------------------------
>> >> For IBM-MAIN subscribe / signoff / archive access instructions,
>> >> send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
>> >> Search the archives at http://bama.ua.edu/archives/ibm-main.html
>> >>
>> >>
>> >
>>
>>
>>
>>
>>
>


