Check Master KVV (CHKMSTKVV)

The Check Master KVV (CHKMSTKVV) command returns the key verification value (KVV) for the specified master key in informational message CPI9ED3.

For more information on master keys, refer to the Cryptographic services key management section of the Security category in the IBM Systems Information Center at http://www.ibm.com/systems/infocenter/.

Note: If the KVV value returned for the Save/Restore Master Key is hexadecimal '16C1D3E3C073E77DB28F33E81EC165313318CE54', the key is set to its default value. The default value is not a secure setting for saving the master keys. Master keys can be saved by running the Save System (SAVSYS) command. To properly secure your master keys on the next SAVSYS operation, load and set the Save/Restore Master Key using the Add Master Key Part (ADDMSTPART) and Set Master Key (SETMSTKEY) CL commands, or by using the Qc3LoadMasterKeyPart and Qc3SetMasterKey APIs, or by using the Cryptographic Services Key Management interface in System i Navigator.

Restrictions:

None

Parameters

Keyword   Description          Choices                          Notes
MSTKEY    Master key           1-8, *ASP, *SAVRST               Required, Positional 1
VERSION   Master key version   *NEW, *CURRENT, *OLD, *PENDING   Required, Positional 2

Master key (MSTKEY)

Specifies the master key on which to perform the action.

This is a required parameter.

The action will be performed on:

*ASP
The master key used for encrypting data stored on auxiliary storage pool (ASP) disk storage.
*SAVRST
The master key used for encrypting all the other master keys on a SAVSYS operation.
1-8
One of the eight general purpose master keys.

Master key version (VERSION)

Specifies the version of the master key whose key verification value will be returned in informational message CPI9ED3.

This is a required parameter.

*NEW
Returns the key verification value (KVV) that would be created if a Set Master Key (SETMSTKEY) command were to be run for the key parts previously added by running the Add Master Key Part (ADDMSTPART) command.
*CURRENT
Returns the KVV for the current version of the specified master key.
*OLD
Returns the KVV for the old version of the specified master key. An old master key is the version that was the current master key before a SETMSTKEY command was run.
*PENDING
Returns the KVV for the pending version of the specified master key. A pending master key is a master key that was restored from SAVSYS media but that the system was unable to decrypt and make usable. This value is not valid if *SAVRST is specified for the master key.

Examples

CHKMSTKVV   MSTKEY(*ASP)  VERSION(*CURRENT)

This command checks whether there is a current version of the auxiliary storage pool (ASP) master key. If a current version exists, informational message CPI9E93 is sent with the version's KVV as a replacement data value.
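
The following Python script is an added example, not part of the IBM documentation. It audits KVVs collected from several systems against the default Save/Restore Master Key value given in the note above, and rejects parameter combinations this page marks as not valid. The record layout (system name, MSTKEY, VERSION, KVV), the system names, the status labels, the 40-hex-digit length check and the choice to report only the *CURRENT version as a finding are assumptions of this example.

```python
import re

# Default Save/Restore Master Key KVV, copied from the note on this page.
DEFAULT_SAVRST_KVV = "16C1D3E3C073E77DB28F33E81EC165313318CE54"

# Allowed values, from the Parameters table on this page.
MSTKEYS = {"*ASP", "*SAVRST"} | {str(n) for n in range(1, 9)}
VERSIONS = {"*NEW", "*CURRENT", "*OLD", "*PENDING"}

# Constructed sample input: system name, MSTKEY, VERSION, reported KVV.
SAMPLE = """\
SYSA *SAVRST *CURRENT 16C1D3E3C073E77DB28F33E81EC165313318CE54
SYSB *SAVRST *CURRENT 16c1d3e3 c073e77d b28f33e8 1ec16531 3318ce54
SYSC *SAVRST *CURRENT 0123456789ABCDEF0123456789ABCDEF01234567
SYSE *SAVRST *PENDING 0123456789ABCDEF0123456789ABCDEF01234567
SYSF 9 *CURRENT 0123456789ABCDEF0123456789ABCDEF01234567
SYSG 3 *OLD 0123
"""

def normalize_kvv(text):
    """Return the KVV as 40 uppercase hex digits, or None if malformed."""
    kvv = re.sub(r"[\s']", "", text).upper()   # drop spaces and quotes
    if kvv.startswith("X"):                    # accept the X'...' notation
        kvv = kvv[1:]
    # Assumption: a KVV has the same length as the default value (40 digits).
    return kvv if re.fullmatch(r"[0-9A-F]{40}", kvv) else None

def check_record(line):
    """Classify one 'system MSTKEY VERSION KVV' record."""
    parts = line.split(None, 3)
    if len(parts) != 4:
        return (line.strip(), "malformed-record")
    system, mstkey, version, raw_kvv = parts
    mstkey, version = mstkey.upper(), version.upper()
    if mstkey not in MSTKEYS or version not in VERSIONS:
        return (system, "invalid-parameter")
    if mstkey == "*SAVRST" and version == "*PENDING":
        return (system, "invalid-combination")   # *PENDING not valid here
    kvv = normalize_kvv(raw_kvv)
    if kvv is None:
        return (system, "malformed-kvv")
    # Assumption: only the *CURRENT version is reported as a finding.
    if (mstkey, version, kvv) == ("*SAVRST", "*CURRENT", DEFAULT_SAVRST_KVV):
        return (system, "default-savrst-key")
    return (system, "ok")

def audit(text):
    """Classify every non-empty record in the collected text."""
    return [check_record(l) for l in text.splitlines() if l.strip()]

if __name__ == "__main__":
    for system, status in audit(SAMPLE):
        print(f"{system:6} {status}")
```

Systems reported as default-savrst-key need the Save/Restore Master Key loaded and set before the next SAVSYS operation, as the note above describes.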

Error messages

*ESCAPE Messages

CPF3CF2
Error(s) occurred during running of &1 API.
CPF9872
Program or service program &1 in library &2 ended. Reason code &3.
CPF9DAF
Version &2 of master key &1 is not set.
CPF9DDA
Unexpected return code &1 from cryptographic service provider &2.