When initializing only new PCIXCCs, CEX2Cs, or CEX3Cs, at least
one card must be active and PKA callable services must be enabled.
If you are running on a:
The Pass Phrase MK/CKDS/PKDS Initialization panel appears. See Figure 13.
Figure 13. ICSF Pass Phrase MK/CKDS/PKDS Initialization Panel
CSFPMC10 ------- ICSF - Pass Phrase MK/CKDS/PKDS Initialization ---
Command ===>
Enter your pass phrase (16 to 64 characters)
===>
Select one of the initialization actions then press ENTER to process.
_ Initialize system - Load the DES and asymmetric master keys to all
coprocesors and initialize the CKDS and the PKDS.
CKDS ===>
PKDS ===>
_ Reinitialize system - Load the DES and asymmetric master keys to all
coprocesors and make the specified CKDS and the PKDS the current key data
sets.
CKDS ===>
PKDS ===>
_ Add coprocessors - Initialize additional online coprocessors with the
same DES and asymmetric master keys.
Press ENTER to process.
Press END to exit to the previous menu.
- Type the pass phrase and the data set names in the spaces that
are provided. Make sure you save the pass phrase
and store it in a secure place.
Notes:
- The same pass phrase will always produce the same master key values,
and is therefore as critical and sensitive as the master key values
themselves. Make sure you save the pass phrase so that you can later
reenter it if needed (for example, if you need to restore master key
values that have been cleared). Because of the sensitive nature of
the pass phrase, make sure you secure it in a safe place.
- If you are reentering master keys when they have been cleared,
use the same pass phrase as when you originally entered the keys.
If you are adding coprocessors or missing master keys, use the same
pass phrase you used when you initialized the system.
- Select one of the following initialization actions:
- Select 'Initialize system' if this is the first time you
are running the pass phrase initialization utility.
Fill in the CKDS and PKDS fields with the names of two valid VSAM data sets that
have not been initialized.
- Select 'Reinitialize system' if there is an existing CKDS
and PKDS. The CKDS and PKDS must have already been initialized
with the pass phrase initialization utility and the identical pass
phrase. ICSF checks and refreshes the existing CKDS and PKDS.
When using PPINIT with a system where coprocessors have been initialized
with PPINIT (the CKDS/PKDS are initialized), keep in mind:
- If the CKDS and PKDS were initialized with the same pass phrase,
the 'Reinitialize system' option will process active coprocessors,
and online processors will become active. However, if the coprocessor
supports any additional master key type and there is no MKVP in the
KDS for the key type, the master key will not become active during
reinitialization. To initialize online coprocessors in this scenario,
use the 'Add coprocessors' option.
- When the CKDS and PKDS were initialized with a different pass
phrase, 'Reinitialize system' will fail.
- Select 'Add coprocessors' if you have already initialized
your system with the Pass Phrase Initialization utility and now want
to initialize new PCI cards.
Figure 14. Entering Options on the Pass Phrase MK/CKDS/PKDS Initialization Panel
CSFPMC10 ------- ICSF - Pass Phrase MK/CKDS/PKDS Initialization ---
Command ===>
Enter your pass phrase (16 to 64 characters)
===> winnie the pooh and tigger too
Select one of the initialization actions then press ENTER to process.
S Initialize system - Load the DES and asymmetric master keys to all
coprocesors and initialize the CKDS and the PKDS.
CKDS ===> CRYPTO.HCRICSF.CKDS
PKDS ===> CRYPTO.HCRICSF.PKDS
_ Reinitialize system - Load the DES and asymmetric master keys to all
coprocesors and make the specified CKDS and the PKDS the current key data
sets.
CKDS ===>
PKDS ===>
_ Add coprocessors - Initialize additional online coprocessors with the
same DES and asymmetric master keys.
Press ENTER to process.
Press END to exit to the previous menu.
- Press ENTER to run the utility.
This utility uses the pass
phrase, a series of constants, and the MD5 hash algorithm to:
- Calculate the DES master key and load the new master key register
on the card with the value.
- Calculate the ASYM-MK value and load the new asymmetric-keys master
key register on the card with the value.
- Set the master key registers.
- Initialize the CKDS or refresh an existing CKDS.
- Initialize the PKDS.
For details of these calculations, refer to Pass Phrase Initialization master key calculations.
Messages on the bottom half of the panel display
the progress of the utility.
- When the utility has completed successfully, press END to return
to the primary menu.
- If either KDS has already been initialized, and if the DES-MK
or RSA-MK is valid, this panel appears:
Figure 15. Pass Phrase MK/CKDS/PKDS Initialization Panel
CSFPMC20 --------- ICSF - Pass Phrase MK/CKDS/PKDS Initialization ----------
ARE YOU SURE YOU WISH TO PROCEED WITH PASS PHRASE INITIALIZATION?
There are currently coprocessors with valid valid_master_key_types master
key(s). If you proceed with pass phrase initialization, the master key value(s)
May change.
If you wish to initialize new coprocessors only, return to the previous panel
and select the Add coprocessors action.
To proceed with pass phrase initialization, PKA callable services must be
disabled. Use the Administrative Control Functions utility to disable PKA
callable services.
Press ENTER to proceed with pass phrase initialization.
Press END to exit to the previous menu.
This prevents you from making a mistake and changing a system
that is already operational.
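Because the master keys are computed from the pass phrase alone (with fixed constants and MD5, as described above), a weak or published pass phrase yields predictable master keys. The following added example, which is not part of the ICSF documentation or code, vets a candidate pass phrase before it is typed into the panel; the 80-bit threshold, the 7776-word guessing model, and the function names are assumptions.

```python
import math
import re

MIN_LEN, MAX_LEN = 16, 64   # from the panel prompt: "16 to 64 characters"
# Sample pass phrase shown in this page's figures; it is public, so never use it.
PUBLISHED_SAMPLES = {"winnie the pooh and tigger too"}
WORD_BITS = math.log2(7776)  # assumption: guesses drawn from a 7776-word list
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 32))


def estimate_bits(phrase):
    """Rough guess resistance in bits (assumed model, not an ICSF metric)."""
    if not phrase:
        return 0.0
    tokens = phrase.split()
    if len(tokens) > 1 and all(t.isalpha() for t in tokens):
        # Natural-language phrase: the cost is per word, not per character.
        return len(tokens) * WORD_BITS
    pool = sum(size for pattern, size in CLASSES if re.search(pattern, phrase))
    # Long runs of a few repeated characters add little; cap the counted length.
    effective_len = min(len(phrase), 2 * len(set(phrase)))
    return effective_len * math.log2(pool)


def vet_pass_phrase(phrase, min_bits=80.0):
    """Return a list of problems; an empty list means the phrase passes."""
    problems = []
    if not MIN_LEN <= len(phrase) <= MAX_LEN:
        problems.append(f"length {len(phrase)} outside {MIN_LEN}-{MAX_LEN}")
    if " ".join(phrase.lower().split()) in PUBLISHED_SAMPLES:
        problems.append("matches a pass phrase published in documentation")
    bits = estimate_bits(phrase)
    if bits < min_bits:
        problems.append(f"estimated {bits:.0f} bits, below the {min_bits:.0f}-bit policy")
    return problems


if __name__ == "__main__":
    # Constructed candidates; never log or echo a real pass phrase like this.
    for candidate in ("winnie the pooh and tigger too",
                      "amber kettle orbit walnut fjord piston meadow"):
        print(repr(candidate), "->", vet_pass_phrase(candidate) or "ok")
```

Run the check on an offline workstation and keep the accepted pass phrase under the same custody controls as the master key values themselves.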
Steps for running PPINIT with ECC master key support
If you are running on a z196 server with a CEX3C, the Pass Phrase
MK/KDS Initialization panel appears as shown in the following figure.
Figure 16. ICSF Pass Phrase MK/CKDS/PKDS Initialization Panel
CSFPMC40 ------- ICSF - Pass Phrase MK/CKDS/PKDS Initialization ---------------
COMMAND ===>
Enter your pass phrase (16 to 64 characters)
===>
Select one of the initialization actions then press ENTER to process.
_ Initialize system - Load the AES, DES, ECC, and RSA master keys to all
coprocessors and initialize the CKDS and PKDS, making then the active key
data sets.
CKDS ===>
PKDS ===>
_ Reinitialize system - Load the AES, DES, ECC, and RSA master keys to all
coprocessors and make the specified CKDS and PKDS the active key data sets.
CKDS ===>
PKDS ===>
_ Add coprocessors - Initialize additional online coprocessors with the
same currently active master keys.
_ Add missing MKs - Load missing AES and/or ECC master keys on each active
coprocessor. Update the CKDS and/or PKDS to include the MKVP of the loaded MK(s).
Press ENTER to process.
Press END to exit to the previous menu.
- Type the pass phrase and the data set names in the spaces that
are provided. Make sure you save the pass phrase
and store it in a secure location.
Notes:
- The same pass phrase will always produce the same master key values,
and is therefore as critical and sensitive as the master key values
themselves. Make sure you save the pass phrase so that you can later
reenter it if needed (for example, if you need to restore master key
values that have been cleared). Because of the sensitive nature of
the pass phrase, make sure you secure it in a safe place.
- If you are reentering master keys when they have been cleared,
use the same pass phrase as when you originally entered the keys.
- Select one of the following initialization actions:
- Select 'Initialize system' if this is the first time you
are running the pass phrase initialization utility.
Save the pass phrase in a secure place.
The CKDS and PKDS names must refer
to a valid CKDS and PKDS in your system that have not been initialized.
- Select 'Reinitialize system' if there is an existing CKDS
and PKDS. The CKDS and PKDS must have already been initialized
with the pass phrase initialization utility and the identical pass
phrase. ICSF checks and refreshes the existing CKDS and PKDS.
- Select 'Add coprocessors' if you have previously initialized
your system with the Pass Phrase Initialization utility and now want
to initialize additional online coprocessors.
- Select 'Add missing MKs' if you want to load missing AES
and ECC master keys on each active coprocessor that supports AES and/or
ECC keys.
Figure 17. Entering Options on the Pass Phrase MK/CKDS/PKDS Initialization Panel
CSFPMC40 ------- ICSF - Pass Phrase MK/CKDS/PKDS Initialization ---------------
COMMAND ===>
Enter your pass phrase (16 to 64 characters)
===>
Select one of the initialization actions then press ENTER to process.
_ Initialize system - Load the AES, DES, ECC, and RSA master keys to all
coprocessors and initialize the CKDS and PKDS, making then the active key
data sets.
CKDS ===> CRYPTO.HCRICSF.CKDS
PKDS ===> CRYPTO.HCRICSF.PKDS
_ Reinitialize system - Load the AES, DES, ECC, and RSA master keys to all
coprocessors and make the specified CKDS and PKDS the active key data sets.
CKDS ===>
PKDS ===>
_ Add coprocessors - Initialize additional online coprocessors with the
same currently active master keys.
_ Add missing MKs - Load missing AES and/or ECC master keys on each active
coprocessor. Update the CKDS and/or PKDS to include the MKVP of the loaded MK(s).
Press ENTER to process.
Press END to exit to the previous menu.
- Press ENTER to run the utility.
This utility uses the pass
phrase, a series of constants, and the MD5 and SHA-256 hash
functions to load AES, DES, ECC, and RSA master keys, and initialize
the CKDS and PKDS.
For details on how the values of master keys
are calculated, refer to Pass Phrase Initialization master key calculations.
Messages on
the bottom half of the panel display the progress of the utility.
- When the utility has completed successfully, press END to return
to the primary menu.
- If there is currently any coprocessor with a valid master key,
the following panel appears. The valid_master_key_types could
be DES, AES, ECC, and/or RSA.
Figure 18. Pass Phrase MK/CKDS/PKDS Initialization Panel
CSFPMC20 --------- ICSF - Pass Phrase MK/CKDS/PKDS Initialization ----------
ARE YOU SURE YOU WISH TO PROCEED WITH PASS PHRASE INITIALIZATION?
There are currently coprocessors with valid valid_master_key_types master
key(s). If you proceed with pass phrase initialization, the master key value(s)
May change.
If you wish to initialize new coprocessors only, return to the previous panel
and select the Add coprocessors action.
To proceed with pass phrase initialization, PKA callable services must be
disabled. Use the Administrative Control Functions utility to disable PKA
callable services.
Press ENTER to proceed with pass phrase initialization.
Press END to exit to the previous menu.
This prevents you from making a mistake and changing a system
that is already operational.
Steps for running PPINIT with AES master key support
When initializing only new CEX2Cs or CEX3Cs, at least one card
must be active and PKA callable services must be enabled.
If you are running on z9, z10, or z196 servers with the Nov. 2008 or later licensed internal code (LIC), the
Pass Phrase MK/KDS Initialization panel appears. See Figure 19.
Figure 19. ICSF Pass Phrase MK/CKDS/PKDS Initialization Panel
CSFPMC30 ------- ICSF - Pass Phrase MK/CKDS/PKDS Initialization ---
Command ===>
Enter your pass phrase (16 to 64 characters)
===>
Select one of the initialization actions then press ENTER to process.
_ Initialize system - Load the AES, DES and asymmetric master keys to all
coprocesors and initialize the CKDS and the PKDS.
CKDS ===>
PKDS ===>
_ Reinitialize system - Load the AES, DES and asymmetric master keys to all
coprocesors and make the specified CKDS and the PKDS the current key data
sets.
CKDS ===>
PKDS ===>
_ Add coprocessors - Initialize additional online coprocessors with the
same DES and asymmetric master keys.
_ Add AES-MK - Add the AES master key to all active coprocessors and the
current CKDS.
Press ENTER to process.
Press END to exit to the previous menu.
- Type the pass phrase and the data set names in the spaces that
are provided. Make sure you save the pass phrase
and store it in a secure location.
Notes:
- The same pass phrase will always produce the same master key values,
and is therefore as critical and sensitive as the master key values
themselves. Make sure you save the pass phrase so that you can later
reenter it if needed (for example, if you need to restore master key
values that have been cleared). Because of the sensitive nature of
the pass phrase, make sure you secure it in a safe place.
- If you are reentering master keys when they have been cleared,
use the same pass phrase as when you originally entered the keys.
- Select one of the following initialization actions:
- Select 'Initialize system' if this is the first time you
are running the pass phrase initialization utility.
Save the pass phrase in a secure place.
The CKDS and PKDS names must refer
to a valid CKDS and PKDS in your system that have not been initialized.
- Select 'Reinitialize system' if there is an existing CKDS
and PKDS. The CKDS and PKDS must have already been initialized
with the pass phrase initialization utility and the identical pass
phrase. ICSF checks and refreshes the existing CKDS and PKDS.
- Select 'Add coprocessors' if you have previously initialized
your system with the Pass Phrase Initialization utility and now want
to initialize new PCI cards.
- Select 'Add AES-MK' if you want to add secure key
AES support to a system previously initialized with the utility. This
selection updates the active CKDS.
Figure 20. Entering Options on the Pass Phrase MK/CKDS/PKDS Initialization Panel
CSFPMC30 ------- ICSF - Pass Phrase MK/CKDS/PKDS Initialization ---
Command ===>
Enter your pass phrase (16 to 64 characters)
===> winnie the pooh and tigger too
Select one of the initialization actions then press ENTER to process.
S Initialize system - Load the AES, DES and asymmetric master keys to all
coprocesors and initialize the CKDS and the PKDS.
CKDS ===> CRYPTO.HCRICSF.CKDS
PKDS ===> CRYPTO.HCRICSF.PKDS
_ Reinitialize system - Load the AES, DES and asymmetric master keys to all
coprocesors and make the specified CKDS and the PKDS the current key data
sets.
CKDS ===>
PKDS ===>
_ Add coprocessors - Initialize additional online coprocessors with the
same DES and asymmetric master keys.
_ Add AES-MK - Add the AES master key to all active coprocessors and the
current CKDS.
Press ENTER to process.
Press END to exit to the previous menu.
- Press ENTER to run the utility.
This utility uses the pass
phrase, a series of constants, and the MD5 hash algorithm to:
- Calculate the DES and AES master key values and load
the new master key register on the CEX2C or CEX3C with the
value.
- Calculate the ASYM-MK value and load the new asymmetric-keys master
key register on the CEX2C or CEX3C with the value.
- Set the master key registers.
- Initialize the CKDS or refresh an existing CKDS.
- Initialize the PKDS.
For details of these calculations, refer to Pass Phrase Initialization master key calculations.
Messages on the bottom half of the panel display
the progress of the utility.
- When the utility has completed successfully, press END to return
to the primary menu.
- If the KDS has been initialized and if either the DES or AES
master key is valid, the following panel appears. The valid_master_key_types could be DES, AES, and/or
RSA.
Figure 21. Pass Phrase MK/CKDS/PKDS Initialization Panel
CSFPMC20 --------- ICSF - Pass Phrase MK/CKDS/PKDS Initialization ----------
ARE YOU SURE YOU WISH TO PROCEED WITH PASS PHRASE INITIALIZATION?
There are currently coprocessors with valid valid_master_key_types master
key(s). If you proceed with pass phrase initialization, the master key value(s)
May change.
If you wish to initialize new coprocessors only, return to the previous panel
and select the Add coprocessors action.
To proceed with pass phrase initialization, PKA callable services must be
disabled. Use the Administrative Control Functions utility to disable PKA
callable services.
Press ENTER to proceed with pass phrase initialization.
Press END to exit to the previous menu.
This prevents you from making a mistake and changing a system
that is already operational.