SI64477 - CRYPTO: AES MASTER KEY NOT LOADED WITH CORRECT KEY PARTS
PTF (Program Temporary Fix) Cover Letter
CRYPTO: AES MASTER KEY NOT LOADED WITH CORRECT KEY PARTS
Pre/Co-Requisite PTF / Fix List
REQ   LICENSED             PTF/FIX   LEVEL
TYPE  PROGRAM   RELEASE    NUMBER    MIN/MAX   OPTION
----  --------  ---------  -------   -------   ------
PRE   5770999   V7R3M0     MF62802   00/00     0000
DIST  5733CY3   V7R3M0     SI63441   NONE      0000
DIST  5770SS1   V7R3M0     SI63096   NONE      0034
Application of this PTF may disable or render ineffective programs that
use system memory addresses not generated by the IBM translator,
including programs that circumvent control technology designed to limit
interactive capacity to purchased levels. This PTF may be a prerequisite
for future PTFs. By applying this PTF you authorize and agree to the
This PTF is subject to the terms of the license agreement which
accompanied, or was contained in, the Program for which you are obtaining
the PTF. You are not authorized to install or use the PTF except as part
of a Program for which you have a valid Proof of Entitlement.
SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY
AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT
AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT,
REGARDING THE PTF.
The applicable license agreement may have been provided to you in printed
form and/or may be viewed using the Work with Software Agreements (WRKSFWAGR)
APAR Error Description / Circumvention
A problem exists when storing master key parts into the cryptographic
coprocessor that may require the key parts to be re-entered and
existing encrypted keys in keystores to be re-encrypted. The issue
occurs only when the Cryptographic Coprocessor Configuration GUI is
used to manually load AES or APKA master key parts. It does not
apply to DES or PKA master keys, or to master key parts entered by a
program that calls API CSNBMKP (Master Key Process) in library QCCA.
CORRECTION FOR APAR 'BE00014' :
The Cryptographic Coprocessor Configuration GUI used to load master
key values has been updated to store the key parts exactly as they
are typed on the load master key panel. A master key loaded through
the GUI before this fix does not match the key parts that were
entered and recorded, and so cannot be reconstructed from those
parts. To ensure all keys currently encrypted under such a master
key are protected by a master key formed from the intended key
parts, you must load and set new AES (and, if used, APKA) master
key parts and then re-encrypt all keys in the AES keystore.
CIRCUMVENTION FOR APAR 'BE00014' :
If you are not using or do not intend to use a cryptographic
coprocessor, nothing further needs to be done.
Each master key type has three registers: New, Current, and Old.
"Loading" master key parts updates only the New master key register;
the Current and Old registers are not changed.
"Setting" the master key moves the Current master key into the Old
register (replacing whatever was there) and moves the New master key
into the Current register.
"Re-encrypting" the keys in a keystore decrypts each key with the Old
master key and encrypts it again with the Current master key. It is
therefore very important to re-encrypt the keys in every keystore
immediately after setting the master key, while the master key they
were encrypted under is still in the Old register. If the master key
is set again before the re-encrypt has been run, that key is pushed
out of the Old register and the coprocessor can no longer decrypt
those keystore entries.
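The register behaviour described above, as an added worked example that is not part of this cover letter and not IBM code: a small Python model in which Load writes only the New register, Set rotates New into Current and Current into Old, and Re-encrypt decrypts every keystore token under Old and encrypts it again under Current. The XOR combination of the three key parts, the truncated-SHA-256 verification pattern, the HMAC keystream used as a stand-in for the coprocessor's own key wrapping, and the names MasterKeyRegisters, wrap, unwrap, part_from_hex_fields and keystore_survives_two_changes are all assumptions made for the model. The last function walks through two master key changes and shows why the re-encrypt must run immediately: with the re-encrypt skipped, the second Set pushes the key the tokens were enciphered under out of the Old register and the keystore can no longer be recovered.

```python
"""Model of the New/Current/Old master key registers described above.

Added example, not IBM code. Load writes only New, Set rotates
New -> Current -> Old, and Re-encrypt decrypts under Old and re-encrypts
under Current, as the cover letter states. The XOR combination of key
parts, the truncated-SHA-256 verification pattern and the HMAC keystream
wrapping are assumptions standing in for the coprocessor's own formats.
"""
import hashlib
import hmac
import os

PART_LEN = 32  # one key part: the four 8-byte values typed on the GUI


def part_from_hex_fields(fields):
    """Assemble one key part from the four 16-hex-digit fields of the load screen."""
    if len(fields) != 4 or any(len(f) != 16 for f in fields):
        raise ValueError("a key part is four fields of 16 hex digits each")
    return b"".join(bytes.fromhex(f) for f in fields)


def combine_parts(parts):
    """XOR the First, Middle and Last parts into the master key value (assumed)."""
    key = bytes(PART_LEN)
    for p in parts:
        if len(p) != PART_LEN:
            raise ValueError("every key part must be %d bytes" % PART_LEN)
        key = bytes(a ^ b for a, b in zip(key, p))
    return key


def verification_pattern(master_key):
    """Fingerprint stored in each token so a wrong master key is detected (model)."""
    return hashlib.sha256(b"MKVP" + master_key).digest()[:8]


def _keystream(master_key, nonce, length):
    # HMAC-SHA256 counter keystream: a stand-in for the card's AES key wrapping.
    blocks = [hmac.new(master_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def wrap(master_key, operational_key):
    """Encipher an operational key: pattern || nonce || ciphertext."""
    nonce = os.urandom(16)
    ks = _keystream(master_key, nonce, len(operational_key))
    ct = bytes(a ^ b for a, b in zip(operational_key, ks))
    return verification_pattern(master_key) + nonce + ct


def unwrap(master_key, token):
    """Decipher a token; raise if it was not wrapped under this master key."""
    if token[:8] != verification_pattern(master_key):
        raise ValueError("token is not enciphered under this master key")
    nonce, ct = token[8:24], token[24:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(master_key, nonce, len(ct))))


class MasterKeyRegisters:
    """The three registers of one master key type (AES here)."""

    def __init__(self):
        self.new = self.current = self.old = None

    def load(self, parts):  # "Load": only the New register changes
        self.new = combine_parts(parts)

    def set(self):  # "Set": Current -> Old, New -> Current
        if self.new is None:
            raise RuntimeError("nothing loaded in the New register")
        self.old, self.current, self.new = self.current, self.new, None

    def reencrypt(self, keystore):  # "Re-encrypt": decrypt under Old, encrypt under Current
        if self.old is None:
            raise RuntimeError("Old register is empty")
        return {n: wrap(self.current, unwrap(self.old, t)) for n, t in keystore.items()}


def random_parts():
    return [os.urandom(PART_LEN) for _ in range(3)]


def keystore_survives_two_changes(reencrypt_after_first_set):
    """Two master key changes; report whether the keystore is still recoverable.
    Skipping the re-encrypt after the first Set is the mistake the cover letter
    warns about: the second Set pushes the key the tokens were enciphered
    under out of the Old register, and nothing in the card can decrypt them."""
    regs = MasterKeyRegisters()
    regs.load(random_parts())
    regs.set()  # the master key already in use
    keystore = {"AESKEY01": wrap(regs.current, os.urandom(32))}  # constructed entry
    regs.load(random_parts())  # e.g. the corrected key parts
    regs.set()
    if reencrypt_after_first_set:
        keystore = regs.reencrypt(keystore)
    regs.load(random_parts())  # a later master key change
    regs.set()
    try:
        regs.reencrypt(keystore)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("re-encrypted immediately:", keystore_survives_two_changes(True))
    print("re-encrypt skipped:", keystore_survives_two_changes(False))
```

Run as a script, the first line reports True and the second False: once a Set has happened twice, only the key in the Old register can be used for re-encryption, and any token still enciphered under the key before it is unrecoverable by the coprocessor.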
The following steps describe how to load and set the master key parts.
If you have an APKA master key in addition to an AES master key, you
may set the APKA master key parts after setting the AES master key
so the re-encrypt process is only run once. The process to load, set,
and re-encrypt keys is performed using the Cryptographic Coprocessor
Configuration web-based utility found by clicking on the IBM i Tasks
page link on the IBM Navigator for i welcome page at
- Click on "Manage configuration".
- Click on "Master keys" and provide information to manage keys on
- Click on "Load".
- Select "AES" and click on "Manual load".
- Fill in the four 8-byte values and click "Continue" to enter the
First key part.
- Repeat to set the Middle and Last key parts, and then click
- Click "Set", select "AES", and then click "Continue" to have the
new master key set as the current master key.
- Click "Done" to complete the Master key entering process.
- Click on "AES keys", specify the key store name and library, and
click "Continue" to manage the existing AES keys.
- Click on "Re-encrypt" and provide profile information, then click
"Re-encrypt" to have the keys enciphered using the current master
APKA master keys are used to encrypt Elliptic Curve Cryptography (ECC)
keys and RSA with Object Protection Keys (OPK). These keys reside in
the AES keystore. To re-encrypt these keys with a new APKA master key,
follow the process above specifying to load and set the APKA master
key instead of an AES master key, and then re-encrypt keys in the AES
If you have keys that are not in a keystore, or if you would prefer to
write your own application to re-encrypt keys, you can do so by using
the key token change API verbs: CSNBKTC (Key Token Change) for
symmetric key tokens and CSNDKTC (PKA Key Token Change) for PKA key
tokens.
After applying or removing this PTF,
end and restart the HTTP administration server.
THE FOLLOWING ARE SUPERSEDED SPECIAL INSTRUCTIONS. IF THE SUPERSEDED
PTF HAS ALREADY BEEN APPLIED AND ITS SPECIAL INSTRUCTION FOLLOWED,
IT IS NOT NECESSARY TO FOLLOW THAT SPECIAL INSTRUCTION AGAIN.
If you are not using or do not intend to use a cryptographic
coprocessor, nothing further needs to be done.
If you are using or intend to use a cryptographic coprocessor, follow
- End all jobs that are using the CCA APIs in 5770SS1 Option 35.
This includes the *ADMIN server instance.
- Load and apply the PTF.
- Start the jobs again.
THIS PTF CAN BE APPLIED IMMEDIATE OR DELAYED.
PTF/FIX NO(S). APAR TITLE LINE
SI64313 CCA Updates for 4.4 and 5.3 verbs
SI63798 OSP-SECURITY CCA APIs UPDATED FOR D/T 4765, 4767
SI63249 OSP-SECURITY APIs UPDATED FOR DEVICE 4767
SI63049 CRYPTO: Native support for Sentry Cryptographic Co-processo
APAR Fixed: BE00014
Superseded by: PTF SI68891
MRI Feature: NONE
More support for:
Software version: V7R3M0
Operating system(s): OS/400
Reference #: SI64477
Modified date: 12 April 2017