Re: ICSF crypto domain sharing

2018-10-02 Thread Frank Swarbrick
We're sharing keys between dev and sandbox, not dev and prod.

Thanks for the info!

Frank

From: IBM Mainframe Discussion List  on behalf of 
R.S. 
Sent: Sunday, September 30, 2018 12:41 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ICSF crypto domain sharing

Frank,
You did your job by entering the same master keys. Now the different domains are
"compatible" - they can share CKDS/PKDS.
You wanted to share a domain, which is impossible (and that's good IMHO).

Of course there is another story behind this: should one share crypto between
prod and dev?
We just answered how it's possible, not whether it's recommended.

Regards

--
Radoslaw Skorupka
Lodz, Poland






On 2018-09-28 at 20:34, Frank Swarbrick wrote:
> Let me explain a bit more what I was trying to ask.  We have 3 LPARs 
> (production, dev/test, sandbox) on the same CPC.  Sandbox up to this point 
> did not have master keys loaded.  We quickly needed to load some, so I 
> recommended we use the same keys as dev/test.  I had hoped that we could have 
> Sandbox use the same crypto domain as dev/test; thus the question.  I ended 
> up just loading the same keys, rather than attempting to "share" the same 
> domain.  But I still wondered if the latter could be done.  It sounds like 
> you are saying no.
>
> 
> From: IBM Mainframe Discussion List  on behalf of 
> R.S. 
> Sent: Friday, September 28, 2018 8:43 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: ICSF crypto domain sharing
>
> On 2018-09-28 at 12:54, Jousma, David wrote:
>> Yes, they can be shared.   Our PROD lpars are all on the same domain.
> IMHO no, domains cannot be shared.
> Maybe your prod LPARs reside on different CPC each?
>
> Some remarks:
> 1. A single LPAR can have more than one domain, but z/OS ICSF can use only
> one at a time. However, you can change the domain number in PARMLIB and
> recycle ICSF.
>
> 2. A domain number cannot be assigned to more than one active LPAR.
> Deactivated LPARs could share a domain id.
>
> 3. In the old days it was possible to have e.g. 40 LPARs and the number of
> domains was 16. In that case more crypto engines were needed, for
> example Crypto 1 and 3 were assigned to LPARs 01-0F, Crypto engines 2
> and 4 were assigned to LPARs 10-1F and the remaining LPARs had no access to
> Crypto engines (CPACF is not affected). In that case LPAR 01 and LPAR 11
> may have Domain Id 2 assigned, but on separate Crypto engines.
>
> 4. It is impossible to have e.g. Domain 12 on Crypto1 and Domain 07 on
> Crypto2 at the same time.
>
> 5. It is also possible to have the same master keys on different domains
> (and even different CPCs) - in that case, CKDS/PKDS can be shared/copied
> between those systems.
>
>
> --
> Radoslaw Skorupka
> Lodz, Poland
>
>
>
>
> ==
>
> If you are not the addressee of this message:
>
> - let us know by replying to this e-mail (thank you!),
> - delete this message permanently (including all the copies which you have 
> printed out or saved).
> This message may contain legally protected information, which may be used 
> exclusively by the addressee.Please be reminded that anyone who disseminates 
> (copies, distributes) this message or takes any similar action, violates the 
> law and may be penalised.
>



Re: ICSF crypto domain sharing

2018-09-30 Thread R.S.

Frank,
You did your job by entering the same master keys. Now the different domains are
"compatible" - they can share CKDS/PKDS.

You wanted to share a domain, which is impossible (and that's good IMHO).

Of course there is another story behind this: should one share crypto between
prod and dev?

We just answered how it's possible, not whether it's recommended.

Regards

--
Radoslaw Skorupka
Lodz, Poland






On 2018-09-28 at 20:34, Frank Swarbrick wrote:

Let me explain a bit more what I was trying to ask.  We have 3 LPARs (production, 
dev/test, sandbox) on the same CPC.  Sandbox up to this point did not have master keys 
loaded.  We quickly needed to load some, so I recommended we use the same keys as 
dev/test.  I had hoped that we could have Sandbox use the same crypto domain as dev/test; 
thus the question.  I ended up just loading the same keys, rather than attempting to 
"share" the same domain.  But I still wondered if the latter could be done.  It 
sounds like you are saying no.


From: IBM Mainframe Discussion List  on behalf of R.S. 

Sent: Friday, September 28, 2018 8:43 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ICSF crypto domain sharing

On 2018-09-28 at 12:54, Jousma, David wrote:

Yes, they can be shared.   Our PROD lpars are all on the same domain.

IMHO no, domains cannot be shared.
Maybe your prod LPARs reside on different CPC each?

Some remarks:
1. A single LPAR can have more than one domain, but z/OS ICSF can use only
one at a time. However, you can change the domain number in PARMLIB and
recycle ICSF.

2. A domain number cannot be assigned to more than one active LPAR.
Deactivated LPARs could share a domain id.

3. In the old days it was possible to have e.g. 40 LPARs and the number of
domains was 16. In that case more crypto engines were needed, for
example Crypto 1 and 3 were assigned to LPARs 01-0F, Crypto engines 2
and 4 were assigned to LPARs 10-1F and the remaining LPARs had no access to
Crypto engines (CPACF is not affected). In that case LPAR 01 and LPAR 11
may have Domain Id 2 assigned, but on separate Crypto engines.

4. It is impossible to have e.g. Domain 12 on Crypto1 and Domain 07 on
Crypto2 at the same time.

5. It is also possible to have the same master keys on different domains
(and even different CPCs) - in that case, CKDS/PKDS can be shared/copied
between those systems.


--
Radoslaw Skorupka
Lodz, Poland





Re: ICSF crypto domain sharing

2018-09-28 Thread Carmen Vitullo
I did have a process years ago, not sure it's still valid... not sure this is
what you need?



Clone the ICSF CKDS from one system to another 
1) allocate a new CKDS 
2) generate a random number and then get the checksum for it 
(write the key part down and save it) 
3) enter this key part as the FIRST key part 
4) generate another random number and then get the checksum for it 
(write the key part down and save it) 
5) enter this key part as the FINAL key part 
6) reencipher the current CKDS into the new CKDS 
the new CKDS is now the active CKDS and the master key is now changed 
now take this new CKDS and the master key parts to the other system. 
on the other system do the following: 
stop ICSF 
repro the new CKDS into a new CKDS, ensure the CSFPRMxx member has 
the new CKDS name in it. 
1) enter the DES key parts (first and final) 
2) set the master key (option 2.2 from the ICSF panel) 
the master key is now set and the new CKDS is now the active CKDS. 



Carmen Vitullo 

- Original Message -

From: "Frank Swarbrick"  
To: IBM-MAIN@LISTSERV.UA.EDU 
Sent: Friday, September 28, 2018 1:41:02 PM 
Subject: Re: ICSF crypto domain sharing 

We unfortunately have opted to not (yet?) purchase a TKE. While it's "too late" 
for this time, does anyone know if there is a method to "copy" master keys from 
one domain to another? 

 
From: IBM Mainframe Discussion List  on behalf of 
Jousma, David <01a0403c5dc1-dmarc-requ...@listserv.ua.edu> 
Sent: Friday, September 28, 2018 9:03 AM 
To: IBM-MAIN@LISTSERV.UA.EDU 
Subject: Re: ICSF crypto domain sharing 

Radoslaw. 

OK, you made me go look at the IMAGE profiles for my PROD systems. We have 3
PROD systems on a single CPC. My recollection was incorrect, and I should have
looked before I replied. We have 3 domains, one for each prod LPAR assigned
USAGE on each, with 4 crypto engines online. All 3 prod LPARs have Control
access to all 3 domains, which was the source of my misinformation; they are set
that way so that when we do the TKE key ceremony, we can load the PROD master keys
for all PROD domains in one operation.

My apologies for spreading FAKE NEWS. :) 

-Original Message- 
From: IBM Mainframe Discussion List  On Behalf Of 
R.S. 
Sent: Friday, September 28, 2018 10:43 AM 
To: IBM-MAIN@LISTSERV.UA.EDU 
Subject: Re: ICSF crypto domain sharing 

**CAUTION EXTERNAL EMAIL** 

**DO NOT open attachments or click on links from unknown senders or unexpected 
emails** 

On 2018-09-28 at 12:54, Jousma, David wrote:
> Yes, they can be shared. Our PROD lpars are all on the same domain. 

IMHO no, domains cannot be shared. 
Maybe your prod LPARs reside on different CPC each? 

Some remarks: 
1. A single LPAR can have more than one domain, but z/OS ICSF can use only one at
a time. However, you can change the domain number in PARMLIB and recycle ICSF.

2. A domain number cannot be assigned to more than one active LPAR.
Deactivated LPARs could share a domain id.

3. In the old days it was possible to have e.g. 40 LPARs and the number of domains
was 16. In that case more crypto engines were needed, for example Crypto 1 and
3 were assigned to LPARs 01-0F, Crypto engines 2 and 4 were assigned to LPARs
10-1F and the remaining LPARs had no access to Crypto engines (CPACF is not
affected). In that case LPAR 01 and LPAR 11 may have Domain Id 2 assigned, but
on separate Crypto engines.

4. It is impossible to have e.g. Domain 12 on Crypto1 and Domain 07 on
Crypto2 at the same time.

5. It is also possible to have the same master keys on different domains (and
even different CPCs) - in that case, CKDS/PKDS can be shared/copied between
those systems.


-- 
Radoslaw Skorupka 
Lodz, Poland 





Re: ICSF crypto domain sharing

2018-09-28 Thread Frank Swarbrick
We unfortunately have opted to not (yet?) purchase a TKE.  While it's "too 
late" for this time, does anyone know if there is a method to "copy" master 
keys from one domain to another?


From: IBM Mainframe Discussion List  on behalf of 
Jousma, David <01a0403c5dc1-dmarc-requ...@listserv.ua.edu>
Sent: Friday, September 28, 2018 9:03 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ICSF crypto domain sharing

Radoslaw.

OK, you made me go look at the IMAGE profiles for my PROD systems. We have 3
PROD systems on a single CPC. My recollection was incorrect, and I should have
looked before I replied. We have 3 domains, one for each prod LPAR assigned
USAGE on each, with 4 crypto engines online. All 3 prod LPARs have Control
access to all 3 domains, which was the source of my misinformation; they are set
that way so that when we do the TKE key ceremony, we can load the PROD master keys
for all PROD domains in one operation.

My apologies for spreading FAKE NEWS.   :)

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of R.S.
Sent: Friday, September 28, 2018 10:43 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ICSF crypto domain sharing


On 2018-09-28 at 12:54, Jousma, David wrote:
> Yes, they can be shared.   Our PROD lpars are all on the same domain.

IMHO no, domains cannot be shared.
Maybe your prod LPARs reside on different CPC each?

Some remarks:
1. A single LPAR can have more than one domain, but z/OS ICSF can use only one at
a time. However, you can change the domain number in PARMLIB and recycle ICSF.

2. A domain number cannot be assigned to more than one active LPAR.
Deactivated LPARs could share a domain id.

3. In the old days it was possible to have e.g. 40 LPARs and the number of domains
was 16. In that case more crypto engines were needed, for example Crypto 1 and
3 were assigned to LPARs 01-0F, Crypto engines 2 and 4 were assigned to LPARs
10-1F and the remaining LPARs had no access to Crypto engines (CPACF is not
affected). In that case LPAR 01 and LPAR 11 may have Domain Id 2 assigned, but
on separate Crypto engines.

4. It is impossible to have e.g. Domain 12 on Crypto1 and Domain 07 on
Crypto2 at the same time.

5. It is also possible to have the same master keys on different domains (and
even different CPCs) - in that case, CKDS/PKDS can be shared/copied between
those systems.


--
Radoslaw Skorupka
Lodz, Poland





--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


This e-mail transmission contains information that is confidential and may be 
privileged.   It is intended only for the addressee(s) named above. If you 
receive this e-mail in error, please do not read, copy or disseminate it in any 
manner. If you are not the intended recipient, any disclosure, copying, 
distribution or use of the contents of this information is prohibited. Please 
reply to the message immediately by informing the sender that the me

Re: ICSF crypto domain sharing

2018-09-28 Thread Frank Swarbrick
Let me explain a bit more what I was trying to ask.  We have 3 LPARs 
(production, dev/test, sandbox) on the same CPC.  Sandbox up to this point did 
not have master keys loaded.  We quickly needed to load some, so I recommended 
we use the same keys as dev/test.  I had hoped that we could have Sandbox use 
the same crypto domain as dev/test; thus the question.  I ended up just loading 
the same keys, rather than attempting to "share" the same domain.  But I still 
wondered if the latter could be done.  It sounds like you are saying no.


From: IBM Mainframe Discussion List  on behalf of 
R.S. 
Sent: Friday, September 28, 2018 8:43 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ICSF crypto domain sharing

On 2018-09-28 at 12:54, Jousma, David wrote:
> Yes, they can be shared.   Our PROD lpars are all on the same domain.

IMHO no, domains cannot be shared.
Maybe your prod LPARs reside on different CPC each?

Some remarks:
1. A single LPAR can have more than one domain, but z/OS ICSF can use only
one at a time. However, you can change the domain number in PARMLIB and
recycle ICSF.

2. A domain number cannot be assigned to more than one active LPAR.
Deactivated LPARs could share a domain id.

3. In the old days it was possible to have e.g. 40 LPARs and the number of
domains was 16. In that case more crypto engines were needed, for
example Crypto 1 and 3 were assigned to LPARs 01-0F, Crypto engines 2
and 4 were assigned to LPARs 10-1F and the remaining LPARs had no access to
Crypto engines (CPACF is not affected). In that case LPAR 01 and LPAR 11
may have Domain Id 2 assigned, but on separate Crypto engines.

4. It is impossible to have e.g. Domain 12 on Crypto1 and Domain 07 on
Crypto2 at the same time.

5. It is also possible to have the same master keys on different domains
(and even different CPCs) - in that case, CKDS/PKDS can be shared/copied
between those systems.


--
Radoslaw Skorupka
Lodz, Poland






Re: ICSF crypto domain sharing

2018-09-28 Thread R.S.

On 2018-09-28 at 17:03, Jousma, David wrote:

Radoslaw.

OK, you made me go look at the IMAGE profiles for my PROD systems. We have 3
PROD systems on a single CPC. My recollection was incorrect, and I should have
looked before I replied. We have 3 domains, one for each prod LPAR assigned
USAGE on each, with 4 crypto engines online. All 3 prod LPARs have Control
access to all 3 domains, which was the source of my misinformation; they are set
that way so that when we do the TKE key ceremony, we can load the PROD master keys
for all PROD domains in one operation.

My apologies for spreading FAKE NEWS.   :)


...and I forgot to mention there is domain usage and domain control in the
LPAR profile.
Domain usage means ICSF can use these domains, simple. There is no
sharing of a domain id in that sense (usage).
Domain control means a TKE connected to that LPAR can control (i.e. change
master keys on) those domains. Many LPARs can have control over domains;
overlapping is allowed.


BTW: We also have fake news. However we have politicians for that 
purpose ;-)


--
Radoslaw Skorupka
Lodz, Poland






Re: ICSF crypto domain sharing

2018-09-28 Thread Jousma, David
Radoslaw.

OK, you made me go look at the IMAGE profiles for my PROD systems. We have 3
PROD systems on a single CPC. My recollection was incorrect, and I should have
looked before I replied. We have 3 domains, one for each prod LPAR assigned
USAGE on each, with 4 crypto engines online. All 3 prod LPARs have Control
access to all 3 domains, which was the source of my misinformation; they are set
that way so that when we do the TKE key ceremony, we can load the PROD master keys
for all PROD domains in one operation.

My apologies for spreading FAKE NEWS.   :)

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of R.S.
Sent: Friday, September 28, 2018 10:43 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ICSF crypto domain sharing


On 2018-09-28 at 12:54, Jousma, David wrote:
> Yes, they can be shared.   Our PROD lpars are all on the same domain.

IMHO no, domains cannot be shared.
Maybe your prod LPARs reside on different CPC each?

Some remarks:
1. A single LPAR can have more than one domain, but z/OS ICSF can use only one at
a time. However, you can change the domain number in PARMLIB and recycle ICSF.

2. A domain number cannot be assigned to more than one active LPAR.
Deactivated LPARs could share a domain id.

3. In the old days it was possible to have e.g. 40 LPARs and the number of domains
was 16. In that case more crypto engines were needed, for example Crypto 1 and
3 were assigned to LPARs 01-0F, Crypto engines 2 and 4 were assigned to LPARs
10-1F and the remaining LPARs had no access to Crypto engines (CPACF is not
affected). In that case LPAR 01 and LPAR 11 may have Domain Id 2 assigned, but
on separate Crypto engines.

4. It is impossible to have e.g. Domain 12 on Crypto1 and Domain 07 on
Crypto2 at the same time.

5. It is also possible to have the same master keys on different domains (and
even different CPCs) - in that case, CKDS/PKDS can be shared/copied between
those systems.


--
Radoslaw Skorupka
Lodz, Poland






Re: ICSF crypto domain sharing

2018-09-28 Thread R.S.

On 2018-09-28 at 12:54, Jousma, David wrote:

Yes, they can be shared.   Our PROD lpars are all on the same domain.


IMHO no, domains cannot be shared.
Maybe your prod LPARs reside on different CPC each?

Some remarks:
1. A single LPAR can have more than one domain, but z/OS ICSF can use only
one at a time. However, you can change the domain number in PARMLIB and
recycle ICSF.

2. A domain number cannot be assigned to more than one active LPAR.
Deactivated LPARs could share a domain id.

3. In the old days it was possible to have e.g. 40 LPARs and the number of
domains was 16. In that case more crypto engines were needed, for
example Crypto 1 and 3 were assigned to LPARs 01-0F, Crypto engines 2
and 4 were assigned to LPARs 10-1F and the remaining LPARs had no access to
Crypto engines (CPACF is not affected). In that case LPAR 01 and LPAR 11
may have Domain Id 2 assigned, but on separate Crypto engines.

4. It is impossible to have e.g. Domain 12 on Crypto1 and Domain 07 on
Crypto2 at the same time.

5. It is also possible to have the same master keys on different domains
(and even different CPCs) - in that case, CKDS/PKDS can be shared/copied
between those systems.



--
Radoslaw Skorupka
Lodz, Poland
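
The domain rules from the remarks above, together with the usage/control distinction from the follow-up reply, as an added example that is not part of the original thread: a Python check over a hypothetical model of the crypto settings in LPAR image profiles. The `Lpar` fields, the tier labels and the `mk_id` master-key identifier are assumptions made for illustration, and both layouts are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Lpar:
    """Hypothetical model of the crypto settings in one LPAR image profile."""
    name: str
    tier: str                    # "prod" / "nonprod": site label (assumed)
    active: bool
    engines: frozenset           # crypto engines online to the LPAR
    usage: frozenset             # usage domains: ICSF may work in these
    control: frozenset           # control domains: a TKE may manage these
    icsf_domain: Optional[int]   # the one domain ICSF is started with
    mk_id: Optional[str] = None  # site-recorded master-key identifier (assumed)


def usage_conflicts(lpars):
    """Same usage domain on the same engine for more than one ACTIVE LPAR."""
    owners = defaultdict(set)
    for lp in lpars:
        if not lp.active:        # deactivated LPARs may reuse a domain id
            continue
        # Engines x domains: a profile cannot pair one domain with engine 1
        # only and another domain with engine 2 only (remark 4).
        for engine in lp.engines:
            for domain in lp.usage:
                owners[(engine, domain)].add(lp.name)
    return sorted((e, d, tuple(sorted(names)))
                  for (e, d), names in owners.items() if len(names) > 1)


def icsf_domain_errors(lpars):
    """ICSF uses one domain at a time; it has to be one of the usage domains."""
    return sorted(lp.name for lp in lpars
                  if lp.active and lp.icsf_domain is not None
                  and lp.icsf_domain not in lp.usage)


def key_store_groups(lpars):
    """LPARs holding the same master keys: CKDS/PKDS can be shared or copied."""
    groups = defaultdict(list)
    for lp in lpars:
        if lp.mk_id is not None:
            groups[lp.mk_id].append(lp)
    return {mk: members for mk, members in groups.items() if len(members) > 1}


def cross_tier_key_sharing(lpars):
    """Master keys common to prod and non-prod: possible, but a policy call."""
    return sorted(tuple(sorted(lp.name for lp in members))
                  for members in key_store_groups(lpars).values()
                  if len({lp.tier for lp in members}) > 1)


def cross_tier_control(lpars):
    """Control may overlap; list where it reaches another tier's usage domain."""
    found = set()
    for ctl in lpars:
        for own in lpars:
            if ctl.tier == own.tier or not (ctl.engines & own.engines):
                continue
            for domain in ctl.control & own.usage:
                found.add((ctl.name, domain, own.name))
    return sorted(found)


def fs(*items):
    return frozenset(items)


# Constructed: the thread's case, three LPARs on one CPC, dev and sandbox on
# different domains but loaded with the same master keys.
THREAD_LAYOUT = [
    Lpar("PROD", "prod", True, fs(1, 2), fs(0), fs(0), 0, "MK-A"),
    Lpar("DEV", "nonprod", True, fs(1, 2), fs(1), fs(1, 2), 1, "MK-B"),
    Lpar("SBOX", "nonprod", True, fs(1, 2), fs(2), fs(1, 2), 2, "MK-B"),
]

# Constructed: a layout with mistakes for the checks to find.
BAD_LAYOUT = [
    Lpar("DEV", "nonprod", True, fs(1, 2), fs(1), fs(0, 1), 1, "MK-B"),
    Lpar("SBOX", "nonprod", True, fs(1, 2), fs(1), fs(1), 1, "MK-B"),
    Lpar("OLD", "nonprod", False, fs(1, 2), fs(1), fs(1), 1),
    Lpar("PROD", "prod", True, fs(1, 2), fs(0), fs(0), 7, "MK-B"),
    Lpar("LP11", "nonprod", True, fs(3), fs(1), fs(1), 1, "MK-C"),
]

if __name__ == "__main__":
    for label, layout in (("thread", THREAD_LAYOUT), ("bad", BAD_LAYOUT)):
        print(label, "usage conflicts:", usage_conflicts(layout))
        print(label, "ICSF domain errors:", icsf_domain_errors(layout))
        print(label, "shared key stores:",
              {mk: [lp.name for lp in m]
               for mk, m in key_store_groups(layout).items()})
        print(label, "cross-tier keys:", cross_tier_key_sharing(layout))
        print(label, "cross-tier control:", cross_tier_control(layout))
```

In the constructed bad layout, DEV and SBOX collide on domain 1 of engines 1 and 2, while LP11 holds the same domain id on engine 3 without conflict and the deactivated OLD is ignored.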






Re: ICSF crypto domain sharing

2018-09-28 Thread Jousma, David
Yes, they can be shared.   Our PROD lpars are all on the same domain.

-----Original Message-----
From: IBM Mainframe Discussion List  On Behalf Of 
Frank Swarbrick
Sent: Thursday, September 27, 2018 5:38 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: ICSF crypto domain sharing


Can two different LPARs share the same domain (and obviously the same keys), or 
do the keys have to be loaded for each LPAR separately, even when they are the 
same?



Re: ICSF crypto domain sharing

2018-09-27 Thread Mark Jacobs - Listserv
Looks like it;


  * Greater than 16 Domain support
      - Support to allow a cryptographic coprocessor to be shared across
        more than 16 domains, up to the maximum number of LPARs on the
        system.
      - This support relies on enhanced firmware available with a minimum
        microcode level for the Crypto Express4S and Crypto Express5S
        coprocessors. With the adjunct processor (AP) extended addressing
        (APXA) facility installed, the z Systems crypto architecture can
        support greater than 16 domains in an AP.
      - Customers will have the flexibility of mapping individual LPARs to
        unique crypto domains or continuing to share crypto domains across
        LPARs.

Mark Jacobs

Frank Swarbrick wrote on 9/27/18 5:37 PM:

> Can two different LPARs share the same domain (and obviously the same keys), or
> do the keys have to be loaded for each LPAR separately, even when they are the
> same?



ICSF crypto domain sharing

2018-09-27 Thread Frank Swarbrick
Can two different LPARs share the same domain (and obviously the same keys), or 
do the keys have to be loaded for each LPAR separately, even when they are the 
same?
