Abstract: Stateful network connections between a first virtual machine and at least a second virtual machine are preserved during a suspend and resume cycle. The virtual machines are interconnected by a network. A control instance is provided to manage a routing of network traffic of the virtual machines to the network. In case of a suspend operation, the control instance tracks network addresses of each virtual machine, whereas in case of a resume operation, the control instance sets up a router for each virtual machine and requests new network addresses for each router. The control instance configures a network address translation on the router assigned to each virtual machine to map the new network addresses to the network addresses used before suspending the virtual machines.

Abstract: A method for managing resources in a server environment includes querying a first resource consumer for a list, wherein the list includes at least a first virtual resource and a first host resource. The method queries a host resource pool to determine if the first host resource is present. Responsive to determining the first host resource is present in the host resource pool, the method allocates the first host resource to the first resource consumer. The method sends a request to activate the first virtual resource and the first host resource to a virtual resource provider and a host resource provider, wherein the request to activate the first virtual resource and the first host resource is performed on a single thread. The method determines to prepare one or more virtual resources for activation of one or more allocated host resources.

Abstract: Generating a pool of random numbers for use by computer applications. Vibration sensors are placed throughout a machine and collects information theoretic entropy data from the measurement of the vibration sensors. The data is then filtered and added to an entropy pool. Applications needing a random number may acquire a number from the pool. A method, computer program product and system to generate the pool are provided.

Abstract: A method is provided for suspending and resuming virtual machines in a network in dependence of network activity. The method includes providing a virtual machine manager. The virtual machine manager monitors network traffic of the virtual machines on a network bridge in a network layer using data packet analysis to detect dedicated network protocol traffic. More particularly, the monitoring of network traffic of the virtual machines may include: logging network addresses of the virtual machines of the network; combining logged network addresses with information about suspending or resuming virtual machines based on filtering rules being provided for such combination; and sending information about the network addresses of active and suspended virtual machines for virtual network adapters assigned to the virtual machines to the virtual machine manager.

Abstract: Approving a group purchase request for a group of articles. A sub-group of articles is selected, wherein a unique article approval index is assigned to each of the articles and a highest article approval index is determined among the unique article approval indexes of the articles of the group, wherein the article of the group is selected into the sub-group if the article of the group complies with at least one of following article selection criteria: the unique article approval index of the article of the group is above a predetermined approval index threshold and the unique approval index of the article of the group is equal to the highest article approval index; approving the group purchase request for the group if the group purchase request for the sub-group is approved; and rejecting the group purchase request for the group if the group purchase request for the sub-group is rejected.

Abstract: Trusted firmware on a host server is used for managing access to a hardware security module (HSM) connected to the host server. The HSM stores confidential information associated with an operating system. As part of access management, the firmware detects a boot device identifier associated with a boot device configured to boot the operating system on the host server. The firmware then receives a second boot device identifier from the HSM. The boot device identifier and the second boot device identifier are then compared by the firmware. Based on the comparison, the firmware determines that the boot device identifier matches with the second boot device identifier. Based on this determination, the firmware grants the operating system access to the HSM.

Abstract: Protecting contents of storage in a computer system from unauthorized access. The computer system includes one or more processing units sharing the storage. Each of the processing units has at least one processor cache. Each processing unit respectively encrypts or decrypts, with a protected section key, data transferred between its processor cache and the storage, when data relates to the protected section used by the hypervisor; and each processing unit respectively encrypts or decrypts, with a virtual machine key, data transferred between its processor cache and the storage, when data relates to storage areas used by a virtual machine.

Abstract: Protecting contents of storage in a computer system from unauthorized access. The computer system includes one or more processing units sharing the storage. Each of the processing units has at least one processor cache. Each processing unit respectively encrypts or decrypts, with a protected section key, data transferred between its processor cache and the storage, when data relates to the protected section used by the hypervisor; and each processing unit respectively encrypts or decrypts, with a virtual machine key, data transferred between its processor cache and the storage, when data relates to storage areas used by a virtual machine.

Abstract: Protecting contents of storage in a computer system from unauthorized access. The computer system comprises one or more processing units sharing the storage, the processing units each having at least one processor cache. Each processing unit respectively encrypts or decrypts, with a protected section key in the chip cache, data transferred between its processor cache and the protected section, and each processing unit respectively encrypts or decrypts, with a segment key, data transferred between the chip cache and the storage, when data relates to a specific segment of the storage.

Abstract: At least one hardware security module out of a plurality of hardware security modules is assigned to a guest system. The at least one hardware security module out of the plurality of hardware security modules is configured with a master key. A data pattern is used for a challenge protocol adapted to prove that the at least one hardware security module out of the plurality of hardware security modules is configured with the master key. The at least one hardware security module including the master key is assigned to the guest system based on a positive outcome of the challenge protocol.

Abstract: At least one hardware security module out of a plurality of hardware security modules is assigned to a guest system. The at least one hardware security module out of the plurality of hardware security modules is configured with a master key. A data pattern is used for a challenge protocol adapted to prove that the at least one hardware security module out of the plurality of hardware security modules is configured with the master key. The at least one hardware security module including the master key is assigned to the guest system based on a positive outcome of the challenge protocol.

Abstract: Securely removing system capabilities, being available to at least one logical partition, from that partition, the partition being hosted by a computer system running an operating system. The system capabilities are available to a boot loader of the computer system, wherein the boot loader is started in the logical partition. The logical partition remains activated while removing the system capabilities. A removal request is initiated by the boot loader; and a deconfigure command is performed by the boot loader.

Abstract: Protecting contents of storage in a computer system from unauthorized access. The computer system comprises one or more processing units sharing the storage, the processing units each having at least one processor cache. Each processing unit respectively encrypts or decrypts, with a protected section key in the chip cache, data transferred between its processor cache and the protected section, and each processing unit respectively encrypts or decrypts, with a segment key, data transferred between the chip cache and the storage, when data relates to a specific segment of the storage.

Abstract: A computer-implemented method, carried out by one or more processors, for managing resources in a server environment. The method includes determining, by one or more processors, to shut down a first resource consumer, wherein the first resource consumer is assigned a first virtual resource with a first set of one or more host resources. It is determined, by one or more processors, whether a second virtual resource assigned to a second resource consumer requires the first set of one or more host resources. If the second virtual resource assigned to the second resource consumer does not require the first set of one or more host resources, it is determined, by one or more processors, not to deactivate the one or more host resources assigned to the first virtual resource.

Abstract: Embodiments of the present invention disclose a method, computer program product, and system for applying a plurality of program patch sets on a plurality of computer programs. Virtual machines are prepared to be patchable, in response to a suspended computer program. Synchronized snapshots of the virtual machines are created. A plurality of binary code sections of each of the synchronized snapshots are determined. Symbol data information of each of the synchronized snapshots are analyzed, based on the program patch sets. The determined binary code sections are replaced with a set of patch data, based on the plurality of program patch sets, resulting in patched snapshots for each of the synchronized snapshots. Dependencies of the patch data are adjusted, based on the replaced plurality of binary code sections and the execution of the computer program on each of the virtual machines are resumed using the plurality of patched snapshots.

Abstract: Embodiments of the present invention disclose a method, computer program product, and system for applying a plurality of program patch sets on a plurality of computer programs. Virtual machines are prepared to be patchable, in response to a suspended computer program. Synchronized snapshots of the virtual machines are created. A plurality of binary code sections of each of the synchronized snapshots are determined. Symbol data information of each of the synchronized snapshots are analyzed, based on the program patch sets. The determined binary code sections are replaced with a set of patch data, based on the plurality of program patch sets, resulting in patched snapshots for each of the synchronized snapshots. Dependencies of the patch data are adjusted, based on the replaced plurality of binary code sections and the execution of the computer program on each of the virtual machines are resumed using the plurality of patched snapshots.

Abstract: A computer-implemented method, carried out by one or more processors, for managing resources in a server environment. The method includes determining, by one or more processors, to shut down a first resource consumer, wherein the first resource consumer is assigned a first virtual resource with a first set of one or more host resources. It is determined, by one or more processors, whether a second virtual resource assigned to a second resource consumer requires the first set of one or more host resources. If the second virtual resource assigned to the second resource consumer does not require the first set of one or more host resources, it is determined, by one or more processors, not to deactivate the one or more host resources assigned to the first virtual resource.

Abstract: A method of securely deleting data from a data storage device is described. The method includes the steps of receiving a secure delete command to securely delete a file. A data block of the file to securely delete is identified. A pointer to the data block is stored in a deletion buffer. It is then determined whether the secure delete command has a highest priority over other data storage device commands. In response to the secure delete command having the highest priority, the secure delete command to the data block is performed.

Abstract: A method includes generating a set of virtual-machine-specific (VMS) encryption keys for a dedicated virtual machine, storing the set of VMS encryption keys in a protected memory, storing a first look-up table in the protected memory, and replacing an encryption key stored in a crypto unit with at least one VMS encryption key of the set of VMS encryption keys in an operation mode where the dedicated virtual machine is executed by a processor. The protected memory is selectively excluded from access by operating systems executable on a computer system. The look-up table being accessible only by firmware of the computer system.

Abstract: A method includes generating a set of virtual-machine-specific (VMS) encryption keys for a dedicated virtual machine, storing the set of VMS encryption keys in a protected memory, storing a first look-up table in the protected memory, and replacing an encryption key stored in a crypto unit with at least one VMS encryption key of the set of VMS encryption keys in an operation mode where the dedicated virtual machine is executed by a processor. The protected memory is selectively excluded from access by operating systems executable on a computer system. The look-up table being accessible only by firmware of the computer system.