Abstract: According to one embodiment, a method, computer system, and computer program product for establishing identity-based hierarchical sessions on a hardware security module (HSM) for binding secure keys to a guest system, is disclosed. The present invention may include establishing a communication channel between the guest system and the HSM, wherein the communication channel is identity-based, end-to-end and encrypted, thereby establishing a session, transferring login information of the guest system through the communication channel to the HSM, maintaining a predefined security level throughout a hierarchy of the sessions, wherein no child session has a higher security level than its parent session, and performing a challenge-response protocol based on a session ownership verification with the guest, such that an HSM generated and secured key is bound to a related session.

Abstract: A method for a policy-based association of a hardware security module to a secure guest is disclosed. The method comprises maintaining a binding between a secure guest and an HSM. Thereby, the binding enables the trusted guest to send only non-sensitive request to the HSM. The method comprises further maintaining, for a secure guest, a pair of a secret and a secret name, submitting a query to the bound HSM for obtaining HSM configuration data, and upon determining that the obtained HSM configuration data match a rule available to the secure guest, wherein the rule associates the HSM to a secret name, requesting to associate the secret from the pair of secret and the secret name to the bound HSM, thereby triggering that the trusted firmware allows the secure guest to submit a sensitive crypto-request to the bound and associated HSM.

Abstract: A message limit value to be used in enqueuing one or more messages on a queue of a device of the computing environment is obtained. The message limit value indicates whether an extended maximum message length is supported by the device. The extended maximum message length is different from a default maximum message length supported by the device. Based on determining that the extended maximum message length is supported and that the obtained message limit value has a defined relationship with a select value, at least one message of an extended length is enqueued on the queue of the device.

Abstract: A message limit value to be used in enqueuing one or more messages on a queue of a device of the computing environment is obtained. The message limit value indicates whether an extended maximum message length is supported by the device. The extended maximum message length is different from a default maximum message length supported by the device. Based on determining that the extended maximum message length is supported and that the obtained message limit value has a defined relationship with a select value, at least one message of an extended length is enqueued on the queue of the device.

Abstract: Generating unique data encryption keys for a data set, by allocating a data set associated with a security policy, where the security policy specifies a key encryption key (KEK) label, retrieving the KEK label from the security policy, storing the KEK label as metadata of the data set, opening the data set for a first time write, generating a data encryption key (DEK), retrieving a KEK from a key store according to the KEK label, encrypting the DEK using the KEK, storing the encrypted DEK as metadata of the data set, and encrypting the data set using the DEK.

Abstract: Generating unique data encryption keys for a data set, by allocating a data set associated with a security policy, where the security policy specifies a key encryption key (KEK) label, retrieving the KEK label from the security policy, storing the KEK label as metadata of the data set, opening the data set for a first time write, generating a data encryption key (DEK), retrieving a KEK from a key store according to the KEK label, encrypting the DEK using the KEK, storing the encrypted DEK as metadata of the data set, and encrypting the data set using the DEK.