(C) Copyright IBM Corporation, 2005-2010, All Rights Reserved. =========================================================== README Description ========= --------------------- Package: IBM CEX3C Host Libraries and Tools Name: csulcca-version-arch.rpm Target* Arch: 64 Bit s390x *Please note that architectures/OS versions mentioned here represent a test and support statement: they were tested and are supported. Others (such as 31 bit) are not supported by this package. =========================================================== README Changelog ========= --------------------- 04/04/2006 Version 1.0 Updates for new pieces, release 02/14/2007 Version 1.1 Update some small details 03/21/2007 Version 1.2 Update more small details 01/27/2010 Version 1.3 Update for new release =========================================================== Release Documentation ========= -------------------------- Please refer to the reference manual for this release, available from IBM directly or by following this link: http://www-03.ibm.com/security/cryptocards/ At that link (1) click on the appropriate crypto card in the box at left (such as "PCI-X Cryptographic Coprocessor" or "PCI-E Cryptographic Coprocessor") (2) then select the "Library" sub-tab. The main window will update with a list of documents organized under headings. (3) In the main window refer to the heading "IBM CEX3C Common Cryptographic Architecture Support Program". (4) In the list following this heading will appear a description of a document intended for "Linux for System z(tm)" This is the correct document. ==================================================================== README ** FIXING csulcca rpm install ** ========= ** after over-install of xcryptolinzGA rpm ** ========= ==================================== If you have installed the csulcca rpm and then at some point installed the xcryptolinzGA rpm on top of it, you have disabled part of the configuration csulcca tools need to run. Take these steps (as root), and then reboot the system instance to make sure all user profiles are updated.: (1) run this command: /opt/IBM/CEX3C/bin/profile.perl delete --this will remove the environment variables added to /etc/profile by the xcryptolinzGA rpm. If you need those variables set in a particular application space, set them in startup scripts for the application that needs them. Because these variables are positioned at the end of /etc/profile they disable the csulcca rpm configuration. (2) delete startup file links with these commands: rm -f /etc/init.d/rc2.d/S16TKEcat rm -f /etc/init.d/rc3.d/S16TKEcat rm -f /etc/init.d/rc5.d/S16TKEcat these startup files cause the wrong TKE catcher daemon to be loaded, which cannot communicated with CEX3C adapters. The new TKE catcher daemon can deal with CEX2C and CEX3C adapters, so it is preferred for all systems with co-install of the xcryptolinzGA rpm and the new rpm. ==================================================================== README Useful tools ========= ==================================== Installed with the rpm are 2 useful tools that can help you inspect your configuration. They are (IVP) /opt/IBM/CEX3C/bin/ivp.e (PCLI) /opt/IBM/CEX3C/bin/panel.exe =========================================================== README I0. Install Verification Program (IVP) ========= --------------------- Running the IVP gives a quick verification that the rpm install proceeded as expected. For most real errors the rpm itself will tell you if the install failed. However, if there is no Crypto Card installed, if the card(s) installed is/are not configured, or if the device driver needed to access the cards is not loaded, the rpm install will still succeed with no report on the matter. The IVP provides a simple test that queries all available adapters card, and will warn if no adapters are available.. =========================================================== README I1. Panel CLI (PCLI) ========= --------------------- ------------------------ --What is PCLI?-- ------------------------ PCLI replaces some of the function available in zOS TSO panels for local administration of the active cards. It is intended for Linux-only systems where a Trusted Key Entry (TKE) workstation solution is not available. The TKE allows completely secure remote administration of many cards. It also allows control of profiles and access points. **NOTE** The access restrictions enforced within the Master Key manipulation host library mean that your user must be either 'root' or a member of the 'cca_admin' group (this group is added by rpm install) in order to use 'panel.exe' tool. This is a security measure due to the access to the Master Key verbs. **HELPFUL COMMANDS** A full description of PCLI is left to the document noted above. A few useful commands however are: To Query usage of the tool: /opt/IBM/CEX3C/bin/panel.exe -? To get a shorthand status list of all available adapters: /opt/IBM/CEX3C/bin/panel.exe -x =========================================================== =========================================================== =========================================================== =========================================================== =========================================================== (C) Copyright IBM Corporation, 2010, All Rights Reserved.