Hal,

Actually, it is both true and false. There is a single master key for Symmetric key storage (CKDS), and a single key for Asymmetric key storage (PKDS). Of course when I say single I really mean a single three slot entity that represents storage for NEW-CURRENT-OLD keys.
I have not read up on the TKDS yet and how it depends on the CEX2C. Additionally, I thought that there is also a way to generate an additional MK on-board, but without the ability to recover the key. Of course there are always the UDX routines that can be designed to do all sorts of interesting things. I know the DKMS product makes good use of UDX in the quest to properly and easily manage all keys.

As for the HMC, it is Control Domain and Usage Domain. One sets the scope from the LPAR of what other domains can be controlled/affected; the other sets the domain for use of the LPAR. Control Domain is specifically useful when using a TKE (although I am sure that there are other possible uses). Control Domain becomes important if you are running Test and Production TKEs with Test and Production LPARs in the same physical box.

Rob Schramm
Sirius Computer Solutions

<snip>

