IBM Support

BE00014 - OSP-CRYPTO: AES MASTER KEY NOT LOADED WITH CORRECT KEY PARTS

 APAR (Authorized Program Analysis Report)

Abstract

OSP-CRYPTO: AES MASTER KEY NOT LOADED WITH CORRECT KEY PARTS

Error Description

Using the Cryptographic Coprocessor configuration utility to
load a master key, generate a verify value, clear the registry,
reload the key parts, and then verify the key parts against the
saved verify value results in error 0004/0001. This means the
master key verification was not successful because the key
stored in the Cryptographic Coprocessor is not the correct one.
The error verifying the master key occurs because loading master
key parts for AES using the master key management GUI does not
store the fourth 8-byte section of each key part as expected.
This issue does not apply to DES or PKA master keys, or when
using a program that calls API CSNBMKP (Master Key Process) in
library QCCA.

Problem Summary

****************************************************************
* PROBLEM: (BE00014) Licensed Program = 5770SS1 for i 7.1,     *
*                                        i 7.2, and i 7.3      *
*           Unpredictable Corruption                           *
****************************************************************
* USERS AFFECTED: All IBM i operating system Option 35 users   *
****************************************************************
* RECOMMENDATION: Apply PTF SI64478 for i 7.1 and perform the  *
*                 special instructions to re-enter the AES     *
*                 master key parts, then re-encrypt any keys   *
*                 that are encrypted with the prior master key *
*                 Apply PTF SI64296 for i 7.2 and perform the  *
*                 special instructions to re-enter the AES     *
*                 master key parts, then re-encrypt any keys   *
*                 that are encrypted with the prior master key *
*                 Apply PTF SI64477 for i 7.3 and perform the  *
*                 special instructions to re-enter the AES     *
*                 master key parts, then re-encrypt any keys   *
*                 that are encrypted with the prior master key *
****************************************************************
A problem exists storing master key parts into the cryptographic
coprocessor that may require the key parts to be reentered and
existing encrypted keys in keystores to be re-encrypted. The
issue only occurs when the Cryptographic Coprocessor
Configuration GUI is used to manually load AES or APKA master
key parts. This issue does not apply to DES or PKA master keys,
or when master key parts are entered using a program that calls
API CSNBMKP (Master Key Process) in library QCCA.

Problem Conclusion

The Cryptographic Coprocessor Configuration GUI for loading
master key values has been updated to correctly store the key
parts that are typed on the load master key GUI. To ensure all
keys currently encrypted under the incorrect master key are using
the desired master key parts, you must re-encrypt all keys in the
AES keystore with updated AES and APKA master keys.

Temporary Fix

                       *********                                
                       * HIPER *                                
                       *********                                

Comments

Circumvention


PTFs Available

R710 SI64478 PTF Cover Letter   7192
R720 SI64296 PTF Cover Letter   7290
R730 SI64477 PTF Cover Letter   7283

Affected Modules

         
         

Affected Publications

Summary Information

Status: CLOSED PER
HIPER: Yes
Component: 5770SS1CR
Failing Module: RCHMGR
Reported Release: R730
Duplicate Of:





Document information

Software version: V7R1M0, V7R2M0, V7R3M0

Operating system(s): OS/400

Reference #: BE00014

Modified date: 28 October 2017