z/OS Cryptographic Services ICSF Administrator's Guide


Steps for entering the final key part

SA22-7521-17

After you enter the first key part and any intermediate key parts, enter the final master key part.

  1. Select option 1, COPROCESSOR MGMT, on the ICSF Primary menu and press ENTER.

    The Coprocessor Management panel appears.

  2. Select the coprocessor(s) to be processed by entering an 'E' on the Coprocessor Management panel.
  3. Press ENTER. The Master Key Entry panel appears.
    Figure 45. The Master Key Entry Panel when entering Final Key Values
     CSFDKE10 -------------- ICSF - Master Key Entry ---------
     COMMAND ===> 
    
                  CCF DES/PCICC SYM-MK new master key register     : PART FULL
                  CCF Signature/PCICC ASYM-MK master key register  : EMPTY 
                  CCF Key management master key register           : EMPTY
    
    
      Specify information below
        Key Type  ===>  ___          (DES, SMK, KMMK, ALL-PKA)
    
        Part      ===>  ________     (RESET, FIRST, MIDDLE, FINAL)
    
       
        Checksum  ===> 4A
    
        Key Value ===> 8697ACDC2431BABA
                  ===> CE369D24680E9753
                  ===> 0000000000000000   (SMK, KMMK and ALL-PKA only)
    
    
    
      Press ENTER to process.
      Press END   to exit to the previous menu.
     
  4. Fill in the panel:
    1. Enter the master key type in the Key Type field.

      In this example we are continuing to enter the DES master key.

    2. Enter FINAL in the Part field.
    3. Enter the two-digit checksum and the two 16-digit key values (if you did not generate them with the random number generator).
    4. Make sure you have recorded the two 16-digit key values. You may need to reenter these same values at a later date to restore master key values that have been cleared. Make sure all master key parts you enter are recorded and saved in a secure location.
    5. When all the fields are complete, press ENTER.

      If the checksum entered in the checksum field matches the checksum that the Cryptographic Coprocessor Feature calculated, the key part is accepted. The message at the top of the panel states KEY PART LOADED, as shown in Figure 46. The new master key register status changes to FULL. The verification pattern and hash pattern that are calculated for the key part appear near the bottom of the panel. Compare them with the patterns generated by the random number generator or provided by the person who gave you the key part value to enter.

    6. Record the verification pattern and hash pattern.
      Figure 46. The Master Key Entry Panel with Final Key Values
       CSFDKE10 -------------- ICSF - Master Key Entry ------  KEY PART LOADED
       COMMAND ===> 
      
                    CCF DES/PCICC SYM-MK new master key register     : FULL
                    CCF Signature/PCICC ASYM-MK master key register  : EMPTY 
                    CCF Key management master key register           : EMPTY
      
      
        Specify information below
          Key Type  ===>  DES          (DES, SMK, KMMK, ALL-PKA)
      
          Part      ===>  FINAL        (RESET, FIRST, MIDDLE, FINAL)
      
          Checksum  ===>  00
      
          Key Value ===> 0000000000000000
                    ===> 0000000000000000
                    ===> 0000000000000000   (SMK, KMMK and ALL-PKA only)
      
        Entered key part VP: 8D8A000BE067EBF7 HP: 9D92F343479D77F2 229FD4CDB49C2679
        Master Key       VP: 8F887096A8D4922C HP: 4C887096A8D4922B 33387096A8D4922B
                           (Record and secure these patterns)
       
  5. If the checksums do not match, the message Invalid Checksum appears. If this occurs, follow this sequence to resolve the problem:
    1. Reenter the checksum.
    2. If you still get a checksum error, recalculate the checksum.
    3. If your calculations result in a different value for the checksum, enter the new value.
    4. If your calculations result in the same value for the checksum, or if a new checksum value does not resolve the error, reenter the key part halves and checksum.
  6. When you have entered the final key part successfully, it is combined with the first key part and any intermediate key parts in the new master key register.

    The new master key register status is now FULL, and the panel displays two verification patterns and two hash patterns: one set for the final key part and one for the new master key, which is now complete.

  7. Check that the key part verification pattern or hash pattern you may have previously calculated matches the verification pattern or hash pattern that is shown on the panel. If they do not match, you may want to restart the key entry process. For information on how to restart the key entry process, see Steps for restarting the key entry process.
  8. Record the verification pattern and hash pattern for the new master key, because you may want to verify it at another time.
    Note:
    When you initialize or reencipher a CKDS, ICSF places the verification pattern for the DES master key into the CKDS header record.

When you have entered the master key parts correctly, they are in the new master key registers and are not active on the system.
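
The checks in steps 4 through 8 can also be applied to panel text captured in a session log. The following Python is an added example, not part of the IBM guide or of ICSF; the function names and the idea of a captured log are assumptions, and the sample panel text is constructed from Figure 46.

```python
import re

# Constructed sample: the Figure 46 panel as it might appear in a session log.
PANEL = """\
 CSFDKE10 -------------- ICSF - Master Key Entry ------  KEY PART LOADED
   CCF DES/PCICC SYM-MK new master key register     : FULL
   CCF Signature/PCICC ASYM-MK master key register  : EMPTY
   Entered key part VP: 8D8A000BE067EBF7 HP: 9D92F343479D77F2 229FD4CDB49C2679
   Master Key       VP: 8F887096A8D4922C HP: 4C887096A8D4922B 33387096A8D4922B
"""

PATTERN_RE = re.compile(
    r"^\s*(Entered key part|Master Key)\s+VP:\s*([0-9A-F]{16})\s+"
    r"HP:\s*([0-9A-F]{16})\s+([0-9A-F]{16})\s*$", re.M)
REGISTER_RE = re.compile(
    r"^\s*(.+?register)\s*:\s*(EMPTY|PART FULL|FULL)\s*$", re.M)
DES_NEW_MK = "CCF DES/PCICC SYM-MK new master key register"


def parse_panel(text):
    """Extract the message, register states and VP/HP values from panel text."""
    lines = text.strip().splitlines()
    first = lines[0].rstrip() if lines else ""
    return {
        "loaded": first.endswith("KEY PART LOADED"),
        "registers": dict(REGISTER_RE.findall(text)),
        "patterns": {label: {"VP": vp, "HP": hp1 + hp2}
                     for label, vp, hp1, hp2 in PATTERN_RE.findall(text)},
    }


def check_final_part(text, recorded, register=DES_NEW_MK):
    """Return the reasons to restart key entry; an empty list means all checks pass.

    recorded maps a panel label ("Entered key part" or "Master Key") to the
    VP/HP values written down from the key part holder or the generator.
    """
    panel = parse_panel(text)
    problems = []
    if not panel["loaded"]:
        problems.append("KEY PART LOADED message not shown")
    if panel["registers"].get(register) != "FULL":
        problems.append("new master key register is not FULL")
    for label, expected in recorded.items():
        shown = panel["patterns"].get(label, {})
        for kind, value in expected.items():
            if shown.get(kind) != value.replace(" ", "").upper():
                problems.append(f"{label} {kind} does not match the recorded value")
    return problems
```
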

Note:
Ensure that the new master key is installed on all cryptographic coprocessors.

When you enter the master keys, you should do one of these:





Copyright IBM Corporation 1990, 2014