This page displays master key status information and allows you to generate, load, set, and clear domain key registers.
The upper part of the window displays the status and hash patterns for the AES, ECC (APKA), DES, and RSA key registers.
The lower part of the Domain Keys page allows you to select the key type with which you wish to work. Select the key type you will be working with from the Key Type container. Each key type supports various actions. Not all actions are available for all key types. Table 1 illustrates the possibilities for the supported crypto modules.
| Key type | Popup | Sub-popup | Action description |
|---|---|---|---|
| AES master key ECC (APKA) master key DES master key RSA master key |
Generate single key part | Generate one master key part and store it on a TKE smart card or save it to a binary or print file. | |
| Generate multiple key parts to … | Smart card Binary file Print file |
Run a wizard-like feature to generate
a user specified number of master key parts and store them on TKE
smart cards or save them to binary or print files. Note: You can use
the same smart card or switch smart cards between key part generations.
|
|
| Generate a set of master key parts | Run a wizard-like feature to generate a set of master key parts (AES, DES, RSA or ECC (APKA)). | ||
| Load single key part | First Intermediate Last |
Load one key part into the appropriate
"new" master key register. Notes:
|
|
| Load all key parts from | Smart card Binary file Print file |
Run a wizard-like feature to load
an entire "new" master key register. At the beginning of the process,
you specify the total number of key parts and have the option of clearing
the "new" master key register. Note: No new security controls are
introduced by this feature. ALL authority and dual control requirements
you put in place remain in effect. It takes the same number of people
to load an entire key using this procedure as it does loading an entire
key one part at a time.
|
|
| Load all new master keys | Run a wizard-like feature to load one or more new master key registers -- first, middle (optional), and last key parts. At the beginning of the process, you have the option of clearing one or more master key registers. Note: No new security controls are introduced by this feature. ALL authority and dual control requirements you put in place remain in effect. It takes the same number of people to load an entire key using this procedure as it does loading an entire key one part at a time. | ||
| Clear | New Master Key Register Old Master Key Register |
Clear the new or old master key register. The status of the register will be "empty" when the operation is complete. | |
| Set (Option only shown on RSA master key) | Sets the RSA master key. Notes:
|
||
| AES master key ECC (APKA) master key DES master key RSA master key (continued) |
Set, immediate | Sets the master key. Transfers the value in the current master key register to the old master key register, transfers the value in the new master key register to the current master key register, and clears the new master key register. Under normal circumstances, set master keys using ICSF procedures or services that coordinate setting the master key with initializing or re-enciphering key storage. This option sets the master key but does not change the associated key storage. If used inappropriately, this command causes the keys in key storage to become unusable when accessed by ICSF in the domain. Use this option only when key storage does not need to be initialized or re-enciphered when the master key is set. For example, this command can be used to reload previous master key values if a host crypto module has been inadvertently zeroized. |
|
| Secure key part entry | Enter known key part value to a TKE smart card; see Secure key part entry. | ||
| DES or AES operational keys | Generate single key part | Generate one key part and store it on a TKE smart card or save it to a binary or print file. | |
| Generate multiple key parts to … | Smart card Binary file Print file |
Run a wizard-like feature to generate
a user specified number of key parts and store them on TKE smart cards
or save them to binary or print files. Note: You can use the same
smart card or switch smart cards between key part generations.
|
|
| Load single key part | First First (minimum of 2 parts) First (minimum of 3 parts) Add part Complete Note: First
(minimum of x parts)" options are only shown on Operational Keys -
AES key types other than DATA.
|
Load one key part into a key part
register. Note:
|
|
| Load to Key Storage Note: Options
only shown on DES operational key type IMP-PKA and AES operational
key type IMPORTER.
|
First Intermediate Last |
Load a key part to the TKE workstation's DES or AES key storage. | |
| Load all key parts from | Smart card Binary file Print file |
Run a wizard-like feature to load
an entire operational key register. At the beginning of the process,
you specify the total number of key parts and have the option of clearing
the "new" master key register. Note: No new security controls are
introduced by this feature. ALL authority and dual control requirements
you put in place remain in effect. It takes the same number of people
to load an entire key using this procedure as it does loading an entire
key one part at a time.
|
|
| View | View key part register information | ||
| Clear | Clear (reset) the operational key part register. | ||
| Secure key part entry | Enter known key part value to a TKE smart card; see Secure key part entry. | ||
| RSA keys | Generate single key part | Generate an RSA key and encrypt it under a DES IMP-PKA key or AES IMPORTER key. | |
| Encipher | Encipher an unencrypted RSA key under an IMP-PKA key. | ||
| Load to PKDS | Load an RSA key to the PKDS active in the logical partition where the Host Transaction Program is started. | ||
| Load to dataset | Load an RSA key to the host data set |