TKE Workstation
z/OS Cryptographic Services ICSF System Programmer's Guide SA22-7520-17
The Trusted Key Entry (TKE) workstation is available on the IBM zSeries 990, IBM zSeries 890, z9 EC, z9 BC, z10 EC, z10 BC, and z196. It can also be used to provide key management on the IBM zSeries 900. Refer to z/OS Cryptographic Services ICSF TKE Workstation User's Guide for more information.

TKE Version 3.1 and Access to Callable Services

Access to services that are executed on the PCI Cryptographic Coprocessor is through access control points in the DEFAULT Role. To execute a callable service on the PCI Cryptographic Coprocessor, the access control point for that service must be enabled in the DEFAULT Role. For systems that do not use the optional TKE Workstation, all access control points (current and new) are enabled in the DEFAULT Role with the appropriate microcode level on the PCI Cryptographic Coprocessor. New TKE users and non-TKE users have all* access control points enabled. This is also true for brand new TKE V3.1 users (not converting from TKE V3.0).

Note: *Access control point DKYGENKY-DALL is always disabled in the DEFAULT Role for all customers (TKE and non-TKE). A TKE Workstation is required to enable this access control point for the Diversified Key Generate service.

All of the mentioned components are required for complete access control point support.

Access to services which execute on the Cryptographic Coprocessor Feature is through SAF. Disablement through SAF is sufficient to prevent execution of a service by the Cryptographic Coprocessor Feature, the PCI Cryptographic Coprocessor, the PCI X Cryptographic Coprocessor or the Crypto Express2 Coprocessor. For functions which can be executed on the PCI Cryptographic Coprocessor or the PCI X Cryptographic Coprocessor/Crypto Express2 Coprocessor, enabling the function requires that it be enabled both through SAF and through the access control point in the DEFAULT Role; either gate alone is sufficient to block it. For additional details, see TKE Version 4.x and Higher and Access to Callable Services.

These are access control points for PCICCs.

TKE Version 4.x and Higher and Access to Callable Services

Access to services that are executed on the PCI X Cryptographic Coprocessor or Crypto Express2 Coprocessor is through access control points in the DEFAULT Role. To execute a callable service on the PCIXCC/CEX2C, the access control point for that service must be enabled in the DEFAULT Role. For systems that do not use the optional TKE Workstation, all access control points (current and new) are enabled in the DEFAULT Role with the appropriate microcode level on the PCIXCC/CEX2C. New TKE users and non-TKE users have all* access control points enabled. If you are migrating from TKE V4.0, TKE V4.1 or TKE V4.2 to TKE V5.x and have a PCIXCC/CEX2C, all your current access control points remain as they are, and any new applicable access control points are not enabled until you enable them from the TKE Workstation.

Note:
*Access control points DKYGENKY-DALL, DSG ZERO-PAD unrestricted hash length, and PTR enhanced PIN security are always disabled in the DEFAULT Role for all customers (TKE and non-TKE). A TKE Workstation is required to enable these access control points.

TKE Enablement from the Support Element

On a z890, on systems running with the May 2004 or higher version of Licensed Internal Code, or on a z9 EC or z9 BC system running with MCL 029 Stream J12220 or higher version of Licensed Internal Code, you must enable TKE commands on each PCIXCC, CEX2C, or CEX3C card from the Support Element. This applies both to new TKE users and to those upgrading to this level of LIC. See Support Element Operations Guide and z/OS Cryptographic Services ICSF TKE Workstation User's Guide for more information.
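The SAF half of the rule stated under "TKE Version 3.1 and Access to Callable Services" (a service on a PCICC, PCIXCC or CEX2C runs only if both its SAF profile and its access control point in the DEFAULT Role allow it, and SAF disablement alone is enough to stop it on every coprocessor type) is administered with ordinary RACF commands against the CSFSERV class. The batch job below is an added example written for this page; it is not taken from the guide or from IBM. It assumes RACF is the SAF manager, that the CSFSERV resource name for the Diversified Key Generate service is CSFDKG, and that a group named KEYADMIN exists; the group name is invented for the illustration, and the resource name should be checked against the ICSF Administrator's Guide for your release before use.

```jcl
//CSFPROT  JOB (ACCT),'PROTECT ICSF SVC',CLASS=A,MSGCLASS=X
//* Added example (not from the guide): SAF-side protection of an
//* ICSF callable service.  Group KEYADMIN is hypothetical; resource
//* name CSFDKG (Diversified Key Generate) is assumed for this release.
//*
//* Order matters: generic checking must be on before the ** profile
//* is defined, otherwise ** is stored as a discrete resource name.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS GENERIC(CSFSERV)
  RDEFINE  CSFSERV ** UACC(NONE)
  RDEFINE  CSFSERV CSFDKG UACC(NONE) AUDIT(ALL(READ))
  PERMIT   CSFDKG CLASS(CSFSERV) ID(KEYADMIN) ACCESS(READ)
  SETROPTS CLASSACT(CSFSERV) RACLIST(CSFSERV)
  SETROPTS RACLIST(CSFSERV) REFRESH
  RLIST    CSFSERV CSFDKG AUTHUSER
/*
```

The `**` profile with UACC(NONE) makes the class deny-by-default, so a service that has no specific profile is not silently reachable; because it covers every ICSF service, introduce it in a test LPAR first and add PERMITs for the services your applications actually call. The RLIST at the end prints the access list so the result can be checked before the job is promoted. Note that this job sets only the SAF gate: for Diversified Key Generate the access control point DKYGENKY-DALL is disabled in the DEFAULT Role on every system and can only be turned on from a TKE workstation, so after this job the service still fails on a PCICC, PCIXCC or CEX2C until that point is enabled. Conversely, removing the PERMIT (or never granting one) is sufficient to stop the service on all coprocessor types regardless of the access control point.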
Copyright IBM Corporation 1990, 2014