z/OS Cryptographic Services ICSF System Programmer's Guide


Step 6. Loading Master Keys and Initializing the CKDS through ICSF Panels

SA22-7520-17

Notes:
  1. If sharing a CKDS between CCF systems and non-CCF systems, the CKDS must be initialized on a CCF system.
  2. When defining a master key by specifying master key parts, make sure the key parts are recorded and saved in a secure location. When you are entering the key parts for the first time, be aware that you may need to reenter these same key values at a later date to restore master key values that have been cleared. If defining a master key using a pass phrase, realize that the same pass phrase will always produce the same master key values, and is therefore as critical and sensitive as the master key values themselves. Make sure you save the pass phrase so that you can later reenter it if needed. Because of the sensitive nature of the pass phrase, make sure you secure it in a safe place.

If you are using TKE, proceed to the next step.

Process
Passphrase Initialization to load and SET master keys and initialize CKDS and PKDS
  • Create NOCV, ANSI, and ESYS keys as applicable for your installation
    Note:
    These system keys are not valid on a PCIXCC, CEX2C, or CEX3C system.

- OR -

Clear Master Key Entry

  • Load DES New Master Key
  • Load AES New Master Key
  • Load PKA Signature Master Key (SMK)
  • Load PKA Key Management Master Key (KMMK)
  • Load New Symmetric Master Key (if applicable)
  • Load New Asymmetric Master Key (if applicable)
    Note:
    Using the Coprocessor Management panel, the master keys can be loaded into all the coprocessors (CCF, PCICC, PCIXCC, CEX2C, and CEX3C) at the same time. It is recommended that the SMK and KMMK keys be set to the same value.
  • Initialize CKDS
  • Create NOCV, ANSI, and ESYS keys as applicable for your installation - CCF systems only
  • Initialize the PKDS
  • Enable PKA Services
  • Enable PKDS Read Access
  • Enable PKDS Write, Create, and Delete Access
Responsible
ICSF Administrator and Key Officers
Where
ICSF Panels
Verify
In System Log (CCF Systems):
CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.                        
CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.  
CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.  
CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
IEE504I CRYPTO(0),ONLINE
IEE504I CRYPTO(1),ONLINE  (if applicable)
CSFM116I BOTH MASTER KEYS CORRECT ON PCI CRYPTOGRAPHIC 
COPROCESSOR Pnn, SERIAL NUMBER nn-nnnn  (if applicable)
CSFM001I ICSF INITIALIZATION COMPLETE
CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE. 
CSFM400I CRYPTOGRAPHY SERVICES ARE NOW AVAILABLE

In System Log (PCIXCC, CEX2C, or CEX3C Systems):

CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.                        
CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.  
CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.  
CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
CSFM124I MASTER KEY DES ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
NUMBER nnnnnnnn, NOT INITIALIZED.                                       
CSFM124I MASTER KEY AES ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
NUMBER nnnnnnnn, NOT INITIALIZED. 
CSFM124I MASTER KEY ECC ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
NUMBER nnnnnnnn, NOT INITIALIZED.   
CSFM124I MASTER KEY RSA ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
NUMBER nnnnnnnn, NOT INITIALIZED.                                              
CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CKDS IS NOT INITIALIZED. 
CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE. 
CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.PKDS IS NOT INITIALIZED.
CSFM012I NO ACCESS CONTROL AVAILABLE FOR CRYPTOZ RESOURCES. ICSF PKCS11 
SERVICES DISABLED.
CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION
CSFM001I ICSF INITIALIZATION COMPLETE                                    
CSFM009I NO ACCESS CONTROL AVAILABLE FOR ICSF SERVICES OR KEYS 
CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE. 

Message CSFM440I will be issued for each active PCIXCC.

Message CSFM124I will be issued for each CEX2C/CEX3C online. The ECC master key is available only on the CEX3C.

Message CSFM122I will not be issued when your system has any CEX3C coprocessors (with the Sep. 2011 or later LIC) online. The PKA callable services control will not be active. The availability of RSA callable services will depend on the status of the RSA master key. CSFM130I is issued when the RSA master key is active and RSA callable services are available.

In System Log (CEX2C or CEX3C without CEX2A or CEX3A Systems):

S CSF   
CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.                        
CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.  
CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.  
CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
CSFM124I MASTER KEY DES ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
NUMBER nnnnnnnn, NOT INITIALIZED.                                       
CSFM124I MASTER KEY AES ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
NUMBER nnnnnnnn, NOT INITIALIZED.
CSFM124I MASTER KEY ECC ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
NUMBER nnnnnnnn, NOT INITIALIZED.
CSFM124I MASTER KEY RSA ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
NUMBER nnnnnnnn, NOT INITIALIZED. 
CSFM129I MASTER KEY mk ON coprocessor-name cii, SERIAL 
NUMBER nnnnnnn, IS CORRECT.                                       
CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE.
CSFM001I ICSF INITIALIZATION COMPLETE                                  
CSFM400I CRYPTOGRAPHY - SERVICES ARE NOW AVAILABLE.
CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
CSFM127I CRYPTOGRAPHY - AES SERVICES ARE AVAILABLE. 
 

Message CSFM129I will be issued for each CEX2C/CEX3C online.

In System Log (CEX2C/CEX3C and CEX2A/CEX3A Systems):

S CSF  
CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.                        
CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.  
CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.  
CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
CSFM101E PKA KEY DATA SET, CSF.PKDS IS NOT INITIALIZED.      
CSFM124I MASTER KEY DES ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
NUMBER nnnnnnnn, NOT INITIALIZED.                                       
CSFM124I MASTER KEY AES ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
NUMBER nnnnnnnn, NOT INITIALIZED.
CSFM124I MASTER KEY ECC ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL 
NUMBER nnnnnnnn, NOT INITIALIZED.
CSFM124I MASTER KEY RSA ON CRYPTO EXPRESS3 COPROCESSOR xxx, SERIAL      
NUMBER nnnnnnnn, NOT INITIALIZED.  
CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CKDS IS NOT INITIALIZED.     
CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE. 
CSFM400I CRYPTOGRAPHY - SERVICES ARE NOW AVAILABLE.
CSFM127I CRYPTOGRAPHY - AES SERVICES ARE AVAILABLE.
CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS3 COPROCESSOR 
xxx, SERIAL NUMBER nnnnnnn                      

Message CSFM124I will be issued for each CEX2C/CEX3C online. The ECC master key is available only on the CEX3C.

Message CSFM111I will be issued for each active CEX2C/CEX3C.

In System Log (CPACF only system):

S CSF 
CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.                        
CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.  
CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.  
CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.                             
CSFM507I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC COPROCESSORS ONLINE.  
CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE.  
CSFM001I ICSF INITIALIZATION COMPLETE
CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE. 

In System Log (CPACF, CEX2A, and CEX3A Systems):

S CSF   
CSFM607I A CKDS KEY STORE POLICY IS NOT DEFINED.                        
CSFM607I A PKDS KEY STORE POLICY IS NOT DEFINED.
CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.  
CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.  
CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.                                         
CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS3 COPROCESSOR 
xxx, SERIAL NUMBER nnnnnnn                         
CSFM507I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC COPROCESSORS ONLINE.  
CSFM001I ICSF INITIALIZATION COMPLETE
CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.                                     

Message CSFM111I will be issued for each active CEX2A/CEX3A.

References
For information on using the Pass Phrase Initialization Utility and managing master keys, refer to z/OS Cryptographic Services ICSF Administrator’s Guide.
Completed
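
The Verify listings above are wrapped console messages, so checking them by eye is error-prone. As an added example (not part of the IBM guide and not IBM code), this Python script rejoins the wrapped lines and reports the state of each master key per coprocessor, plus any key data set still flagged as not initialized. It assumes the log is in the bare form shown on this page, without timestamps or system prefixes.

```python
import re

# Constructed sample (wrapped as on this page); G01 and the serial are made up.
SAMPLE_LOG = """\
S CSF
CSFM124I MASTER KEY DES ON CRYPTO EXPRESS3 COPROCESSOR G01, SERIAL
NUMBER 00000001, NOT INITIALIZED.
CSFM124I MASTER KEY RSA ON CRYPTO EXPRESS3 COPROCESSOR G01, SERIAL
NUMBER 00000001, NOT INITIALIZED.
CSFM129I MASTER KEY AES ON CRYPTO EXPRESS3 COPROCESSOR G01, SERIAL
NUMBER 00000001, IS CORRECT.
CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CKDS IS NOT INITIALIZED.
CSFM001I ICSF INITIALIZATION COMPLETE
"""

MSG_START = re.compile(r"^([A-Z]{3,4}\d{3}[A-Z])\s+(.*)$")
MASTER_KEY = re.compile(
    r"MASTER KEY (\w+) ON (.+?), SERIAL NUMBER (\S+), (NOT INITIALIZED|IS CORRECT)")
DATA_SET = re.compile(r"KEY DATA SET, (\S+) IS NOT INITIALIZED")

def join_messages(log):
    """Rejoin messages wrapped across lines; return [(msg_id, text), ...]."""
    msgs = []
    for line in (raw.strip() for raw in log.splitlines()):
        m = MSG_START.match(line)
        if m:
            msgs.append([m.group(1), m.group(2)])
        elif line and line != "S CSF" and msgs:
            msgs[-1][1] += " " + line          # continuation of previous message
    return [(msg_id, " ".join(text.split())) for msg_id, text in msgs]

def startup_report(log):
    report = {"complete": False, "master_keys": {}, "uninitialized": []}
    for msg_id, text in join_messages(log):
        if msg_id == "CSFM001I":
            report["complete"] = True
        elif msg_id in ("CSFM124I", "CSFM129I"):
            for key, unit, serial, state in MASTER_KEY.findall(text):
                report["master_keys"][(unit, serial, key)] = state  # last wins
        elif msg_id in ("CSFM100E", "CSFM101E"):
            report["uninitialized"] += DATA_SET.findall(text)
    return report

def outstanding(report):
    """Items the log still reports as NOT INITIALIZED."""
    keys = [f"{key} master key on {unit} ({serial})"
            for (unit, serial, key), state in sorted(report["master_keys"].items())
            if state == "NOT INITIALIZED"]
    return keys + [f"key data set {name}" for name in report["uninitialized"]]
```

Because the latest message for a given coprocessor and key type wins, running it over a log that spans the master key load shows which items are still outstanding.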





Copyright IBM Corporation 1990, 2014