Abstract: A key management service creates a key upon user request. The key management service receives a request for a first cryptographic operation. The key management service performs the first cryptographic operation. The key management service returns results of the first cryptographic operation to a dependent service. The key management service receives a notification of key rotation. The key management service receives a request for a second cryptographic operation. The key management service performs the second cryptographic operation. The key management service returns results of the second cryptographic operation to the dependent service. The key management service returns updated key metadata to the dependent service.

Abstract: A method includes: federating, by a computer device, a proxy hardware security module from a physical hardware security module; storing, by the computer device, the proxy hardware security module; receiving, by the computer device, a first one of a plurality of periodic identifying communications from the physical hardware security module; and erasing, by the computer device, the proxy hardware security module as a result of the computer device not receiving a second one of the plurality of periodic identifying communications.

Abstract: A computer program product, the computer program product including a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computer device to cause the computer device to: federate a proxy hardware security module from a physical hardware security module; store the proxy hardware security module; receive a first one of a plurality of periodic identifying communications from the physical hardware security module; and erase the proxy hardware security module as a result of the computer device not receiving a second one of the plurality of periodic identifying communications.

Abstract: A method includes: federating, by a computer device, a proxy hardware security module from a physical hardware security module; storing, by the computer device, the proxy hardware security module; receiving, by the computer device, a first one of a plurality of periodic identifying communications from the physical hardware security module; and erasing, by the computer device, the proxy hardware security module as a result of the computer device not receiving a second one of the plurality of periodic identifying communications.

Abstract: A key management service creates a key upon user request. The key management service receives a request for a first cryptographic operation. The key management service performs the first cryptographic operation. The key management service returns results of the first cryptographic operation to a dependent service. The key management service receives a notification of key rotation. The key management service receives a request for a second cryptographic operation. The key management service performs the second cryptographic operation. The key management service returns results of the second cryptographic operation to the dependent service. The key management service returns updated key metadata to the dependent service.

Abstract: A computing device includes an interface configured to interface and communicate with a communication system, a memory that stores operational instructions, and processing circuitry operably coupled to the interface and to the memory that is configured to execute the operational instructions to perform various operations. The computing device generates a sub-key identifier based on a data ID, which is based on unique ID value(s) associated with an encrypted data object, and a requester secret. The computing device processes the sub-key identifier in accordance with an Oblivious Pseudorandom Function (OPRF) blinding operation to generate a blinded input and an Oblivious Key Access Request (OKAR). The computing device transmits the OKAR to another computing device (e.g., Key Management System (KMS) service) and receives a blinded sub-key therefrom. The computing device processes the blinded sub-key in accordance with an OPRF unblinding operation to generate the key and accesses secure data thereby.

Abstract: A computer program product, the computer program product including a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computer device to cause the computer device to: federate a proxy hardware security module from a physical hardware security module; store the proxy hardware security module; receive a first one of a plurality of periodic identifying communications from the physical hardware security module; and erase the proxy hardware security module as a result of the computer device not receiving a second one of the plurality of periodic identifying communications.

Abstract: A method includes: federating, by a computer device, a proxy hardware security module from a physical hardware security module; storing, by the computer device, the proxy hardware security module; receiving, by the computer device, a first one of a plurality of periodic identifying communications from the physical hardware security module; and erasing, by the computer device, the proxy hardware security module as a result of the computer device not receiving a second one of the plurality of periodic identifying communications.

Abstract: A computing device includes an interface configured to interface and communicate with a communication system, a memory that stores operational instructions, and processing circuitry operably coupled to the interface and to the memory that is configured to execute the operational instructions to perform various operations. The computing device generates a sub-key identifier based on a data ID, which is based on unique ID value(s) associated with an encrypted data object, and a requester secret. The computing device processes the sub-key identifier in accordance with an Oblivious Pseudorandom Function (OPRF) blinding operation to generate a blinded input and an Oblivious Key Access Request (OKAR). The computing device transmits the OKAR to another computing device (e.g., Key Management System (KMS) service) and receives a blinded sub-key therefrom. The computing device processes the blinded sub-key in accordance with an OPRF unblinding operation to generate the key and accesses secure data thereby.

Abstract: Disclosed is a computer implemented method, data processing system, and apparatus to respond to detection of a hardware interface error on a system bus, for example, during a concurrent maintenance operation. The service processor may receive an error on the system bus. The error identifies at least one field replaceable unit and may inhibit the suppression of clock signal to the field replaceable unit. The service processor adds an identifier of the field replaceable unit to an eligible Field Replaceable Unit (FRU) list. The service processor recursively adds at least one field replaceable unit that the field replaceable unit depends upon. The service processor suppresses the clock signal to the field replaceable unit. The service processor inhibits tagging the field replaceable unit as unusable for next initial program load.

Abstract: During an initial generation/assignment of location codes for field replaceable units (FRUs) that are and/or may be attached to the computer system, the service processor provides an alias location code for each FRU not currently attached. When the service processor later detects a concurrent install of the FRU, the service processor's firmware generates the correct location code from data retrieved from the FRU, and replaces the alias location code stored within the service processor's internal data structures with the correct location code. The firmware also forwards the correct location code back to a serviceability application, and the application utilizes the new location code in all remaining concurrent install commands to maintain a single, consistent view of the system.

Abstract: Disclosed is a computer implemented method, data processing system, and apparatus to respond to detection of a hardware interface error on a system bus, for example, during a concurrent maintenance operation. The service processor may receive an error on the system bus. The error identifies at least one field replaceable unit and may inhibit the suppression of clock signal to the field replaceable unit. The service processor adds an identifier of the field replaceable unit to an eligible Field Replaceable Unit (FRU) list. The service processor recursively adds at least one field replaceable unit that the field replaceable unit depends upon. The service processor suppresses the clock signal to the field replaceable unit. The service processor inhibits tagging the field replaceable unit as unusable for next initial program load.

Abstract: During an initial generation/assignment of location codes for field replaceable units (FRUs) that are and/or may be attached to the computer system, the service processor provides an alias location code for each FRU not currently attached. When the service processor later detects a concurrent install of the FRU, the service processor's firmware generates the correct location code from data retrieved from the FRU, and replaces the alias location code stored within the service processor's internal data structures with the correct location code. The firmware also forwards the correct location code back to a serviceability application, and the application utilizes the new location code in all remaining concurrent install commands to maintain a single, consistent view of the system.

Abstract: A method of preventing failed field replaceable units (FRUs) directly connected to an interprocessor bus or fabric from interfering with the operation of a computer system during concurrent maintenance operations. When a FRU fails a concurrent maintenance operation, the service processor stores identification information corresponding to the failed FRU in an alert fail registry or a hot add fail registry and reports the failure status to a user. When a user attempts to perform a new concurrent maintenance operation on a FRU, the service processor compares that FRU to the alert fail registry or the hot add fail registry. If a concurrent maintenance operation on the requested FRU would cause a system crash due to interference with the failed FRU, the service processor notifies the repair and verify application (which notifies the user) and prevents concurrent maintenance operations from occurring on the new FRU.