z/OS Cryptographic Services ICSF Administrator's Guide


Steps for entering the first master key part

SA22-7521-17

Use the Master Key Entry panels to enter each key part. You can enter as many key parts as you like. When the new master key register is empty, the first key part must be identified as FIRST. Subsequent intermediate key parts must be identified as MIDDLE. To close the new master key register to prevent additional key parts from being loaded, the final key part must be identified as FINAL.

Important:
When entering key part values, be aware that you may need to reenter these same key values at a later date to restore master key values that have been cleared. Make sure the key parts are recorded and saved in a secure location.

If you use the random number generator utility to generate key parts, enter each key part directly after you generate the key part data and when generating another key part.

To enter master key parts:

  1. Select option 1, COPROCESSOR MGMT, on the ICSF Primary menu, as shown in Figure 39, and press ENTER.
    Figure 39. Selecting the Coprocessor Management option on the primary menu panel
     CSF@PRIM --------- Integrated Cryptographic Service Facility ---------
     OPTION ===> 1
    
     Enter the number of the desired option.
    
       1  COPROCESSOR MGMT    -  Management of Cryptographic Coprocessors
       2  MASTER KEY MGMT     -  Master key set or change, CKDS/PKDS processing
       3  OPSTAT              -  Installation options
       4  ADMINCNTL           -  Administrative Control Functions
       5  UTILITY             -  ICSF Utilities
       6  PPINIT              -  Pass Phrase Master Key/KDS Initialization
       7  TKE                 -  TKE Master and Operational key processing
       8  KGUP                -  Key Generator Utility processes
       9  UDX MGMT            -  Management of User Defined Extensions
    
    
           Licensed Materials - Property of IBM
    
          5694-A01 (C) Copyright IBM Corp. 1990, 2011. All rights reserved.
          US Government Users Restricted Rights - Use, duplication or
          disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
    
     Press ENTER to go to the selected option.
     Press END   to exit to the previous menu.
     

    The ICSF Coprocessor Management panel appears (Figure 40).

  2. Select the coprocessor(s) to be processed by entering an 'E' and then pressing ENTER. Select as many coprocessors as required. This loads the same master key for all coprocessors selected.
    Note:
    During first time initialization, the coprocessor status will be ONLINE. When the master keys are set, status will be ACTIVE.
    Figure 40. Selecting the coprocessor on the Coprocessor Management Panel
     CSFCMP00 ---------------- ICSF Coprocessor Management -------------
     COMMAND ===> 
    
    Select the coprocessors to be processed and press ENTER.
    Action characters are: A, D, E, R, and S. See the help panel for details.
    
    COPROCESSOR  MODULE ID/SERIAL NUMBER                  STATUS
    -----------  -------------------------------          -------
    
    _ A06                                                  ACTIVE
    _ A07                                                  ACTIVE
    E C0         E589C396944007A6 5D40369997A386F4         ONLINE
    E C1         0AA379BFD2387960 0367DC04533125FF         ONLINE
    E P00        41-00YE1                                  ONLINE
    E P01        41-00K11                                  ONLINE
    E P02        41-0A355                                  ONLINE
    E P03        41-0BA3F                                  ONLINE
    _ P04        41-0RT2T                                  DEACTIVATED
    _ P05        41-00342                                  DISABLED    
     
  3. The ICSF Master Key Entry panel appears. See Figure 41.
    Figure 41. Master Key Entry Panel
    CSFDKE10------------- ICSF - Master Key Entry -----------------
    COMMAND ===> 
    
                  CCF DES/PCICC SYM-MK new master key register     : EMPTY
                  CCF Signature/PCICC ASYM-MK master key register  : EMPTY 
                  CCF Key management master key register           : EMPTY
    
    
      Specify information below
        Key Type  ===> ___                (DES, SMK, KMMK, ALL-PKA)
    
        Part      ===> ______             (RESET, FIRST, MIDDLE, FINAL)
    
        Checksum  ===> 40
    
        Key Value ===> 51ED9CFA90716CFB
                  ===> 58403BFA02BD13E8
                  ===> 0000000000000000   (SMK, KMMK and ALL-PKA only)
    
    
      Press ENTER to process.
      Press END   to exit to the previous menu.
      
  4. Fill in the panel:
    1. Enter the master key type in the Key Type field.

      In this example we are entering the DES master key.

    2. Enter FIRST in the Part field.
    3. Enter the two-digit checksum and the two 16-digit key values (if you did not use the random number generator).
    4. Make sure you have recorded the two 16-digit key values. You may need to reenter these same values at a later date to restore master key values that have been cleared. Make sure all master key parts you enter are recorded and saved in a secure location.
    5. When all the fields are complete, press ENTER.

      If the checksum entered in the checksum field matches the checksum that the Cryptographic Coprocessor Feature calculated, the key part is accepted. The message at the top of the panel states KEY PART LOADED, as shown in Figure 42. The new master key register status changes to PART FULL. The verification pattern and hash pattern that are calculated for the key part appear near the bottom of the panel. Compare them with the patterns generated by the random number generator or provided by the person who gave you the key part value to enter.

    6. Record the verification pattern and hash pattern.
      Figure 42. The Master Key Entry Panel Following Key Part Entry
       CSFDKE10 -------------- ICSF - Master Key Entry --- KEY PART LOADED
       COMMAND ===> 
      
                  CCF DES/PCICC SYM-MK new master key register     : PART FULL
                  CCF Signature/PCICC ASYM-MK master key register  : EMPTY 
                  CCF Key management master key register           : EMPTY
      
      
        Specify information below
          Key Type  ===> DES         (DES, SMK, KMMK, ALL-PKA)
      
          Part      ===> FIRST       (RESET, FIRST, MIDDLE, FINAL)
      
          Checksum  ===> 00
      
          Key Value ===> 0000000000000000
                    ===> 0000000000000000
                    ===> 0000000000000000   (SMK, KMMK and ALL-PKA only)
      
      
      Entered key part VP: 0CCE190A63546489  HP: 9C92A343479D33F2 66229FCD55B49C26
      
                           (Record and secure these patterns)
       
        Press ENTER to process.
        Press END   to exit to the previous menu.
       
  5. If the checksums do not match, the message Invalid Checksum appears. If this occurs, follow this sequence to resolve the problem:
    1. Reenter the checksum.
    2. If you still get a checksum error, recalculate the checksum.
    3. If your calculations result in a different value for the checksum, enter the new value.
    4. If your calculations result in the same value for the checksum, or if a new checksum value does not resolve the error, reenter the key part halves and checksum.
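The part-ordering rule and the verification pattern comparison from this procedure can be replayed over a key-ceremony log, as in this added example (not IBM code and not part of the guide). The `Entry` record, the `audit` function, the "CLOSED" state label and the treatment of RESET as emptying the register are assumptions of the example; the log holds only verification patterns, never key values.

```python
import re
from dataclasses import dataclass

PARTS = ("FIRST", "MIDDLE", "FINAL")
HEX16 = re.compile(r"[0-9A-F]{16}")

@dataclass
class Entry:
    part: str         # value typed in the Part field
    panel_vp: str     # VP displayed after KEY PART LOADED
    expected_vp: str  # VP from the generator or the key-part provider

def audit(entries):
    """Replay a ceremony log; return (register_state, findings)."""
    state, findings = "EMPTY", []
    for n, e in enumerate(entries, 1):
        if e.part == "RESET":          # assumption: RESET empties the register
            state = "EMPTY"
            continue
        if e.part not in PARTS:
            findings.append(f"entry {n}: unknown part {e.part!r}")
        elif state == "CLOSED":        # "CLOSED" is this example's own label
            findings.append(f"entry {n}: {e.part} entered after FINAL")
        elif state == "EMPTY" and e.part != "FIRST":
            findings.append(f"entry {n}: {e.part} entered into an EMPTY register")
        elif state == "PART FULL" and e.part == "FIRST":
            findings.append(f"entry {n}: FIRST entered into a PART FULL register")
        else:
            if not (HEX16.fullmatch(e.panel_vp) and HEX16.fullmatch(e.expected_vp)):
                findings.append(f"entry {n}: VP is not 16 hex digits")
            elif e.panel_vp != e.expected_vp:
                findings.append(f"entry {n}: panel VP differs from expected VP")
            state = "CLOSED" if e.part == "FINAL" else "PART FULL"
    return state, findings

# Constructed logs: the first VP is the one shown in Figure 42, the rest are made up.
GOOD = [
    Entry("FIRST", "0CCE190A63546489", "0CCE190A63546489"),
    Entry("MIDDLE", "1111222233334444", "1111222233334444"),
    Entry("FINAL", "AAAABBBBCCCCDDDD", "AAAABBBBCCCCDDDD"),
]
BAD = [
    Entry("MIDDLE", "1111222233334444", "1111222233334444"),  # register still EMPTY
    Entry("FIRST", "0CCE190A63546489", "0CCE190A6354648A"),   # pattern mismatch
]

if __name__ == "__main__":
    for name, log in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(log))
```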

When you have entered the first key part successfully, continue with:





Copyright IBM Corporation 1990, 2014