z/OS Cryptographic Services ICSF Administrator's Guide


CCF only system

SA22-7521-17

SMK equal to KMMK

  • Using Master Key Entry
    1. Start ICSF on a z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, or z196 system, pointing to the initialized CKDS/PKDS. You will see the message: CSFM419E INCORRECT MASTER KEY (BOTH) ON PCI X CRYPTOGRAPHIC COPROCESSOR Xnn, SERIAL NUMBER nnnnnnnn.
    2. Using Master Key Entry, load the value of the CCF DES master key into the new DES-MK register. Load the value of the CCF SMK/KMMK master key into the new ASYM-MK register. You will need the checksums for each of these values.
    3. Set the DES master key.
    4. Enable PKA Callable Services/Dynamic PKDS Access.
  • Using Pass Phrase Initialization
    1. Start ICSF on a z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, or z196 system, pointing to the initialized CKDS/PKDS.
    2. Using PPINIT, type in the same pass phrase used to initialize the CCF system. Respond N to the "Initialize the CKDS/PKDS? (Y/N)" question.

SMK not equal to KMMK

Without a PCICC, the PKDS reencipher must run on the PCIXCC, CEX2C, or CEX3C. If it does not, the z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, or z196 system will not be able to use the tokens encrypted under the KMMK. This procedure requires that you switch between your legacy and z990/z890 TSO sessions.

  • Using Master Key Entry

    It does not matter whether you reencipher to the KMMK or the SMK. This checklist reenciphers to the SMK.

    1. Start ICSF on a z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, or z196 system, pointing to the initialized CKDS/PKDS.
    2. Define an empty PKDS.
    3. Load the value of the CCF DES master key into the new DES-MK register. You will need the checksum.
    4. Load the value of the CCF KMMK master key into the new ASYM-MK register. You will need the checksum. The ASYM-MK is automatically set when the final key part is loaded.
    5. Load the value of the CCF SMK master key into the new ASYM-MK register. You will need the checksum. The ASYM-MK is automatically set when the final key part is loaded. The old ASYM-MK register now contains the KMMK value and the current ASYM-MK register contains the SMK value.
    6. Set the DES-MK.
    7. Reencipher the active PKDS to the empty PKDS.
    8. Refresh the new PKDS. Enable PKA Callable Services/Dynamic PKDS Access.
    9. Update the options data set to point to the new PKDS.
    10. On the CCF system, disable PKA Callable Services.
    11. Reset the KMMK register.
    12. Load the value of the CCF SMK master key into the KMMK register.
    13. Activate the new PKDS.
    14. Enable PKA Callable Services/Dynamic PKDS Access.
    15. Update the options data set to point to the new PKDS.
  • Using Pass Phrase Initialization
    1. On a CCF system, use PPKEYS to get the clear key values of the SMK and KMMK from a pass phrase. You will need the checksum for each of these values.
    2. On a z990/z890, z9 EC, z9 BC, z10 EC, z10 BC, or z196 system, start ICSF pointing to the initialized CKDS/PKDS.
    3. Define an empty PKDS.
    4. Using Master Key Entry, load the value of the CCF KMMK master key into the new ASYM-MK register. You will need the checksum. Load a final key part of zeroes. The ASYM-MK is automatically set when the final key part is loaded.
    5. Using PPINIT, type in the pass phrase used to initialize the CCF system, enter the names of the initialized CKDS/PKDS, and respond N to the "Initialize the CKDS/PKDS? (Y/N)" question.
    6. Reencipher the PKDS to the empty PKDS.
    7. Refresh the new PKDS.
    8. Update the options data set to point to the new PKDS.
    9. On a CCF system, disable PKA Callable Services.
    10. Using Master Key Entry, reset the KMMK register.
    11. Load the value of the SMK into the KMMK register. You can get the clear key value of the SMK using the PPKEYS utility. You will need the SMK checksum.
    12. Activate the new PKDS.
    13. Enable PKA Callable Services/Dynamic PKDS Access.
    14. Update the options data set to point to the new PKDS.
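
The following is an added illustration, not IBM code and not part of the original checklist: a simplified model of the ASYM-MK registers showing why the KMMK is loaded before the SMK and why a final key part of zeroes leaves a clear key value unchanged. It assumes key parts combine by exclusive OR; the `vp` pattern function, the token labels, and the key values are constructed stand-ins, not ICSF's algorithms or data.

```python
import hashlib
from dataclasses import dataclass

def vp(key: bytes) -> str:
    """Stand-in verification pattern (SHA-256 prefix); not ICSF's algorithm."""
    return hashlib.sha256(key).hexdigest()[:8]

@dataclass
class AsymMkRegisters:
    new: bytes = b""      # accumulates key parts until the final part arrives
    current: bytes = b""
    old: bytes = b""

    def load_part(self, part: bytes, final: bool = False) -> None:
        # Assumption: key parts are combined by exclusive OR.
        acc = self.new or bytes(len(part))
        self.new = bytes(a ^ b for a, b in zip(acc, part))
        if final:
            # Per the checklist, the ASYM-MK is set automatically when the
            # final key part is loaded: current moves to old, new to current.
            self.old, self.current, self.new = self.current, self.new, b""

def reencipher(pkds: dict, regs: AsymMkRegisters) -> dict:
    """Model of PKDS reencipher: every token must be under the current or
    the old ASYM-MK; the output PKDS is entirely under the current one."""
    known = {vp(regs.current), vp(regs.old)}
    out = {}
    for label, pattern in pkds.items():
        if pattern not in known:
            raise ValueError(f"{label}: not under current or old ASYM-MK")
        out[label] = vp(regs.current)
    return out

def load_clear_key(regs: AsymMkRegisters, clear_key: bytes) -> None:
    # A full clear key value goes in as one part, followed by a final part
    # of zeroes (x XOR 0 == x) so the automatic set fires.
    regs.load_part(clear_key)
    regs.load_part(bytes(len(clear_key)), final=True)

def migrate(smk: bytes, kmmk: bytes):
    """KMMK first, then SMK: old holds KMMK, current holds SMK."""
    regs = AsymMkRegisters()
    load_clear_key(regs, kmmk)
    load_clear_key(regs, smk)
    # Constructed CCF PKDS: one token under each CCF master key.
    pkds = {"SIG.KEY": vp(smk), "KM.KEY": vp(kmmk)}
    return regs, reencipher(pkds, regs)
```

In this model, loading only the SMK leaves the KMMK in neither register, so the reencipher rejects the token enciphered under the KMMK.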





Copyright IBM Corporation 1990, 2014