z/OS Cryptographic Services ICSF Administrator's Guide


CKDS

z/OS Cryptographic Services ICSF Administrator's Guide
SA22-7521-17

When you define the DES master key and initialize a CKDS, you can generate or enter any additional system keys you need to perform cryptographic functions.

If you are running on an IBM eServer zSeries 990 and wish to share your CKDS and PKDS with an IBM eServer zSeries 900 (which might be your disaster recovery site), the CKDS and PKDS should be initialized on the IBM eServer zSeries 900.

There are four different types of system keys you can install in the CKDS:

  • Required SYSTEM keys are automatically generated when you first initialize the CKDS. These include the MAC and MACVER keys that ICSF uses to generate and validate the MAC code in each CKDS record.
  • NOCV-enablement keys are required for NOCV IMPORTERs and EXPORTERs. The NOCV-enablement system keys are used to twist on and twist off the CVs on external tokens during key import and key export. This allows ICSF to communicate with systems that do not use control vectors.
  • ANSI system keys are required for almost all ANSI services to perform the notarization and offset that are required by ANSI X9.17.
  • ESYS, or enhanced system keys, are used only in Symmetric Key Export service.
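The second bullet describes NOCV-enablement keys "twisting" control vectors on and off external tokens. The following added example (not ICSF code, and not IBM's implementation) models why that is needed: in CCA a key-encrypting key is XORed with the control vector (CV) of the key it wraps, so a system with no CV support, which wraps under the bare KEK, sees the same token as a CV of all zeros. The wrap primitive here is an HMAC-SHA256 keystream stand-in so the code runs with the standard library (ICSF uses DES/TDES), and the CV byte patterns, sample KEK and sample key are constructed values, not the real CCA bit assignments.

```python
"""Model of CCA control-vector (CV) twisting for NOCV key exchange.

Added example, not ICSF or IBM code. In CCA the KEK is not used directly:
KEK XOR CV is the wrapping key, so a token wrapped as an EXPORTER key cannot
be unwrapped with the bare KEK. A system without CV support wraps under the
bare KEK, which is equivalent to an all-zero CV. "Twist off" re-wraps a token
from KEK^CV to the bare KEK for export; "twist on" does the reverse on import.
"""
import hashlib
import hmac

KEY_LEN = 16  # double-length DES key, for illustration only

# Constructed CV values (NOT the real CCA control-vector bit assignments).
CV_NOCV = bytes(KEY_LEN)                 # all zeros: what a non-CV system uses
CV_IMPORTER = bytes([0x42, 0x7D] * 8)    # constructed
CV_EXPORTER = bytes([0x41, 0x7D] * 8)    # constructed

# Constructed sample material (not from the page).
SAMPLE_KEK = bytes(range(KEY_LEN))
SAMPLE_KEY = bytes.fromhex("0123456789abcdeffedcba9876543210")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def kek_variant(kek: bytes, cv: bytes) -> bytes:
    """The key actually used for wrapping under CCA: KEK XOR CV."""
    return xor(kek, cv)


def wrap(kek: bytes, cv: bytes, key: bytes) -> bytes:
    """Stand-in wrap: XOR the key with a keystream keyed by the KEK variant.

    ICSF uses DES/TDES here; an HMAC keystream keeps the example dependency-free
    and preserves the property that matters: a different variant gives a
    different wrapping.
    """
    stream = hmac.new(kek_variant(kek, cv), b"wrap", hashlib.sha256).digest()
    return xor(key, stream[: len(key)])


def unwrap(kek: bytes, cv: bytes, token: bytes) -> bytes:
    """The XOR keystream is its own inverse."""
    return wrap(kek, cv, token)


def twist_off(kek: bytes, cv: bytes, token: bytes) -> bytes:
    """Export to a non-CV system: re-wrap from KEK^CV to the bare KEK."""
    return wrap(kek, CV_NOCV, unwrap(kek, cv, token))


def twist_on(kek: bytes, cv: bytes, nocv_token: bytes) -> bytes:
    """Import from a non-CV system: re-wrap from the bare KEK to KEK^CV."""
    return wrap(kek, cv, unwrap(kek, CV_NOCV, nocv_token))


def exchange(kek: bytes, cv: bytes, key: bytes, use_nocv_keys: bool) -> bytes:
    """Export `key` (held under `cv`) to a system that knows only the bare KEK.

    Returns what the receiving, CV-unaware system recovers.
    """
    token = wrap(kek, cv, key)
    if use_nocv_keys:
        token = twist_off(kek, cv, token)
    return unwrap(kek, CV_NOCV, token)


if __name__ == "__main__":
    ok = exchange(SAMPLE_KEK, CV_EXPORTER, SAMPLE_KEY, True) == SAMPLE_KEY
    bad = exchange(SAMPLE_KEK, CV_EXPORTER, SAMPLE_KEY, False) == SAMPLE_KEY
    print("with NOCV twist-off, peer recovers key:", ok)
    print("without twist-off, peer recovers key:", bad)
```

Without the twist-off step the non-CV peer unwraps with the bare KEK and recovers garbage, which is exactly the interoperability gap the NOCV-enablement keys close; a key whose CV is already all zeros interoperates either way.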

For information on system keys, see Entering system keys into the cryptographic key data set (CKDS).

If running in a sysplex, see Running in a Sysplex Environment.

Steps for initializing a CKDS

You have to initialize a CKDS only the first time you start ICSF on a system. When you initialize a CKDS, you can copy the disk copy of the CKDS to create other CKDSs for use on the system. You can also use a CKDS on another ICSF system if the system has the same master key value. At any time, you can read a different disk copy into storage. For information about how to read a disk copy into storage, see Refreshing the CKDS at any time. For information about initializing a CKDS in a sysplex environment, see Running in a Sysplex Environment.

For a description of how to use the Master Key Entry panels to enter the master key, see Steps for entering the first master key part. For a description of how to use the TKE workstation to enter the master key, refer to z/OS Cryptographic Services ICSF TKE Workstation User’s Guide.

Starting with release HCR7780, there are two formats of the CKDS: a fixed-length record (supported by all releases of ICSF) and a new, variable-length record (supported by HCR7780 and later releases). You can use the following steps to initialize either format of CKDS.

To initialize the CKDS:

  1. Return to the Primary Menu panel by pressing END from the Master Key Entry panel.
  2. Select Option 2, MASTER KEY, on the Primary Menu panel as shown in Figure 50.
    Figure 50. Selecting the Master Key option on the primary menu panel
     CSF@PRIM --------- Integrated Cryptographic Service Facility ---------
     OPTION ===> 2
    
     Enter the number of the desired option.
    
       1  COPROCESSOR MGMT    -  Management of Cryptographic Coprocessors
       2  MASTER KEY MGMT     -  Master key set or change, CKDS/PKDS processing
       3  OPSTAT              -  Installation options
       4  ADMINCNTL           -  Administrative Control Functions
       5  UTILITY             -  ICSF Utilities
       6  PPINIT              -  Pass Phrase Master Key/KDS Initialization
       7  TKE                 -  TKE Master and Operational key processing
       8  KGUP                -  Key Generator Utility processes
       9  UDX MGMT            -  Management of User Defined Extensions
    
           Licensed Materials - Property of IBM
    
          5694-A01 (C) Copyright IBM Corp. 1990, 2011. All rights reserved.
          US Government Users Restricted Rights - Use, duplication or
          disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
    
     Press ENTER to go to the selected option.
     Press END   to exit to the previous menu.
     

    The Master Key Management panel appears. See Figure 51.

    Figure 51. ICSF Master Key Management Panel
     CSFMKM00 ---------------- ICSF - Master Key Management  ----------------
     OPTION ===>  1
    
    
     Enter the number of the desired option above.
    
       1 INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or 
                             activate an updated Cryptographic Key Data Set    
       2 SET MK            - Set a symmetric (DES or AES) master key
       3 REENCIPHER CKDS   - Reencipher the CKDS prior to changing a symmetric
                             master key
       4 CHANGE MK         - Change a symmetric master key and 
                             activate the reenciphered CKDS
       5 INITIALIZE PKDS   - Initialize or update a PKA Cryptographic
                             Key Data Set header record
       6 REENCIPHER PKDS   - Reencipher the PKA Cryptographic Key Data Set
       7 REFRESH PKDS      - Activate an updated PKA Cryptographic Key Data Set
       
  3. Select option 1, INIT/REFRESH CKDS, and the Initialize a CKDS panel appears. See Figure 52.
    Figure 52. ICSF Initialize a CKDS Panel
     CSFCKD00 ---------------- ICSF - Initialize a CKDS  ----------------
     COMMAND ===> 1
    
    
     Enter the number of the desired option.
    
       1  Initialize an empty CKDS (creates the header and system keys)
    
       2  NOCVKEYS  -  Create NOCV-Enablement keys (for keys without CVs)
       3  ANSI      -  Create ANSI system keys (for ANSI X9.17 services)
       4  ESYS      -  Create enhanced system keys (for Symmetric services)
    
       5  REFRESH   -  Activate an updated CKDS
    
     Enter the name of the CKDS below.
    
       CKDS ===> 'FIRST.EMPTY.CKDS'
     
  4. In the CKDS field, enter the name of the empty VSAM data set that was created to use as the disk copy of the CKDS.

    The name you enter should be the same name that is specified in the CKDSN installation option in the installation options data set. For information about creating a CKDS and specifying the CKDS name in the installation options data set, see z/OS Cryptographic Services ICSF System Programmer’s Guide.

  5. Choose option 1, Initialize an empty CKDS, and press ENTER.

    ICSF creates the header record in the disk copy of the CKDS. Next, ICSF sets the DES master key. ICSF then adds the required system keys to the CKDS and refreshes the CKDS. When ICSF completes all these steps, the message INITIALIZATION COMPLETE appears. If you did not enter a master key into the new master key register previously, the message NMK REGISTER NOT FULL appears and the initialization process ends. You must enter a master key into the new master key register to initialize the CKDS.

    Note:
    If any part of option 1 fails, you must delete the CKDS and start over. If the failure occurs after the master key has been set and before the system keys have been created, you will need to reset the master keys.
  6. If you want ICSF to create NOCV-enablement keys when the initialization process has been completed, select option 2, NOCVKEYS, and press ENTER.

    The creation of NOCV-enablement keys is optional. It allows you to use either the key generator utility program or the Key Token Build callable service to create NOCV keys. NOCV keys allow you to send and receive keys from systems that do not use control vectors. For a description of NOCV keys, see the description of the NOCV keyword for the key generator utility program on ***.

    Note:
    If you want to run the ICSF conversion program to convert a PCF CKDS into ICSF format, the CKDS you start ICSF with must contain NOCV-enablement keys. For more information about the conversion program, see z/OS Cryptographic Services ICSF System Programmer’s Guide.
  7. To create ANSI system keys that are used for the ANSI X9.17 services, choose option 3, ANSI.

    The creation of ANSI system keys is optional. ANSI system keys are required if you intend to also create enhanced system keys.

    If the process succeeds, the message ANSI KEYS ADDED appears at the top right of the panel.

  8. To create enhanced system keys, choose option 4, ESYS.

    The creation of enhanced system keys is optional. To create enhanced system keys, you must have previously installed the ANSI system keys in the CKDS.

    If the process succeeds, the message ESYS KEYS ADDED appears at the top right of the panel.

When you complete the entire process, a master key and CKDS exist on your system. You can now generate keys using the key generate callable service and key generator utility program, or convert PCF keys to ICSF keys using the conversion program. ICSF services use the keys to perform the cryptographic functions you request.

Note:
You enable special secure mode to initialize ICSF for the first time. When you perform the initialization process, you may choose to disable special secure mode.




