IBM Support

SI49495 - CCA master key imported incorrectly via basic config wizard

PTF Cover Letter


PTF ( Program Temporary Fixes ) Cover letter


Order this fix

Abstract

CCA master key imported incorrectly via basic config wizard


Pre/Co-Requisite PTF / Fix List

REQ  LICENSED      PTF/FIX  LEVEL

TYPE PROGRAM  REL  NUMBER   MIN/MAX  OPTION
---- -------- ---  -------  -------  ------
PRE  5770999  710  MF99001   00/00    0000
DIST 5733CY3  710  SI46757   NONE     0000



NOTICE:
-------
Application of this PTF may disable or render ineffective programs that
use system memory addresses not generated by the IBM translator,
including programs that circumvent control technology designed to limit
interactive capacity to purchased levels.  This PTF may be a prerequisite
for future PTFs.  By applying this PTF you authorize and agree to the
foregoing.

This PTF is subject to the terms of the license agreement which
accompanied, or was contained in, the Program for which you are obtaining
the PTF.  You are not authorized to install or use the PTF except as part
of a Program for which you have a valid Proof of Entitlement.

SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY
AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT
AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT,
REGARDING THE PTF.

The applicable license agreement may have been provided to you in printed
form and/or may be viewed using the Work with Software Agreements (WRKSFWAGR)
CL command.


APAR Error Description / Circumvention

-------------------------------------------------
After using the Basic Configuration Wizard to configure a crypto
card using a keystore created on a previous release, several CCA
APIs fail with return code 8 and reason code 48.  The indicates
that the keys in keystore were not encrypted under the current
master key.  If the same master key is entered through the
master key function in the Manage Configuration portion of the
Crypto Config Utility, the CCA APIs no longer report errors.

CORRECTION FOR APAR 'SE54954' :
-------------------------------
There was an error in the Basic Configuration Wizard such that
only the first 8 bytes of the third master key part were being
used correctly.  The last 16 bytes were copied from the last 16
bytes of the second master key part.  The problem does not apply
to the AES master key.  The problem has been fixed.

CIRCUMVENTION FOR APAR 'SE54954' :
----------------------------------
None.


Activation Instructions


None.




Special Instructions

If there are no cryptographic coprocessors installed in the system,
nothing further needs to be done.

Run the following command to determine if any jobs are currently using
any cryptographic coprocessor (4758, 4764, or 4765):

WRKCFGSTS *DEV *CRP

If there are any jobs currently using a cryptographic coprocessor, end
them and then start them again after applying this PTF.

If you have used the Basic Configuration Wizard in V6R1M0 or in an
earlier release to configure a cryptographic coprocessor but have
NOT used it in V7R1M0, or if you have never used the Basic
Configuration Wizard in any release, nothing further needs to be done.

For each cryptographic coprocessor, if you have used the Basic
Configuration Wizard in V7R1M0 and have subsequently changed the
DES and PKA master keys, nothing further needs to done.

If you have used the Basic Configuration Wizard in V7R1M0 and have not
subsequently changed the DES and PKA master keys, it is strongly
recommended that you do change them either by using the master key
function in the Manage Configuration portion of the Cryptographic
Configuration Utility, or by using a program that calls the
CSNBMKP (Master Key Proces API) in library QCCA. This can be performed
either prior to the apply of this PTF or afterwards.

If you choose NOT to change the master key, be aware that in order for
encryption keys to be usable after performing disaster recovery or to
configure a new card you will need to modify the value of the master
key entered via the Basic Configuration Wizard such that the last 16
bytes of the key part are the same as the last 16 bytes of the second
master key part. This is shown in this example:

Key part 1:  0123456789ABCDEF FEDCBA(876543210 0123456789ABCDEF
Key part 2:  01020407080B0D0E 51525457585E5D5D 6723ABEF01454523
---------------- ----------------
Key part 3:  89AB012367EFBA98 51525457585E5D5D 6723ABEF01454523
---------------- ----------------

Prior to the apply of this PTF, the Basic Configuration Utility was
replacing the last 16 bytes the third key part with the last 16
bytes of the second key part.  After applying this PTF, you will
need to duplicate the same incorrect behavior to configure a
new/replacement card in order for keys in keystore to be usable.

Master keys entered via the master key function in the Manage
Configuration portion on the Crypto Configuration Utility were
unaffected as were keys entered via a program that calls the
CSNBMKP API.



********************************************************************
THE FOLLOWING ARE SUPERSEDED SPECIAL INSTRUCTIONS. IF THE SUPERSEDED
PTF HAS ALREADY BEEN APPLIED AND ITS SPECIAL INSTRUCTION FOLLOWED,
IT IS NOT NECESSARY TO FOLLOW THAT SPECIAL INSTRUCTION AGAIN.
********************************************************************

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI48991 :
=================================================

If there are no cryptographic coprocessors installed in the system
or if there are no cryptographic device descriptions created,
nothing further needs to be done.

For each cryptographic device description perform and follow these
instructions only if the reported error has occurred for that specific
device.  Warning: Performing these instructions on a device that is
otherwise functioning normally may result in the loss of cryptographic
keys.


If the CRYPADMN profile is available, reset the DEFAULT role using
Cryptographic Coprocessor Configuration utility.

1) End and restart the ADMIN instance of the HTTP Server after applying
the PTF.

2) Start a web browser and enter this URL:

http://server_name:2001/QIBM/CCA/Admin/qc6fmenu.ndm/main0

where server_name is the name of your partition or system.  The link
to the utility can also be found in the IBM i Tasks page.

3) Click on the button labeled "Start secure session".

4) Click on the Manage Configuration link on the left panel to expand
the list.

5) Click on the Attributes link.

6) On the Allocate a device page, select the device and click on
Continue.

7) On the Log on Crypto Coprocessor page, enter CRYPADMN in the
profile field and type the pass phrase for CRYPADMN in the
pass phrase field, and then click on Continue.

8) Click on the button labeled "Re-initialize" and then click on
Continue on the subsequent page.

9) If the operation was successful, a pop-up window should appear with
a message indicating the device was reinitialized.


If the CRYPADMN profile is not available or if the previous
instructions failed, the  device needs to be reinitialized through
Hardware Service Manager instead.

1) Vary the device description off using either the Work with
Configuration Status (WRKCFGSTS) or Vary Configuration (VRYCFG) CL
commands on a CL command line.

2) Type STRSST and press enter to start system service tools.

3) Enter a valid service tools user ID and password, and then press
enter.

4) Enter 1 to start a service tool, and then press enter.

5) Enter 7 for Hardware Service Manager, and then press enter.

6) Enter 3 to locate resource by name, and then press enter.

7) Enter the name of the resource used by the cryptographic device
description, and then press enter.

8) Enter 6 for I/O Debug, and then press enter.

9) Enter 1 to Reinitialize Flash Memory, and then press enter.

10) Press enter on the Warning display.

11) When the reinitialization completes, exit out of system service
tools.


At this point, the Basic Configuration Wizard can be used again for the
device.

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI46962 :
=================================================

If there is at least one 4765 Cryptographic Coprocessor installed, load
and apply PTF SI46757.

Run the following command to determine if any jobs are currently using
any cryptographic coprocessor (4758, 4764, or 4765):

WRKCFGSTS *DEV *CRP

If there are any jobs currently using a cryptographic coprocessor, end
them and then start them again after applying this PTF (SI46962).

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI45912 :
=================================================

If there is at least one 4765 Cryptographic Coprocessor installed, load
and apply PTF SI43664.

Run the following command to determine if any jobs are currently using
any cryptographic coprocessor (4758, 4764, or 4765):

WRKCFGSTS *DEV *CRP

If there are any jobs currently using a cryptographic coprocessor, end
them and then start them again after applying this PTF (SI45912).

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI40203 :
=================================================

If you do not currently have a 4764 Cryptographic Coprocessor installed
or do not have any AES keystore files created, nothing further needs to
be done.

This PTF introduces a format change to AES keystore files used with the
4764 cryptographic coprocessor.  Existing AES keystore files will be
unusable until they are converted.  Operations using the old format
keystore files will fail with either return/reason codes 12/197 or
return/reason codes 8/6009.  A migration utility program is
provided to convert your existing AES keystore files to the new format.

Before using the the migration utility program, it is recommended that
you save a backup copy of each AES keystore file.

To convert AES keystore files, use the following command:

CALL QCCA/QC6UPDAES PARM('FILENAME' 'LIBNAME')

where FILENAME is the name of an AES keystore and LIBNAME is the
name of the library in which the file is stored.

Run this command for each AES keystore file on the system.

If this PTF is removed, delete the converted AES files and restore the
backed up copies.

DES and PKA keystores are unaffected by this PTF.


Default Instructions

THIS PTF CAN BE APPLIED IMMEDIATE OR DELAYED.



Supersedes

PTF/FIX NO(S).  APAR TITLE LINE
--------------  ------------------------------------------------------------
   SI36681      CCA-INCORROUT RANDOM MASTER KEYS FAIL WITH INTERNET EXPLORER
   SI48991      CCA-INCORROUT BASIC CONFIG WIZARD FAILS RET/REAS 8/772 CSUAL
   SI46962      CCA Update CCA level to 4.2.8
   SI46442      CCA CSNDDSG return reason codes 8/95 using key labels
   SI45912      CCA - CSNDPKX fails with return reason code 8/72 for ECC key
   SI43428      CCA Key_Storage_Designate (CSUAKSD) fails with 8/752
   SI42111      CCA enable future enhancement
   SI40203      CCA Add support for the 4765 cryptographic coprocessor

Summary Information

System..............................i
Models..............................
Release.............................V7R1M0
Licensed Program...............5770SS1
APAR Fixed..........................View details for APAR SE54954
Superseded by:......................
Recompile...........................N
Library.............................QCCA
MRI Feature ........................NONE
Cum Level...........................NONE


System i Support

IBM disclaims all warranties, whether express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. By furnishing this document, IBM grants no licenses to any related patents or copyrights. Copyright © 1996,1997,1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017 IBM Corporation. Any trademarks and product or brand names referenced in this document are the property of their respective owners. Consult the Terms of use link for trademark information.

[{"Type":"MASTER","Line of Business":{"code":"LOB57","label":"Power"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.1.0"},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG15V","label":"PTF Cover Letters - OS\/400 General"},"Component":"","ARM Category":[],"Platform":[{"code":"PF012","label":"IBM i"}],"Version":"V7R1M0","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
12 April 2013