z/OS Cryptographic Services ICSF System Programmer's Guide


Step 7. Customizing TKE and Loading Master Keys

SA22-7520-17

If you are not using TKE, proceed to the next step.

Process - CCF Systems
TKE Administrators and Key Officers
  • Define Host IDs
  • Define CCF Authorities
  • Define Access Controls (Signature Requirements for CCF)
  • Define Roles (if applicable)
  • Define PCI Cryptographic Coprocessor Authorities (if applicable)
  • Load DES New Master Key
  • Load PKA Signature Master Key (SMK)
  • Load PKA Key Management Master Key (KMMK)
  • Load New Symmetric Master Key (if applicable)
  • Load and SET New RSA Master Key (if applicable)
Note:
If you have more than one crypto module or PCI Cryptographic Coprocessor, repeat the process for each, unless Groups have been defined. It is recommended that the SMK and KMMK keys be set to the same value.
Process - PCIXCC/CEX2C/CEX3C Systems
TKE Administrators and Key Officers
  • Define Host IDs
  • Define Roles
  • Define PCIXCC/CEX2C/CEX3C Authorities
  • Load New DES-MK
  • Load New AES-MK (if running on z10 or z196 servers with a CEX2C or CEX3C and the Nov. 2008 or later licensed internal code (LIC))
  • Load and SET New RSA-MK or ECC-MK
Note:
If you have more than one PCIXCC, CEX2C, or CEX3C, repeat the process for each, unless Groups have been defined.
Responsible
ICSF Administrator
  • Initialize CKDS and SET the DES/SYM-MK New Master Key
  • Create NOCV, ANSI, and ESYS keys as applicable for your installation - CCF Systems only
  • Load PKA/RSA-MK/ECC-MK Master Keys
  • SET RSA-MK (PCICC, PCIXCC, CEX2C, and CEX3C) and/or ECC-MK (CEX3C)
  • Initialize the PKDS
  • Enable PKA Services
  • Enable PKDS Read Access
  • Enable PKDS Write, Create, and Delete Access
Where
TKE Workstation and ICSF Panels
Verify
In System Log (CCF Systems):
CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.                        
CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.  
CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.  
CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
IEE504I CRYPTO(0),ONLINE
IEE504I CRYPTO(1),ONLINE  (if applicable)
CSFM116I BOTH MASTER KEYS CORRECT ON PCI CRYPTOGRAPHIC 
COPROCESSOR Pnn, SERIAL NUMBER nn-nnnn  (if applicable)
CSFM001I ICSF INITIALIZATION COMPLETE
CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE. 
CSFM400I CRYPTOGRAPHY SERVICES ARE NOW AVAILABLE

In System Log (PCIXCC, CEX2C, or CEX3C Systems):

CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.                        
CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.  
CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.  
CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
CSFM124I MASTER KEY DES ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
NUMBER nnnnnnnn, NOT INITIALIZED.                                       
CSFM124I MASTER KEY AES ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
NUMBER nnnnnnnn, NOT INITIALIZED. 
CSFM124I MASTER KEY ECC ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
NUMBER nnnnnnnn, NOT INITIALIZED.   
CSFM124I MASTER KEY RSA ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
NUMBER nnnnnnnn, NOT INITIALIZED.                                              
CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CKDS IS NOT INITIALIZED. 
CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE. 
CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.PKDS IS NOT INITIALIZED.
CSFM012I NO ACCESS CONTROL AVAILABLE FOR CRYPTOZ RESOURCES. ICSF PKCS11 
SERVICES DISABLED.
CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION
CSFM001I ICSF INITIALIZATION COMPLETE                                    
CSFM009I NO ACCESS CONTROL AVAILABLE FOR ICSF SERVICES OR KEYS 
CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE. 

Message CSFM440I will be issued for each active PCIXCC.

Message CSFM124I will be issued for each CEX2C/CEX3C online. The ECC master key is available only on the CEX3C.

Message CSFM122I will not be issued when your system has any CEX3C coprocessors (with the Sep. 2011 or later LIC) online. The PKA callable services control will not be active. The availability of RSA callable services will depend on the status of the RSA master key. CSFM130I is issued when the RSA master key is active and RSA callable services are available.

In System Log (CEX2C or CEX3C without CEX2A or CEX3A Systems):

S CSF   
CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.                        
CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.  
CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.  
CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
CSFM124I MASTER KEY DES ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
NUMBER nnnnnnnn, NOT INITIALIZED.                                       
CSFM124I MASTER KEY AES ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
NUMBER nnnnnnnn, NOT INITIALIZED.
CSFM124I MASTER KEY ECC ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
NUMBER nnnnnnnn, NOT INITIALIZED.
CSFM124I MASTER KEY RSA ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
NUMBER nnnnnnnn, NOT INITIALIZED. 
CSFM129I MASTER KEY mk ON coprocessor-name cii, SERIAL 
NUMBER nnnnnnn, IS CORRECT.                                       
CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE.
CSFM001I ICSF INITIALIZATION COMPLETE                                  
CSFM400I CRYPTOGRAPHY - SERVICES ARE NOW AVAILABLE.
CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
CSFM127I CRYPTOGRAPHY - AES SERVICES ARE AVAILABLE. 
 

Message CSFM129I will be issued for each CEX2C/CEX3C online.

In System Log (CEX2C/CEX3C and CEX2A/CEX3A Systems):

S CSF  
CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.                        
CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.  
CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.  
CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
CSFM101E PKA KEY DATA SET, CSF.PKDS IS NOT INITIALIZED.      
CSFM124I MASTER KEY DES ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
NUMBER nnnnnnnn, NOT INITIALIZED.                                       
CSFM124I MASTER KEY AES ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
NUMBER nnnnnnnn, NOT INITIALIZED.
CSFM124I MASTER KEY ECC ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL 
NUMBER nnnnnnnn, NOT INITIALIZED.
CSFM124I MASTER KEY RSA ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
NUMBER nnnnnnnn, NOT INITIALIZED.  
CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CKDS IS NOT INITIALIZED.     
CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE. 
CSFM400I CRYPTOGRAPHY - SERVICES ARE NOW AVAILABLE.
CSFM127I CRYPTOGRAPHY - AES SERVICES ARE AVAILABLE.
CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS3 COPROCESSOR 
xxx, SERIAL NUMBER nnnnnnn                      

Message CSFM124I will be issued for each CEX2C/CEX3C online. The ECC master key is available only on the CEX3C.

Message CSFM111I will be issued for each active CEX2C/CEX3C.

In System Log (CPACF only system):

S CSF 
CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.                        
CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.  
CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.  
CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.                             
CSFM507I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC COPROCESSORS ONLINE.  
CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE.  
CSFM001I ICSF INITIALIZATION COMPLETE
CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE. 

In System Log (CPACF, CEX2A, and CEX3A):

S CSF   
CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.                        
CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.  
CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.  
CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.                                         
CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS3 COPROCESSOR 
xxx, SERIAL NUMBER nnnnnnn                         
CSFM507I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC COPROCESSORS ONLINE.  
CSFM001I ICSF INITIALIZATION COMPLETE
CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.                                     

Message CSFM111I will be issued for each active CEX2A/CEX3A.
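
To check a startup log against the Verify listings above, the following added example (not part of the IBM guide) rejoins messages that wrap onto a second line and lists what ICSF still reports as not done. It assumes the input holds message text only, as printed on this page, with no timestamp or system prefix; the coprocessor index and serial number in the sample are constructed.

```python
import re

# Constructed startup excerpt in the message formats shown on this page;
# coprocessor index G01 and serial 00000001 are made-up values.
SAMPLE = """\
S CSF
CSFM124I MASTER KEY DES ON CRYPTO EXPRESS3 COPROCESSOR G01, SERIAL
NUMBER 00000001, NOT INITIALIZED.
CSFM129I MASTER KEY AES ON CRYPTO EXPRESS3 COPROCESSOR G01, SERIAL
NUMBER 00000001, IS CORRECT.
CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CKDS IS NOT INITIALIZED.
IEE504I CRYPTO(0),ONLINE
CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION
CSFM001I ICSF INITIALIZATION COMPLETE
"""

MSG = re.compile(r"^([A-Z]{3,4}\d{3,4}[A-Z])\s+(.*)$")
MK = re.compile(r"MASTER KEY (\w+) ON (.+?), SERIAL NUMBER (\S+?), "
                r"(NOT INITIALIZED|IS CORRECT)")
DATASET = re.compile(r"KEY DATA SET, (\S+) IS NOT INITIALIZED")

def join_messages(text):
    """Rejoin wrapped messages: a line with no message id continues the previous one."""
    msgs = []
    for line in text.splitlines():
        m = MSG.match(line.strip())
        if m:
            msgs.append([m.group(1), m.group(2)])
        elif line.strip() and msgs:
            msgs[-1][1] += " " + line.strip()
    # Collapse the padding the console adds so the patterns see single spaces.
    return [(mid, " ".join(body.split())) for mid, body in msgs]

def outstanding(text):
    """List what the startup messages say is still undone after Step 7."""
    todo, complete = [], False
    for mid, body in join_messages(text):
        mk, ds = MK.search(body), DATASET.search(body)
        if mid == "CSFM001I":
            complete = True
        elif mid == "CSFM124I" and mk and mk.group(4) == "NOT INITIALIZED":
            todo.append(f"{mk.group(1)} master key not initialized on {mk.group(2)}")
        elif mid in ("CSFM100E", "CSFM101E") and ds:
            todo.append(f"{ds.group(1)} not initialized")
        elif mid == "CSFM122I":
            todo.append("PKA services not enabled")
    if not complete:
        todo.insert(0, "CSFM001I not seen: ICSF initialization did not complete")
    return todo

if __name__ == "__main__":
    print("\n".join(outstanding(SAMPLE)))
```

An empty result does not by itself show that RSA callable services are available: as noted above, CSFM122I is not issued on systems with a CEX3C at the Sep. 2011 or later LIC, where CSFM130I is the message to look for.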

References

For information on managing master keys, refer to z/OS Cryptographic Services ICSF Administrator’s Guide.

Completed





Copyright IBM Corporation 1990, 2014