Hi,

a few comments on what was in an earlier mail by Alan:

to set a master key in an EP11 adapter you always need a TKE, even if
you want to do it via z/OS, in which case a TKE must be connected to a
z/OS image.


Unless a domain of an adapter has been configured by the TKE to be only
manageable using signed commands, you can use panel.exe to manage the
master keys of adapter domains of which the adapter id and usage +
control domain id is attached to the guest. On z/VM guests, attaching a
(usage) domain to a guest with APDED always implies also attaching the
control domain to the guest.

The CCA tool panel.exe is meant as a simple key admin tool with limited
functionality that works best when operating on the default adapter and
default domain. It is described here:

https://www.ibm.com/support/knowledgecenter/linuxonibm/com.ibm.linux.z.wskc.doc/wskc_c_utilities.html


You can provide arguments to address specific adapters, but be aware that
this may be tricky because the way the tools from the CCA host package
count adapters and the way the kernel identifies adapters may differ.

There is no easy way to define the domain to which a panel.exe command
shall be addressed. Some tricks are possible (e.g. setting the
environment variable CSU_DEFAULT_DOMAIN, or setting
/sys/bus/ap/ap_domain), but panel.exe cannot address a control domain
that is not equal to the usage domain.

In general, when you need to do master key management in more complex (>
single node) environments, the TKE is the tool of choice. Besides being
more secure (access control via smart cards) and master key parts being
stored on smart cards, the smart cards with key parts allow you to
restore a master key (in case a crypto card got lost/zeroized/damaged).
In addition, the TKE can manage multiple crypto adapters connected to
multiple LPARs/guests, located on multiple CECs. TKE simplifies some
complex functions like distributing the same master key to a set of
adapter domains as needed for redundant/HA/DR setups.


-Reinhard


(sorry for late replies, but I am having some trouble with my mail
account or mailer :-(
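A pre-check for the panel.exe domain trick described above, added here as an example; it is not part of Reinhard's mail or of the CCA host package. It assumes the kernel's AP bus sysfs masks /sys/bus/ap/ap_adapter_mask, ap_usage_domain_mask and ap_control_domain_mask (256-bit masks, 0x plus 64 hex digits, bit 0 = leftmost bit), and only confirms that the target domain is attached as both usage and control domain before the operator sets CSU_DEFAULT_DOMAIN and starts panel.exe.

```sh
#!/bin/sh
# Example pre-check (not from the original mail). panel.exe can only address a
# control domain equal to the usage domain, so verify from the AP bus masks
# that CARD is attached and DOMAIN is both a usage and a control domain.
# Assumed sysfs layout: 0x + 64 hex digits, bit 0 = most significant bit.

# bit_set MASK N -> true if bit N (0..255, MSB-first) is set in MASK
bit_set() {
  mask=${1#0x}; n=$2
  [ "${#mask}" -eq 64 ] || return 2
  [ "$n" -ge 0 ] && [ "$n" -lt 256 ] || return 2
  digit=$(printf '%s\n' "$mask" | cut -c "$((n / 4 + 1))")
  val=$(printf '%d' "0x$digit")
  [ $(( (val >> (3 - n % 4)) & 1 )) -eq 1 ]
}

# panel_target_ok ADAPTER_MASK USAGE_MASK CONTROL_MASK CARD DOMAIN
panel_target_ok() {
  bit_set "$1" "$4" && bit_set "$2" "$5" && bit_set "$3" "$5"
}

# Constructed sample masks: card 0 attached, domains 0-3 usage + control.
SAMPLE_ADAPTERS=0x8000000000000000000000000000000000000000000000000000000000000000
SAMPLE_USAGE=0xf000000000000000000000000000000000000000000000000000000000000000
SAMPLE_CONTROL=0xf000000000000000000000000000000000000000000000000000000000000000

# On an s390x guest read the live masks; elsewhere fall back to the samples.
main() {
  card=${1:-0}; dom=${2:-1}
  if [ -r /sys/bus/ap/ap_usage_domain_mask ]; then
    a=$(cat /sys/bus/ap/ap_adapter_mask)
    u=$(cat /sys/bus/ap/ap_usage_domain_mask)
    c=$(cat /sys/bus/ap/ap_control_domain_mask)
  else
    a=$SAMPLE_ADAPTERS; u=$SAMPLE_USAGE; c=$SAMPLE_CONTROL
  fi
  if panel_target_ok "$a" "$u" "$c" "$card" "$dom"; then
    echo "card $card / domain $dom is usage+control: export CSU_DEFAULT_DOMAIN=$dom"
  else
    echo "card $card / domain $dom is not a usage+control pair on this guest" >&2
    return 1
  fi
}

main "$@"
```

Note that the CARD number checked here is the kernel's AP id, which, as the mail points out, need not match the adapter index the CCA host tools use.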

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www2.marist.edu/htbin/wlvindex?LINUX-390
