When you enter the first key part, and any intermediate key parts,
you then enter the final master key part.
- Select option 1, COPROCESSOR MGMT, on the ICSF Primary menu
and press ENTER.
The Coprocessor Management panel appears.
- Select the coprocessor(s) to be processed by entering an 'E'
on the Coprocessor Management panel.
- When pressing ENTER, the Master Key Entry panel appears.
Figure 45. The Master Key Entry Panel when entering Final Key Values
CSFDKE10 -------------- ICSF - Master Key Entry ---------
COMMAND ===>
CCF DES/PCICC SYM-MK new master key register : PART FULL
CCF Signature/PCICC ASYM-MK master key register : EMPTY
CCF Key management master key register : EMPTY
Specify information below
Key Type ===> ___ (DES, SMK, KMMK, ALL-PKA)
Part ===> ________ (RESET, FIRST, MIDDLE, FINAL)
Checksum ===> 4A
Key Value ===> 8697ACDC2431BABA
===> CE369D24680E9753
===> 0000000000000000 (SMK, KMMK and ALL-PKA only)
Press ENTER to process.
Press END to exit to the previous menu.
- Fill in the panel
- Enter the master key type in the Key Type field.
In this example
we are continuing to enter the DES master key.
- Enter FINAL in the Part field.
- Enter the two-digit checksum and the two 16-digit key values (if
you did not use random number generate).
- Make sure you have recorded the two 16-digit key values.
You may need to reenter these same values at a later date to restore
master key values that have been cleared. Make sure
all master key parts you enter are recorded and saved in a secure
location.
- When all the fields are complete, press ENTER.
If the checksum
entered in the checksum field matches the checksum that the Cryptographic Coprocessor Feature calculated,
the key part is accepted. The message at the top of the panel states KEY
PART LOADED, as shown in Figure 46. The new master
key register status changes to FULL.
The verification pattern and hash pattern that
are calculated for the key part appear near the bottom of the panel.
Compare them with the patterns generated by the random number generator
or provided by the person who gave you the key part value to enter.
- Record the verification pattern and hash pattern.
Figure 46. The Master Key Entry Panel with Final Key Values
CSFDKE10 -------------- ICSF - Master Key Entry ------ KEY PART LOADED
COMMAND ===>
CCF DES/PCICC SYM-MK new master key register : FULL
CCF Signature/PCICC ASYM-MK master key register : EMPTY
CCF Key management master key register : EMPTY
Specify information below
Key Type ===> DES (DES, SMK, KMMK, ALL-PKA)
Part ===> FINAL (RESET, FIRST, MIDDLE, FINAL)
Checksum ===> 00
Key Value ===> 0000000000000000
===> 0000000000000000
===> 0000000000000000 (SMK, KMMK and ALL-PKA only)
Entered key part VP: 8D8A000BE067EBF7 HP: 9D92F343479D77F2 229FD4CDB49C2679
Master Key VP: 8F887096A8D4922C HP: 4C887096A8D4922B 33387096A8D4922B
(Record and secure these patterns)
- If the checksums do not match, the message Invalid Checksum appears.
If this occurs, follow this sequence to resolve the problem:
- Reenter the checksum.
- If you still get a checksum error, recalculate the checksum.
- If your calculations result in a different value for the checksum,
enter the new value.
- If your calculations result in the same value for the checksum,
or if a new checksum value does not resolve the error, reenter the
key part halves and checksum.
- When you have entered the final key part successfully, it is combined
with the first key part and any intermediate key parts in the new
master key register.
The new master key register status is now FULL, and the panel
displays two verification patterns and two hash patterns. It gives
you verification patterns and hash patterns for both the final key
part and the new master key, since it is now complete.
- Check that the key part verification pattern or hash pattern
you may have previously calculated matches the verification pattern
or hash pattern that is shown on the panel. If they do not, you may
want to restart the key entry process. For information on how to restart
the key entry process, see Steps for restarting the key entry process.
- Record the verification pattern and hash pattern
for the new master key, because you may want to verify it at another
time.
Note:
When you initialize or reencipher a CKDS, ICSF places
the verification pattern for the DES master key into the CKDS header
record.
When you have entered the master key parts correctly, they are
in the new master key registers and are not active on the system.
Note:
Ensure that the new master key is installed on all cryptographic
coprocessors. When you enter the master keys, you
should do one of these:
|