z/OS Cryptographic Services ICSF Administrator's Guide


Steps for changing PKA master keys

SA22-7521-17

To change the PKA master keys:

  1. Disable the PKA callable services as described previously.
  2. Return to the primary menu and select option 1, COPROCESSOR MGMT, and press enter.

    The Coprocessor Management panel appears.

    Figure 64. Selecting the coprocessor on the Coprocessor Management Panel
     CSFCMP00 ---------------- ICSF Coprocessor Management -------------
     COMMAND ===> 
    
    Select the coprocessors to be processed and press ENTER.
    Action characters are: A, D, E, R, and S. See the help panel for details.
    
    COPROCESSOR  MODULE ID/SERIAL NUMBER                  STATUS
    -----------  -------------------------------          -------
    
    _ A06                                                  ACTIVE
    _ A07                                                  ACTIVE
    E C0         E589C396944007A6 5D40369997A386F4         ACTIVE
    E C1         0AA379BFD2387960 0367DC04533125FF         ACTIVE
    E P00        41-00YE1                                  ACTIVE
    E P01        41-00K11                                  ACTIVE
    E P02        41-0A355                                  ACTIVE
    _ P03        41-0BA3F                                  ONLINE
    _ P04        41-0RT2T                                  DEACTIVATED
    _ P05        41-00342                                  DISABLED    
     
  3. Select the coprocessor(s) for PKA master key entry by entering 'E' before the coprocessor and pressing enter.

    The Master Key Entry panel appears. See Figure 65. You must first select RESET to clear the contents of the registers before you can set a new key value.

    In this example, ALL-PKA is entered as the Key Type because the SMK and the KMMK have the same value (ALL-PKA loads the SMK, KMMK and ASYM-MK registers from one set of key parts). If the SMK and KMMK differ, the Key Type SMK is used instead.

    Figure 65. The Master Key Entry Panel to Reset Registers
     CSFDKE10 -------------- ICSF - Master Key Entry ---------
     COMMAND ===> 
    
                  CCF DES/PCICC SYM-MK new master key register     : EMPTY
                  CCF Signature/PCICC ASYM-MK master key register  : NOT THE SAME 
                  CCF Key management master key register           : FULL
    
    
      Specify information below
        Key Type  ===> ALL-PKA      (DES, SMK, KMMK, ALL-PKA)
    
        Part      ===> RESET        (RESET, FIRST, MIDDLE, FINAL)
    
     
        Checksum  ===> 00
    
        Key Value ===> 0000000000000000
                  ===> 0000000000000000
                  ===> 0000000000000000   (SMK, KMMK and ALL-PKA only) 
  4. When you select RESET, the Restart Key Entry Process panel is displayed. See Figure 66.

    This panel confirms your request to restart the key entry process. Press ENTER.

    Figure 66. Confirm Restart Request Panel
     CSFDKE40 -------------- ICSF - Restart Key Entry Process -------------
    
    
     ARE YOU SURE YOU WISH TO RESTART THE KEY ENTRY PROCESS?
    
    
       Restarting the process will clear the ALL-PKA master key register.
    
    
      WARNING:  Resetting the KMMK or SMK will invalidate any private
                internal key tokens in the PKDS
    
    
    Press ENTER to confirm restart request
    Press END   to  cancel restart request
     
  5. The Master Key Entry panel again appears. See Figure 67. Enter the type of PKA master key you are changing and enter the key part.
    Figure 67. The Master Key Entry Panel with First Key Values
     CSFDKE10 -------------- ICSF - Master Key Entry --------- 
     COMMAND ===> 
    
                  CCF DES/PCICC SYM-MK new master key register     : EMPTY
                  CCF Signature/PCICC ASYM-MK master key register  : EMPTY 
                  CCF Key management master key register           : EMPTY
    
    
      Specify information below
        Key Type  ===> ALL-PKA      (DES, SMK, KMMK, ALL-PKA)
    
        Part      ===> FIRST        (RESET, FIRST, MIDDLE, FINAL)
    
     
        Checksum  ===> 59
    
        Key Value ===> 8F887096A8D4922B
                  ===> 75D1189666F4DAA7
                  ===> 9B28AEFA8C47760F  (SMK, KMMK and ALL-PKA only) 
    
     
  6. Fill in the panel:
    1. Enter the master key type in the Key Type field.

      In this example we are entering ALL-PKA. A PKA master key requires at least two key parts. You may enter additional key parts if necessary. ALL-PKA includes the SMK, KMMK and ASYM-MK.

    2. Enter FIRST in the Part field.
    3. Enter the two-digit checksum and the three 16-digit key values (unless you used the random number generation utility to fill them in).
    4. Make sure you have recorded the three 16-digit key values. You may need to reenter these same values at a later date to restore master key values that have been cleared. Make sure all master key parts you enter are recorded and saved in a secure location.
    5. When all the fields are complete, press ENTER.

      If the checksum entered in the checksum field matches the checksum that the cryptographic coprocessor calculated, the key part is accepted. The message at the top of the panel will now state KEY PART LOADED.

      The Signature/PCICC ASYM-MK register status and KMMK status change to PART FULL. The hash pattern that is calculated for the key part appears near the bottom of the panel. Compare it with the pattern generated by the checksum, VP, HP utility or provided by the person who gave you the key part value to enter.

    6. Record the hash pattern.
  7. If the checksums do not match, the message Invalid Checksum appears. If this occurs, follow this sequence to resolve the problem:
    1. Reenter the checksum.
    2. If you still get a checksum error, recalculate the checksum.
    3. If your calculations result in a different value for the checksum, enter the new value.
    4. If your calculations result in the same value for the checksum, or if a new checksum value does not resolve the error, reenter all of the key value lines and the checksum.
  8. Now enter the FINAL key part.
    Figure 68. The Master Key Entry Panel with Final Key Values
     CSFDKE10 -------------- ICSF - Master Key Entry ---------
     COMMAND ===> 
    
                  CCF DES/PCICC SYM-MK new master key register     : EMPTY
                  CCF Signature/PCICC ASYM-MK master key register  : NOT THE SAME 
                  CCF Key management master key register           : FULL
    
    
      Specify information below
        Key Type  ===> ALL-PKA      (DES, SMK, KMMK, ALL-PKA)
    
        Part      ===> FINAL        (RESET, FIRST, MIDDLE, FINAL)
    
     
        Checksum  ===> 53
    
        Key Value ===> 8FDAD096A8D4922B
                  ===> 75D1189ADAF4DAA7
                  ===> 9B28333A8C47760F  (SMK, KMMK and ALL-PKA only) 
    
     
  9. Fill in the panel:
    1. Enter the master key type in the Key Type field.

      In this example we are entering ALL-PKA. ALL-PKA includes the SMK, KMMK and ASYM-MK.

    2. Enter FINAL in the Part field.
    3. Enter the two-digit checksum and the three 16-digit key values (unless you used the random number generation utility to fill them in).
    4. Make sure you have recorded the three 16-digit key values. You may need to reenter these same values at a later date to restore master key values that have been cleared. Make sure all master key parts you enter are recorded and saved in a secure location.
    5. When all the fields are complete, press ENTER.

      If the checksum entered in the checksum field matches the checksum that the cryptographic coprocessor calculated, the key part is accepted. The message at the top of the panel states KEY PART LOADED, as shown in Figure 68.

      The Signature/PCICC ASYM-MK master key register status changes to NOT THE SAME. This is because the PCICC current ASYM-MK register is loaded with the value in the new master key register and the new ASYM-MK register is empty. The KMMK status changes to FULL.

      The hash pattern that is calculated for the key part appears near the bottom of the panel. Compare it with the pattern generated by the checksum, VP, HP utility or provided by the person who gave you the key part value to enter.

    6. Record the hash pattern.
  10. If the checksums do not match, the message Invalid Checksum appears. If this occurs, follow this sequence to resolve the problem:
    1. Reenter the checksum.
    2. If you still get a checksum error, recalculate the checksum.
    3. If your calculations result in a different value for the checksum, enter the new value.
    4. If your calculations result in the same value for the checksum, or if a new checksum value does not resolve the error, reenter all of the key value lines and the checksum.
  11. When you have entered the PKA master keys correctly, the PKA master key registers become active as soon as the final key part is loaded. You must then reencipher and activate the PKDS (see Steps for reenciphering and refreshing the PKDS) and enable the PKA callable services (see Steps for enabling and disabling PKA services). Also enable PKDS Read and PKDS Write, Create and Delete.
  12. When changing the master key, remember to change the name of the PKDS in the Installation Options Data Set.
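The steps above rely on two things the custodians do off the panel: each person generates and records one key part as the three 16-digit Key Value lines, and the same recorded lines are re-entered later to restore a cleared register. The following Python script is an added example, not code from the ICSF Administrator's Guide or from ICSF itself; it rehearses that dual-control handling for the 24-byte PKA master key. It assumes that ICSF combines the FIRST, MIDDLE and FINAL parts by exclusive OR (the page does not state the combination rule), and it does not reproduce the two-digit checksum, which must still come from the ICSF checksum/VP/HP utility. The function and variable names are the example's own.

```python
# Added example (not from the ICSF Administrator's Guide). Dry run of the
# split-knowledge handling of a 24-byte PKA master key: each custodian holds
# one key part, writes it down as the three 16-hex-digit "Key Value ===>"
# lines of panel CSFDKE10, and the recorded lines are re-entered to restore
# the key. ASSUMPTION: parts are combined by exclusive OR; the page does not
# state the rule. The two-digit checksum is NOT computed here: use the ICSF
# checksum/VP/HP utility for that before entering a part.
import secrets
from typing import List

KEY_PART_BYTES = 24   # SMK, KMMK and ALL-PKA: three 16-hex-digit lines = 24 bytes
LINE_HEX_DIGITS = 16  # width of one "Key Value ===>" line on CSFDKE10


def _xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def generate_key_part() -> bytes:
    """One custodian's key part, drawn from the OS CSPRNG."""
    return secrets.token_bytes(KEY_PART_BYTES)


def panel_lines(part: bytes) -> List[str]:
    """Render a 24-byte part as the three uppercase hex lines the panel takes."""
    if len(part) != KEY_PART_BYTES:
        raise ValueError("PKA key part must be exactly 24 bytes")
    h = part.hex().upper()
    return [h[i:i + LINE_HEX_DIGITS] for i in range(0, len(h), LINE_HEX_DIGITS)]


def parse_panel_lines(lines: List[str]) -> bytes:
    """Inverse of panel_lines: validate the recorded lines and rebuild the part."""
    if len(lines) != 3 or any(len(ln) != LINE_HEX_DIGITS for ln in lines):
        raise ValueError("expected exactly three 16-hex-digit lines")
    return bytes.fromhex("".join(lines))  # raises ValueError on non-hex input


def combine_key_parts(parts: List[bytes]) -> bytes:
    """Assumed XOR combination of the FIRST, MIDDLE... and FINAL parts.
    A PKA master key requires at least two parts, as the panel text says."""
    if len(parts) < 2:
        raise ValueError("a PKA master key requires at least two key parts")
    key = bytes(KEY_PART_BYTES)
    for p in parts:
        if len(p) != KEY_PART_BYTES:
            raise ValueError("every key part must be 24 bytes")
        key = _xor(key, p)
    return key


def split_key(master_key: bytes, n_parts: int = 2) -> List[bytes]:
    """Re-split a known key value into n_parts for redistribution to new
    custodians: all parts but the last are random, the last is chosen so
    that the XOR of all parts equals master_key. No single part, and no
    subset short of all of them, determines the key."""
    if len(master_key) != KEY_PART_BYTES:
        raise ValueError("master key value must be 24 bytes")
    if n_parts < 2:
        raise ValueError("need at least two parts")
    parts = [generate_key_part() for _ in range(n_parts - 1)]
    last = master_key
    for p in parts:
        last = _xor(last, p)
    return parts + [last]


def key_entry_ceremony(n_custodians: int = 2) -> dict:
    """Rehearse the FIRST..FINAL sequence with n custodians. Returns the lines
    each custodian writes down and whether re-entering exactly those recorded
    lines restores the same key value the registers ended up holding."""
    parts = [generate_key_part() for _ in range(n_custodians)]
    recorded = [panel_lines(p) for p in parts]        # what each custodian keeps
    loaded = combine_key_parts(parts)                 # value after FINAL is loaded
    restored = combine_key_parts([parse_panel_lines(r) for r in recorded])
    return {"recorded": recorded, "restored_ok": restored == loaded}


if __name__ == "__main__":
    result = key_entry_ceremony(2)
    for i, lines in enumerate(result["recorded"], start=1):
        print(f"custodian {i} records:", " ".join(lines))
    print("re-entry restores the same key:", result["restored_ok"])
```

Because XOR is commutative, the order in which the parts are loaded does not change the resulting key, so custodians need not be present in a fixed sequence; what does matter is that every recorded part is kept separately, since the full set of parts is the key. Run the script to rehearse a two-custodian entry offline before the real one, and never store two custodians' parts in the same place.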





Copyright IBM Corporation 1990, 2014