z/OS Cryptographic Services ICSF Administrator's Guide
Previous topic | Next topic | Contents | Index | Contact z/OS | Library | PDF


CCF with PCICCs

z/OS Cryptographic Services ICSF Administrator's Guide
SA22-7521-17

SMK equal to KMMK

  • Using Master Key Entry
    1. Start ICSF on a z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, or z196 system, pointing to the initialized CKDS/PKDS. You will see message: CSFM419E INCORRECT MASTER KEY (BOTH) ON PCI X CRYPTOGRAPHIC COPROCESSOR Xnn, SERIAL NUMBER nnnnnnnn.
    2. Using Master Key Entry, load the value of the CCF DES master key into the new DES-MK register. Load the value of the CCF SMK/KMMK master key into the new ASYM-MK register. You will need the checksums for each of the master key values.
    3. Set the DES master key.
    4. Enable PKA Callable Services/Dynamic PKDS Access.
  • Using Pass Phrase Initialization
    1. Start ICSF on a z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, or z196 system, pointing to the initialized CKDS/PKDS.
    2. Using PPINIT, type in the same pass phrase used to initialize CCF system. Respond N to Initialize the CKDS/PKDS? (Y/N).

SMK not equal to KMMK

Make the SMK=KMMK prior to sharing the CKDS/PKDS with the z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, or z196 system.

  • Using Master Key Entry
    1. Define an empty PKDS.
    2. On the CCF system, disable PKA Callable Services.
    3. Using Master Key Entry, reset ALL-PKA registers. Load the value of the CCF KMMK master key into the SMK/KMMK/ASYM-MK registers on all CCF/PCICC coprocessors. You will need the checksum. The ASYM-MK is automatically set when the final key part is loaded.
    4. Reencipher the PKDS to the empty PKDS.
    5. Activate the new PKDS.
    6. Enable PKA Callable Services/Dynamic PKDS Access.
    7. Update options data set to point to new PKDS.
    8. Start ICSF on the z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, or z196 system, pointing to initialized CKDS/PKDS.
    9. Load the value of the CCF DES master key into the new DES-MK register.
    10. Load the value of the CCF KMMK master key into the new ASYM-MK register. You will need the checksum. The ASYM-MK is automatically set when the final key part is loaded. The current ASYM-MK now has the same value as the SMK/KMMK/ASYM-MK on the CCF/PCICC(s).
    11. Set the DES-MK.
    12. Enable PKA Callable Services/Dynamic PKDS Access.
  • Using Pass Phrase Initialization
    1. On the CCF system, use PPKEYS to get the clear key values of the SMK and KMMK from a pass phrase. You will also need the checksum for each of these values.
    2. Define an empty PKDS. Disable PKA Callable Services.
    3. Using Master Key Entry, load the value of the CCF KMMK master key into the new ASYM-MK register on the PCICC(s). You will need the checksum. Load a final key part of zeroes. The ASYM-MK is automatically set when the final key part is loaded. The current ASYM-MK is now the same as the KMMK value.
    4. Load the value of the CCF SMK into the new ASYM-MK register on the PCICC(s). You will need the checksum. Load a final key part of zeroes. The ASYM-MK is automatically set when the final key part is loaded. The current ASYM-MK is now the same as the SMK value. The KMMK value is now in the old ASYM-MK register.
    5. Reset the KMMK register on the CCFs. Load the SMK value into the KMMK register. Now the KMMK = SMK.
    6. Reencipher the PKDS to the empty PKDS.
    7. Activate the new PKDS.
    8. Enable PKA Callable Services/Dynamic PKDS Access.
    9. Update options data set to point to the new PKDS.
    10. Start ICSF on a z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, or z196 system, pointing to the initialized CKDS/PKDS (the one just reenciphered previously).
    11. Using PPINIT, type in the same pass phrase used to initialize CCF system. Respond N to Initialize the CKDS/PKDS? (Y/N).

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014