z/OS Cryptographic Services ICSF Administrator's Guide


Steps for entering the first master key part

SA22-7521-17

Use the Master Key Entry panels to enter each key part. You can enter as many key parts as you like. When the new master key register is empty, the first key part must be identified as FIRST. Subsequent intermediate key parts must be identified as MIDDLE. To close the new master key register to prevent additional key parts from being loaded, the final key part must be identified as FINAL.

Important:
When entering the key part values, be aware that you may need to reenter these same key values at a later date to restore master key values that have been cleared. Make sure the key part values are recorded and saved in a secure location.

If you use the random number generator utility to generate key parts, enter each key part directly after you generate the key part data and prior to generating another key part.

To enter master key parts:

  1. Select option 1, COPROCESSOR MGMT, on the ICSF Primary menu, as shown in Figure 85, and press ENTER.
    Figure 85. Selecting the Coprocessor Management option on the primary menu panel
     CSF@PRIM --------- Integrated Cryptographic Service Facility ---------
     OPTION ===> 1
    
     Enter the number of the desired option.
    
       1  COPROCESSOR MGMT    -  Management of Cryptographic Coprocessors
       2  MASTER KEY MGMT     -  Master key set or change, CKDS/PKDS processing
       3  OPSTAT              -  Installation options
       4  ADMINCNTL           -  Administrative Control Functions
       5  UTILITY             -  ICSF Utilities
       6  PPINIT              -  Pass Phrase Master Key/KDS Initialization
       7  TKE                 -  TKE Master and Operational key processing
       8  KGUP                -  Key Generator Utility processes
       9  UDX MGMT            -  Management of User Defined Extensions
    
    
           Licensed Materials - Property of IBM
    
          5694-A01 (C) Copyright IBM Corp. 1990, 2011. All rights reserved.
          US Government Users Restricted Rights - Use, duplication or
          disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
    
     Press ENTER to go to the selected option.
     Press END   to exit to the previous menu.
     

    The ICSF Coprocessor Management panel appears (Figure 86).

  2. Select the coprocessor(s) to be processed by entering an 'E' and then pressing ENTER. Select as many coprocessors as required. This loads the same master key for all coprocessors selected.
    Note:
    During first-time initialization, the coprocessor status will be ONLINE. When a master key (AES, DES, ECC, or RSA) has been set, the status will be ACTIVE.
    Figure 86. Selecting the coprocessor on the Coprocessor Management Panel
     CSFGCMP0 ---------------- ICSF Coprocessor Management -------------
     COMMAND ===> 
    
    Select the coprocessors to be processed and press ENTER.
    Action characters are: A, D, E, K, R, and S. See the help panel for details.
    
                     Serial
      CoProcessor    Number         Status   AES   DES   ECC   RSA 
      -----------   ---------       ------   ---   ---   ---   ---- 
     __ H00                         ACTIVE                         
     __ G01          00000001       ONLINE    U     U     U     U  
     __ G02          00000002       ACTIVE    C     U     U     C  
     __ G03          00000003       ACTIVE    C     U     A     C  
     E  G04          00000004       ACTIVE    C     C     A     C  
     __ G05          00000005       ONLINE    U     C     E     U  
     __ E06          00000006       ACTIVE    C     C     -     C  
     __ G07          00000007       OFFLINE    

    The Coprocessor Management panel shows all accelerators and coprocessors, their status, and the state of the master keys for coprocessors. The panel shows an accelerator (H00), a CEX2C coprocessor (E06), and a set of CEX3C coprocessors. Accelerators do not have master keys, so their states are blank. When a coprocessor does not support a master key, a hyphen (-) is shown for its state. The master key state for coprocessors is shown as U (uninitialized), C (correct), A (active), or E (error).

    The activation procedure for non-CCF systems selects the combination of master keys that will maximize the number of active coprocessors. ICSF checks the master keys available on the system (AES, DES, ECC and RSA) and determines validity based on the master keys used for the CKDS and PKDS. The master key verification patterns (MKVPs) contained in the header of the CKDS and PKDS are compared to the MKVPs of the master keys on the coprocessors. If they match, then the master key is valid. After determining the valid master keys for the system, it then selects the set of available master keys that will maximize the number of active coprocessors.

    For example, consider the master key states for the preceding coprocessor management panel. There are 4 coprocessors with a valid AES master key. There are 3 coprocessors with a valid DES master key. There are 2 coprocessors with a valid ECC master key. There are 4 coprocessors with a valid RSA master key. If AES and RSA support is made available, then 4 coprocessors (G02, G03, G04 and E06) can be activated. This is the largest subset of the coprocessors that can be activated based on the state of the master keys. For this reason, AES and RSA support will be made available and cards G02, G03, G04 and E06 will be activated. Cards G01 and G05 will be ONLINE but not ACTIVE until their MKs are put in the proper state. DES and ECC support is not available.

    ECC master key support is based on the existence of CEX3C coprocessors. If a mixture of CEX3C coprocessors and older coprocessors exists on a system, then ECC support is based solely on the state of the CEX3C coprocessors. In our example, if the ECC MK for coprocessor G02 is loaded with a valid value, then ECC support will be available despite the fact that E06 is a CEX2C coprocessor and does not support an ECC MK.

    As coprocessor master keys are set or changed, additional function may become available. If a valid DES master key is loaded on G02 and G03 then DES functionality will become available.

  3. The ICSF Master Key Entry panel appears. See Figure 87.
    Figure 87. Master Key Entry Panel
    CSFDKE50------------- ICSF - Master Key Entry -----------------
    COMMAND ===> 
    
                  AES new master key register                : EMPTY
                  DES new master key register                : EMPTY
                  ECC new master key register                : EMPTY 
                  RSA new master key register                : EMPTY
                 
      Specify information below
        Key Type  ===> ___              (AES-MK, DES-MK, ECC-MK, RSA-MK)
    
        Part      ===> ______           (RESET, FIRST, MIDDLE, FINAL)
    
        Checksum  ===> 40
    
        Key Value ===> 51ED9CFA90716CFB
                  ===> 58403BFA02BD13E8
                  ===> 0000000000000000   (AES-MK, ECC-MK and RSA-MK only)
                  ===> 0000000000000000   (AES-MK, ECC-MK only) 
    
    
    
    
      Press ENTER to process.
      Press END   to exit to the previous menu.
     

    If you are not running on a z10 EC, z10 BC, or z196 with the Nov. 2008 or later licensed internal code (LIC), AES keys are not supported. If you are not running a CEX3C coprocessor with the Sept. 2010 or later LIC, ECC keys are not supported.

  4. Fill in the panel:
    1. Enter the master key type in the Key Type field.

      In this example we are entering the DES-MK master key.

    2. Enter FIRST in the Part field.
    3. Enter the two-digit checksum and the two 16-digit key values (if you did not use the random number generator utility).
    4. Make sure you have recorded the two 16-digit key values. You may need to reenter these same values at a later date to restore master key values that have been cleared. Make sure all master key parts you enter are recorded and saved in a secure location.
    5. When all the fields are complete, press ENTER.

      If the checksum entered in the checksum field matches the checksum that the master key entry utility calculated, the key part is accepted. The message at the top of the panel states KEY PART LOADED, as shown in Figure 88. The new master key register status changes to PART FULL. The verification pattern and hash pattern that are calculated for the key part appear near the bottom of the panel. Compare them with the patterns generated by the random number generator or provided by the person who gave you the key part value to enter.

    6. Record the verification pattern and hash pattern.
      Figure 88. The Master Key Entry Panel Following Key Part Entry
       CSFDKE60 -------------- ICSF - Master Key Entry --- KEY PART LOADED
       COMMAND ===> 
      
                  AES new master key register                      : EMPTY
                  DES new master key register                      : PART FULL 
                  ECC new master key register                      : EMPTY
                  RSA new master key register                      : EMPTY 
                   
      
        Specify information below
          Key Type  ===> DES-MK      (AES-MK, DES-MK, ECC-MK, RSA-MK)
      
          Part      ===> FIRST       (RESET, FIRST, MIDDLE, FINAL)
      
          Checksum  ===> 00
      
          Key Value ===> 0000000000000000
                    ===> 0000000000000000
                    ===> 0000000000000000   (AES-MK, ECC-MK, and RSA-MK only)
                    ===> 0000000000000000   (AES-MK, ECC-MK only)
      
      
      
      
      Entered key part VP: 0CCE190A63546489  HP: 9C92A343479D33F2 66229FCD55B49C26
      
                           (Record and secure these patterns)
       
        Press ENTER to process.
        Press END   to exit to the previous menu.
  5. If the checksums do not match, the message Invalid Checksum appears. If this occurs, follow this sequence to resolve the problem:
    1. Reenter the checksum.
    2. If you still get a checksum error, recalculate the checksum.
    3. If your calculations result in a different value for the checksum, enter the new value.
    4. If your calculations result in the same value for the checksum, or if a new checksum value does not resolve the error, reenter the key part halves and checksum.

When you have entered the first key part successfully, continue with:





Copyright IBM Corporation 1990, 2014