The pass phrase initialization utility can be used to initialize
PCI Cryptographic Coprocessors after system initialization. The procedure
is to re-run the Pass Phrase Initialization Utility.
Note:
Special
Secure Mode is not required when adding PCICCs after first time pass
phrase initialization.
The step-by-step procedure is:
- Run the Pass Phrase Initialization Utility.
Access the primary
menu panel.
Figure 22. Selecting the Pass Phrase Initialization Option on the ICSF Primary Menu Panel
CSF@PRIM ------------- Integrated Cryptographic Service Facility ---------
OPTION ===> 6
Enter the number of the desired option.
1 COPROCESSOR MGMT - Management of Cryptographic Coprocessors
2 MASTER KEY MGMT - Master key set or change, CKDS/PKDS processing
3 OPSTAT - Installation options
4 ADMINCNTL - Administrative Control Functions
5 UTILITY - ICSF Utilities
6 PPINIT - Pass Phrase Master Key/KDS Initialization
7 TKE - TKE Master and Operational key processing
8 KGUP - Key Generator Utility processes
9 UDX MGMT - Management of User Defined Extensions
Licensed Materials - Property of IBM
5694-A01 (C) Copyright IBM Corp. 1990, 2011. All rights reserved.
US Government Users Restricted Rights - Use, duplication or
disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Press ENTER to go to the selected option.
Press END to exit to the previous menu.
- Select option 6, PPINIT, and press ENTER to begin the pass phrase
initialization utility.
The Pass Phrase MK/KDS Initialization panel
appears. See Figure 23.
Figure 23. ICSF Pass Phrase MK/KDS Initialization Panel
CSFPMC00 ------- ICSF - Pass Phrase MK/KDS Initialization ---
Command ===>
Enter your pass phrase and the names of the CKDS and PKDS:
Pass Phrase (16 to 64 characters)
===>
CKDS
===>
PKDS
===>
Initialize the CKDS and PKDS? (Y/N) ===>
Signature MK = Key Management MK? (Y/N) ===>
Initialize new PCICCs only? (Y/N) ===>
Press ENTER to process.
Press END to exit to the previous menu.
- Type the pass phrase and the data set name in the spaces that
are provided.
The CKDS and PKDS names must be the current, active
CKDS and PKDS.
Note:
The same pass phrase will always
produce the same master key values. Because you are reentering master
keys, you must use the same pass phrase as when you originally entered
the keys. You should have saved the pass phrase in a secure place
when you entered the master keys previously.
- The "Initialize the CKDS and PKDS?" and "Signature MK = Key Management
MK?" questions are ignored.
- Answer the "Initialize new PCICCs only" question by typing your
response in the space following the question. Your response should
be Y.
Figure 24. Entering Options on the Pass Phrase MK/KDS Initialization Panel
CSFPMC00 --------- ICSF - Pass Phrase MK/KDS Initialization ----------
Enter your pass phrase and the names of the CKDS and PKDS:
Pass Phrase (16 to 64 characters)
===> winnie the pooh and tigger too
CKDS
===> 'CRYPTO.HCRICSF.CKDS'
PKDS
===> CRYPTO.HCRICSF.PKDS
Initialize the CKDS and PKDS? (Y/N) ===> N
Signature MK = Key Management MK? (Y/N) ===> Y
Initialize new PCICCs only? ===> Y
- Press ENTER to run the utility.
For details of these calculations,
refer to Pass Phrase Initialization master key calculations.
Messages on the bottom half
of the panel display the progress of the utility.
- When the utility has completed successfully, press END to return
to the primary menu.
|