z/OS Cryptographic Services ICSF Administrator's Guide


Changes concerning the RSA master key (RSA-MK)

SA22-7521-17

The procedures presented in this chapter involving the RSA master key will depend on whether your system has any CEX3C coprocessors with the Sep. 2011 or later LIC installed and online. If your system has any CEX3C coprocessors with the Sep. 2011 or later LIC online, the RSA-MK will be processed in the same manner as the DES, AES, and ECC master keys.

If your system has any CEX3C coprocessors with the Sep. 2011 or later LIC online:

  • The PKA callable services control will not be used on your system. It will not appear on the Administrative Control Functions panel.
  • The RSA-MK will not be set when the final key part is loaded on the Master Key Entry panel. The master key will be in the new master key register.
  • The TKE Workstation cannot be used to set the RSA-MK.
  • PKDS initialization will use the new master key register to get the verification pattern of the RSA-MK to be stored in the PKDS header record. The RSA-MK will be activated as part of PKDS initialization.
  • The RSA-MK can be loaded to a coprocessor (new or after the master keys are cleared) and set by using the Set MK utility on the Master Key Management panel.
  • The steps to change the RSA-MK are:
    1. Load the new master key value into the new RSA-MK register.
    2. Reencipher the PKDS from the current to the new master key.
    3. Change the RSA-MK using the Change ASYM MK utility on the Master Key Management panel.

If your system doesn't have any CEX3C coprocessors with the Sep. 2011 or later LIC:

  • The PKA callable services control will be used as it has in past releases of ICSF.
  • The RSA-MK will be set when the final key part is loaded on the Master Key Entry panel. The PKA callable services control must be disabled to load the RSA-MK.
  • The RSA-MK can be set using the TKE Workstation.
  • PKDS initialization will use the current master key register to get the verification pattern of the RSA-MK to be stored in the PKDS header record.
  • The steps to change the RSA-MK are:
    1. Disable the PKA callable services control.
    2. Load the new master key value into the new RSA-MK register. The master key will be set when the final key part is entered.
    3. Reencipher the PKDS from the old to the current master key.
    4. Refresh the PKDS with the reenciphered PKDS.
    5. Enable the PKA callable services control.

Note: The PCI Cryptographic Accelerators improve private key decryption performance. They do not require setting of master keys.





Copyright IBM Corporation 1990, 2014