z/OS Cryptographic Services ICSF System Programmer's Guide


TKE Workstation

SA22-7520-17

The Trusted Key Entry (TKE) workstation is available on the IBM eServer zSeries 990, IBM eServer zSeries 890, z9 EC, z9 BC, z10 EC, z10 BC, and z196. It can also be used to provide key management on the IBM eServer zSeries 900.

Refer to z/OS Cryptographic Services ICSF TKE Workstation User’s Guide for more information.

TKE Version 3.1 and Access to Callable Services

Access to services that are executed on the PCI Cryptographic Coprocessor is through Access Control Points in the DEFAULT Role. To execute callable services on the PCI Cryptographic Coprocessor, access control points must be enabled for each service in the DEFAULT Role. For systems that do not use the optional TKE Workstation, all access control points (current and new) are enabled in the DEFAULT Role with the appropriate microcode level on the PCI Cryptographic Coprocessor.

New TKE users and non-TKE users have all* access control points enabled. This is also true for brand new TKE V3.1 users (not converting from TKE V3.0).

Note:
*Access control point DKYGENKY-DALL is always disabled in the DEFAULT Role for all customers (TKE and Non-TKE). A TKE Workstation is required to enable this access control point for the Diversified Key Generate service.

All of the mentioned components are required for complete access control point support.

Access to services that execute on the Cryptographic Coprocessor Feature is through SAF. Disablement through SAF is sufficient to prevent execution of a service by the Cryptographic Coprocessor Feature, the PCI Cryptographic Coprocessor, the PCI X Cryptographic Coprocessor, or the Crypto Express2 Coprocessor. For functions that can execute on the PCI Cryptographic Coprocessor, the PCI X Cryptographic Coprocessor, or the Crypto Express2 Coprocessor, enabling the function requires that it be enabled both through SAF and through the access control point in the DEFAULT Role. For additional details, see TKE Version 4.x and Higher and Access to Callable Services.

These are access control points for PCICCs.

TKE Version 4.x and Higher and Access to Callable Services

Access to services that are executed on the PCI X Cryptographic Coprocessor or Crypto Express2 Coprocessor is through Access Control Points in the DEFAULT Role. To execute callable services on the PCIXCC/CEX2C, access control points must be enabled for each service in the DEFAULT Role. For systems that do not use the optional TKE Workstation, all access control points (current and new) are enabled in the DEFAULT Role with the appropriate microcode level on the PCIXCC/CEX2C.

New TKE users and non-TKE users have all* access control points enabled. If you are migrating from TKE V4.0, V4.1, or V4.2 to TKE V5.x and have a PCIXCC/CEX2C, all of your current access control points remain as they are, and any new applicable access control points are not enabled.

Note:
*Access control points DKYGENKY-DALL, DSG ZERO-PAD unrestricted hash length, and PTR enhanced PIN security are always disabled in the DEFAULT Role for all customers (TKE and Non-TKE). A TKE Workstation is required to enable these access control points.
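The two-gate rule described earlier (SAF plus the access control point in the DEFAULT Role), together with the migration behaviour and the always-disabled access control points described in this section, as an added example that is not from IBM's documentation or from ICSF itself: a small Python model an administrator can use to see which SAF-permitted services a given DEFAULT Role would still block. Apart from the three access control point names taken from this page, every service and access control point name, and the SAF decisions, are constructed for illustration.

```python
from typing import Dict, List, Optional, Set

# The three ACPs this page says are always disabled in the DEFAULT Role
# for TKE and non-TKE users alike, until a TKE Workstation enables them.
ALWAYS_DISABLED_ACPS = frozenset({
    "DKYGENKY-DALL",
    "DSG ZERO-PAD unrestricted hash length",
    "PTR enhanced PIN security",
})


def default_role_acps(existing: Dict[str, bool], new_acps: Set[str],
                      migrating_from_tke_v4: bool) -> Dict[str, bool]:
    """Model the DEFAULT Role after a microcode or TKE level change.

    New TKE users and non-TKE users: every ACP (current and new) is enabled
    except the always-disabled set.  TKE V4.x -> V5.x migration with a
    PCIXCC/CEX2C: current settings are kept and new ACPs stay disabled.
    """
    if migrating_from_tke_v4:
        role = dict(existing)
        for acp in new_acps:
            role.setdefault(acp, False)
        return role
    return {acp: acp not in ALWAYS_DISABLED_ACPS
            for acp in set(existing) | new_acps}


def service_enabled(saf_allows: bool, acp: Optional[str],
                    role: Dict[str, bool]) -> bool:
    """Two gates: SAF disablement alone blocks a service on any coprocessor;
    a coprocessor-executed service also needs its ACP enabled in the role.
    acp is None for a CCF-only service, which SAF alone controls."""
    if not saf_allows:
        return False
    return True if acp is None else role.get(acp, False)


def audit_services(services: Dict[str, Optional[str]], saf: Dict[str, bool],
                   role: Dict[str, bool]) -> List[str]:
    """Services SAF permits but the DEFAULT Role blocks: the case missed
    by an administrator who reviews only SAF profiles."""
    return sorted(name for name, acp in services.items()
                  if saf.get(name, False) and not service_enabled(True, acp, role))
```

Feed it the ACP list reported for the card and the SAF profile decisions for the services of interest; anything `audit_services` returns needs a TKE Workstation to enable its ACP before SAF permission has any effect.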

TKE Enablement from the Support Element

On a z890 or other system running the May 2004 or later version of Licensed Internal Code, or on a z9 EC or z9 BC system running MCL 029 Stream J12220 or later, you must enable TKE commands on each PCIXCC, CEX2C, or CEX3C card from the Support Element. This applies both to new TKE users and to those upgrading to this level of LIC. See Support Element Operations Guide and z/OS Cryptographic Services ICSF TKE Workstation User’s Guide for more information.

Copyright IBM Corporation 1990, 2014