z/OS Cryptographic Services ICSF Administrator's Guide


Steps for running PPINIT on a PCIXCC, CEX2C, or CEX3C system

SA22-7521-17

When initializing only new PCIXCCs, CEX2Cs, or CEX3Cs, at least one card must be active and PKA callable services must be enabled.

If you are running on a:

The Pass Phrase MK/CKDS/PKDS Initialization panel appears. See Figure 13.

Figure 13. ICSF Pass Phrase MK/CKDS/PKDS Initialization Panel
 CSFPMC10 ------- ICSF - Pass Phrase MK/CKDS/PKDS Initialization ---
 Command ===>
 Enter your pass phrase (16 to 64 characters)
   ===>

 Select one of the initialization actions then press ENTER to process.

_ Initialize system - Load the DES and asymmetric master keys to all
    coprocesors and initialize the CKDS and the PKDS.  
    CKDS ===>
    PKDS ===>

_ Reinitialize system - Load the DES and asymmetric master keys to all
    coprocesors and make the specified CKDS and the PKDS the current key data
    sets. 
    CKDS ===>
    PKDS ===>


 _ Add coprocessors - Initialize additional online coprocessors with the 
   same DES and asymmetric master keys.


 Press ENTER to process.
 Press END   to exit to the previous menu.

 
  1. Type the pass phrase and the data set names in the spaces that are provided. Make sure you save the pass phrase and store it in a secure place.
    Notes:
    1. The same pass phrase will always produce the same master key values, and is therefore as critical and sensitive as the master key values themselves. Make sure you save the pass phrase so that you can later reenter it if needed (for example, if you need to restore master key values that have been cleared). Because of the sensitive nature of the pass phrase, make sure you secure it in a safe place.
    2. If you are reentering master keys when they have been cleared, use the same pass phrase as when you originally entered the keys. If you are adding coprocessors or missing master keys, use the same pass phrase you used when you initialized the system.
  2. Select one of the following initialization actions:
    • Select 'Initialize system' if this is the first time you are running the pass phrase initialization utility.

      Fill in the CKDS and PKDS fields with the names of two valid VSAM data sets that have not been initialized.

    • Select 'Reinitialize system' if there is an existing CKDS and PKDS.

      The CKDS and PKDS must have already been initialized with the pass phrase initialization utility and the identical pass phrase.

      ICSF checks and refreshes the existing CKDS and PKDS.

      When using PPINIT with a system where coprocessors have been initialized with PPINIT (the CKDS/PKDS are initialized), keep in mind:

      • If the CKDS and PKDS were initialized with the same pass phrase, the 'Reinitialize system' option will process active coprocessors, and online processors will become active. However, if the coprocessor supports any additional master key type and there is no MKVP in the KDS for the key type, the master key will not become active during reinitialization. To initialize online coprocessors in this scenario, use the 'Add coprocessors' option.
      • When the CKDS and PKDS were initialized with a different pass phrase, 'Reinitialize system' will fail.
    • Select 'Add coprocessors' if you have already initialized your system with the Pass Phrase Initialization utility and now want to initialize new PCI cards.
    Figure 14. Entering Options on the Pass Phrase MK/CKDS/PKDS Initialization Panel
     CSFPMC10 ------- ICSF - Pass Phrase MK/CKDS/PKDS Initialization ---
     Command ===>
     Enter your pass phrase (16 to 64 characters)
       ===> winnie the pooh and tigger too
    
     Select one of the initialization actions then press ENTER to process.
    
    S Initialize system - Load the DES and asymmetric master keys to all
        coprocesors and initialize the CKDS and the PKDS.  
        CKDS ===> CRYPTO.HCRICSF.CKDS
        PKDS ===> CRYPTO.HCRICSF.PKDS
    
    _ Reinitialize system - Load the DES and asymmetric master keys to all
        coprocesors and make the specified CKDS and the PKDS the current key data
        sets. 
        CKDS ===>
        PKDS ===>
    
    
     _ Add coprocessors - Initialize additional online coprocessors with the 
       same DES and asymmetric master keys.
    
    
     Press ENTER to process.
     Press END   to exit to the previous menu.
    
     
  3. Press ENTER to run the utility.

    This utility uses the pass phrase, a series of constants, and the MD5 hash algorithm to:

    • Calculate the DES master key and load the new master key register on the card with the value.
    • Calculate the ASYM-MK value and load the new asymmetric-keys master key register on the card with the value.
    • Set the master key registers.
    • Initialize the CKDS or refresh an existing CKDS.
    • Initialize the PKDS.

    For details of these calculations, refer to Pass Phrase Initialization master key calculations.

    Messages on the bottom half of the panel display the progress of the utility.

  4. When the utility has completed successfully, press END to return to the primary menu.
  5. If either KDS has already been initialized, and if the DES-MK or RSA-MK is valid, this panel appears:

Figure 15. Pass Phrase MK/CKDS/PKDS Initialization Panel
CSFPMC20 --------- ICSF - Pass Phrase MK/CKDS/PKDS Initialization ----------

ARE YOU SURE YOU WISH TO PROCEED WITH PASS PHRASE INITIALIZATION?

There are currently coprocessors with valid valid_master_key_types master 
key(s). If you proceed with pass phrase initialization, the master key value(s)
May change.

If you wish to initialize new coprocessors only, return to the previous panel
and select the Add coprocessors action.                                      
                                                                             
To proceed with pass phrase initialization, PKA callable services must be    
disabled. Use the Administrative Control Functions utility to disable PKA    
callable services. 


Press ENTER to proceed with pass phrase initialization.
Press END to exit to the previous menu. 

This prevents you from making a mistake and changing a system that is already operational.
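
The notes in step 1 and the description in step 3 state that the master keys are computed from the pass phrase, a series of constants, and MD5, so the same pass phrase always yields the same keys. The following Python model is an added illustration, not IBM code and not the ICSF calculation (which is documented in Pass Phrase Initialization master key calculations). The constants, the MD5(constant || phrase) construction, the check-value format, the UTF-8 encoding, and all function names are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed per-key-type constants. ICSF's real constants and calculation are
# documented separately and are NOT reproduced here.
MODEL_CONSTANTS = {"DES-MK": b"model-const-des", "ASYM-MK": b"model-const-asym"}
MIN_LEN, MAX_LEN = 16, 64  # pass phrase length accepted by the panel


def check_pass_phrase(phrase: str) -> None:
    """Enforce the panel's 16 to 64 character rule before deriving anything."""
    if not MIN_LEN <= len(phrase) <= MAX_LEN:
        raise ValueError(f"pass phrase must be {MIN_LEN} to {MAX_LEN} characters")


def derive_model_keys(phrase: str) -> dict:
    """Stand-in derivation: MD5(constant || phrase) for each master key type.

    It is deterministic and unsalted, so the pass phrase is exactly as
    sensitive as the key values it produces.
    """
    check_pass_phrase(phrase)
    data = phrase.encode("utf-8")
    return {name: hashlib.md5(const + data).digest()
            for name, const in MODEL_CONSTANTS.items()}


def verification_patterns(keys: dict) -> dict:
    """Hypothetical check values (first 8 bytes of SHA-256 of each key).

    They stand in for the verification patterns a key data set records, so a
    later reentry can be checked without storing the key itself.
    """
    return {name: hashlib.sha256(key).digest()[:8] for name, key in keys.items()}


def reentry_matches(stored: dict, phrase: str) -> bool:
    """True only if the phrase regenerates keys that match every stored pattern."""
    fresh = verification_patterns(derive_model_keys(phrase))
    return fresh.keys() == stored.keys() and all(
        hmac.compare_digest(fresh[name], stored[name]) for name in stored)


if __name__ == "__main__":
    original = "winnie the pooh and tigger too"  # sample phrase from Figure 14
    stored = verification_patterns(derive_model_keys(original))
    print("same phrase reentered:", reentry_matches(stored, original))
    print("one word changed:     ",
          reentry_matches(stored, "winnie the pooh and tigger two"))
```

In this model a single changed character produces unrelated key values, which is why a cleared master key can be restored only by whoever holds the exact original pass phrase.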

Steps for running PPINIT with ECC master key support

If you are running on a z196 server with a CEX3C, the Pass Phrase MK/KDS Initialization panel appears as shown in the following figure.

Figure 16. ICSF Pass Phrase MK/CKDS/PKDS Initialization Panel
CSFPMC40 ------- ICSF - Pass Phrase MK/CKDS/PKDS Initialization ---------------
COMMAND ===>

Enter your pass phrase (16 to 64 characters)
  ===>

Select one of the initialization actions then press ENTER to process.

 _ Initialize system - Load the AES, DES, ECC, and RSA master keys to all 
   coprocessors and initialize the CKDS and PKDS, making then the active key
   data sets.
   CKDS ===>
   PKDS ===>

 _ Reinitialize system - Load the AES, DES, ECC, and RSA master keys to all 
   coprocessors and make the specified CKDS and PKDS the active key data sets.
   CKDS ===>
   PKDS ===>

 _ Add coprocessors - Initialize additional online coprocessors with the
   same currently active master keys.

 _ Add missing MKs - Load missing AES and/or ECC master keys on each active 
   coprocessor. Update the CKDS and/or PKDS to include the MKVP of the loaded MK(s).

Press ENTER to process.
Press END to exit to the previous menu.

 
  1. Type the pass phrase and the data set names in the spaces that are provided. Make sure you save the pass phrase and store it in a secure location.
    Notes:
    1. The same pass phrase will always produce the same master key values, and is therefore as critical and sensitive as the master key values themselves. Make sure you save the pass phrase so that you can later reenter it if needed (for example, if you need to restore master key values that have been cleared). Because of the sensitive nature of the pass phrase, make sure you secure it in a safe place.
    2. If you are reentering master keys when they have been cleared, use the same pass phrase as when you originally entered the keys.
  2. Select one of the following initialization actions:
    • Select 'Initialize system' if this is the first time you are running the pass phrase initialization utility.

      Save the pass phrase in a secure place.

      The CKDS and PKDS names must refer to a valid CKDS and PKDS in your system that have not been initialized.

    • Select 'Reinitialize system' if there is an existing CKDS and PKDS.

      The CKDS and PKDS must have already been initialized with the pass phrase initialization utility and the identical pass phrase.

      ICSF checks and refreshes the existing CKDS and PKDS.

    • Select 'Add coprocessors' if you have previously initialized your system with the Pass Phrase Initialization utility and now want to initialize additional online coprocessors.
    • Select 'Add missing MKs' if you want to load missing AES and ECC master keys on each active coprocessor that supports AES and/or ECC keys.
    Figure 17. Entering Options on the Pass Phrase MK/CKDS/PKDS Initialization Panel
    CSFPMC40 ------- ICSF - Pass Phrase MK/CKDS/PKDS Initialization ---------------
    COMMAND ===>
    
    Enter your pass phrase (16 to 64 characters)
      ===>
    
    Select one of the initialization actions then press ENTER to process.
    
     _ Initialize system - Load the AES, DES, ECC, and RSA master keys to all 
       coprocessors and initialize the CKDS and PKDS, making then the active key
       data sets.
       CKDS ===> CRYPTO.HCRICSF.CKDS
       PKDS ===> CRYPTO.HCRICSF.PKDS
    
     _ Reinitialize system - Load the AES, DES, ECC, and RSA master keys to all 
       coprocessors and make the specified CKDS and PKDS the active key data sets.
       CKDS ===>
       PKDS ===>
    
     _ Add coprocessors - Initialize additional online coprocessors with the
       same currently active master keys.
    
     _ Add missing MKs - Load missing AES and/or ECC master keys on each active 
       coprocessor. Update the CKDS and/or PKDS to include the MKVP of the loaded MK(s).
    
    Press ENTER to process.
    Press END to exit to the previous menu.
  3. Press ENTER to run the utility.

    This utility uses the pass phrase, a series of constants, and the MD5 and SHA-256 hash functions to load AES, DES, ECC, and RSA master keys, and initialize the CKDS and PKDS.

    For details on how the values of master keys are calculated, refer to Pass Phrase Initialization master key calculations.

    Messages on the bottom half of the panel display the progress of the utility.

  4. When the utility has completed successfully, press END to return to the primary menu.
  5. If there is currently any coprocessor with a valid master key, the following panel appears. The valid_master_key_types could be DES, AES, ECC, and/or RSA.

Figure 18. Pass Phrase MK/CKDS/PKDS Initialization Panel
CSFPMC20 --------- ICSF - Pass Phrase MK/CKDS/PKDS Initialization ----------

ARE YOU SURE YOU WISH TO PROCEED WITH PASS PHRASE INITIALIZATION?

There are currently coprocessors with valid valid_master_key_types master 
key(s). If you proceed with pass phrase initialization, the master key value(s)
May change.

If you wish to initialize new coprocessors only, return to the previous panel
and select the Add coprocessors action.                                      
                                                                             
To proceed with pass phrase initialization, PKA callable services must be    
disabled. Use the Administrative Control Functions utility to disable PKA    
callable services. 


Press ENTER to proceed with pass phrase initialization.
Press END to exit to the previous menu.

This prevents you from making a mistake and changing a system that is already operational.

Steps for running PPINIT with AES master key support

When initializing only new CEX2Cs or CEX3Cs, at least one card must be active and PKA callable services must be enabled.

If you are running on z9, z10, or z196 servers with the Nov. 2008 or later licensed internal code (LIC), the Pass Phrase MK/KDS Initialization panel appears. See Figure 19.

Figure 19. ICSF Pass Phrase MK/CKDS/PKDS Initialization Panel
 CSFPMC30 ------- ICSF - Pass Phrase MK/CKDS/PKDS Initialization ---
 Command ===>
 Enter your pass phrase (16 to 64 characters)
   ===>

 Select one of the initialization actions then press ENTER to process.

_ Initialize system - Load the AES, DES and asymmetric master keys to all
    coprocesors and initialize the CKDS and the PKDS.  
    CKDS ===>
    PKDS ===>

_ Reinitialize system - Load the AES, DES and asymmetric master keys to all
    coprocesors and make the specified CKDS and the PKDS the current key data
    sets. 
    CKDS ===>
    PKDS ===>


 _ Add coprocessors - Initialize additional online coprocessors with the 
   same DES and asymmetric master keys.

_ Add AES-MK - Add the AES master key to all active coprocessors and the  
   current CKDS.


 Press ENTER to process.
 Press END   to exit to the previous menu.

 
  1. Type the pass phrase and the data set names in the spaces that are provided. Make sure you save the pass phrase and store it in a secure location.
    Notes:
    1. The same pass phrase will always produce the same master key values, and is therefore as critical and sensitive as the master key values themselves. Make sure you save the pass phrase so that you can later reenter it if needed (for example, if you need to restore master key values that have been cleared). Because of the sensitive nature of the pass phrase, make sure you secure it in a safe place.
    2. If you are reentering master keys when they have been cleared, use the same pass phrase as when you originally entered the keys.
  2. Select one of the following initialization actions:
    • Select 'Initialize system' if this is the first time you are running the pass phrase initialization utility.

      Save the pass phrase in a secure place.

      The CKDS and PKDS names must refer to a valid CKDS and PKDS in your system that have not been initialized.

    • Select 'Reinitialize system' if there is an existing CKDS and PKDS.

      The CKDS and PKDS must have already been initialized with the pass phrase initialization utility and the identical pass phrase.

      ICSF checks and refreshes the existing CKDS and PKDS.

    • Select 'Add coprocessors' if you have previously initialized your system with the Pass Phrase Initialization utility and now want to initialize new PCI cards.
    • Select 'Add AES-MK' if you want to add secure key AES support to a system previously initialized with the utility. This selection updates the active CKDS.
    Figure 20. Entering Options on the Pass Phrase MK/CKDS/PKDS Initialization Panel
     CSFPMC30 ------- ICSF - Pass Phrase MK/CKDS/PKDS Initialization ---
     Command ===>
     Enter your pass phrase (16 to 64 characters)
       ===> winnie the pooh and tigger too
    
     Select one of the initialization actions then press ENTER to process.
    
    S Initialize system - Load the AES, DES and asymmetric master keys to all
        coprocesors and initialize the CKDS and the PKDS.  
        CKDS ===> CRYPTO.HCRICSF.CKDS
        PKDS ===> CRYPTO.HCRICSF.CKDS
    
    _ Reinitialize system - Load the AES, DES and asymmetric master keys to all
        coprocesors and make the specified CKDS and the PKDS the current key data
        sets. 
        CKDS ===>
        PKDS ===>
    
    
     _ Add coprocessors - Initialize additional online coprocessors with the 
       same DES and asymmetric master keys.
    
    _ Add AES-MK - Add the AES master key to all active coprocessors and the  
       current CKDS.
    
    
     Press ENTER to process.
     Press END   to exit to the previous menu.
    
     
  3. Press ENTER to run the utility.

    This utility uses the pass phrase, a series of constants, and the MD5 hash algorithm to:

    • Calculate the DES and AES master key values and load the new master key register on the CEX2C or CEX3C with the value.
    • Calculate the ASYM-MK value and load the new asymmetric-keys master key register on the CEX2C or CEX3C with the value.
    • Set the master key registers.
    • Initialize the CKDS or refresh an existing CKDS.
    • Initialize the PKDS.

    For details of these calculations, refer to Pass Phrase Initialization master key calculations.

    Messages on the bottom half of the panel display the progress of the utility.

  4. When the utility has completed successfully, press END to return to the primary menu.
  5. If the KDS has been initialized and if either the DES or AES master key is valid, the following panel appears. The valid_master_key_types could be DES, AES, and/or RSA.

Figure 21. Pass Phrase MK/CKDS/PKDS Initialization Panel
CSFPMC20 --------- ICSF - Pass Phrase MK/CKDS/PKDS Initialization ----------

ARE YOU SURE YOU WISH TO PROCEED WITH PASS PHRASE INITIALIZATION?

There are currently coprocessors with valid valid_master_key_types master 
key(s). If you proceed with pass phrase initialization, the master key value(s)
May change.

If you wish to initialize new coprocessors only, return to the previous panel
and select the Add coprocessors action.                                      
                                                                             
To proceed with pass phrase initialization, PKA callable services must be    
disabled. Use the Administrative Control Functions utility to disable PKA    
callable services. 


Press ENTER to proceed with pass phrase initialization.
Press END to exit to the previous menu.

This prevents you from making a mistake and changing a system that is already operational.





Copyright IBM Corporation 1990, 2014