The procedures presented in this chapter involving the RSA master
key will depend on whether your system has any CEX3C coprocessors
with the Sep. 2011 or later LIC installed and online. If your system
has any CEX3C coprocessors with the Sep. 2011 or later LIC online,
the RSA-MK will be processed in the same manner as the DES, AES, and
ECC master keys.
If your system has any CEX3C coprocessors with the Sep. 2011 or
later LIC online:
- The PKA callable services control will not be used on your system.
It will not appear on the Administrative Control Functions panel.
- The RSA-MK will not be set when the final key part is loaded on
the Master Key Entry panel. The master key will be in the new master
key register.
- The TKE Workstation cannot be used to set the RSA-MK.
- PKDS initialization will use the new master key register to get
the verification pattern of the RSA-MK to be stored in the PKDS header
record. The RSA-MK will be activated as part of PKDS initialization.
- The RSA-MK can be loaded to a coprocessor (new or after the master
keys are cleared) and set by using the Set MK utility on the Master
Key Management panel.
- The steps to change the RSA-MK are:
  - Load the new master key value into the new RSA-MK register.
  - Reencipher the PKDS from the current to the new master key.
  - Change the RSA-MK using the Change ASYM MK utility on the Master
    Key Management panel.
If your system doesn't have any CEX3C coprocessors with the
Sep. 2011 or later LIC:
- The PKA callable services control will be used as it has in past
releases of ICSF.
- The RSA-MK will be set when the final key part is loaded on the
Master Key Entry panel. The PKA callable services control must be
disabled to load the RSA-MK.
- The RSA-MK can be set using the TKE Workstation.
- PKDS initialization will use the current master key register to
get the verification pattern of the RSA-MK to be stored in the PKDS
header record.
- The steps to change the RSA-MK are:
  - Disable the PKA callable services control.
  - Load the new master key value into the new RSA-MK register. The
    master key will be set when the final key part is entered.
  - Reencipher the PKDS from the old to the current master key.
  - Refresh the PKDS with the reenciphered PKDS.
  - Enable the PKA callable services control.
Note:
The PCI Cryptographic Accelerators improve private
key decryption performance. They do not require setting of master
keys.