SMK equal to KMMK
- Using Master Key Entry
  - Start ICSF on a z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, or z196 system, pointing to the initialized CKDS/PKDS. You will see message: CSFM419E INCORRECT MASTER KEY (BOTH) ON PCI X CRYPTOGRAPHIC COPROCESSOR Xnn, SERIAL NUMBER nnnnnnnn.
  - Using Master Key Entry, load the value of the CCF DES master key into the new DES-MK register. Load the value of the CCF SMK/KMMK master key into the new ASYM-MK register. You will need the checksums for each of the master key values.
  - Set the DES master key.
  - Enable PKA Callable Services/Dynamic PKDS Access.
- Using Pass Phrase Initialization
  - Start ICSF on a z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, or z196 system, pointing to the initialized CKDS/PKDS.
  - Using PPINIT, type in the same pass phrase used to initialize the CCF system. Respond N to Initialize the CKDS/PKDS? (Y/N).
SMK not equal to KMMK
Make the SMK equal to the KMMK before sharing the CKDS/PKDS with the z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, or z196 system.
- Using Master Key Entry
  - Define an empty PKDS.
  - On the CCF system, disable PKA Callable Services.
  - Using Master Key Entry, reset ALL-PKA registers. Load the value of the CCF KMMK master key into the SMK/KMMK/ASYM-MK registers on all CCF/PCICC coprocessors. You will need the checksum. The ASYM-MK is automatically set when the final key part is loaded.
  - Reencipher the PKDS to the empty PKDS.
  - Activate the new PKDS.
  - Enable PKA Callable Services/Dynamic PKDS Access.
  - Update the options data set to point to the new PKDS.
  - Start ICSF on the z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, or z196 system, pointing to the initialized CKDS/PKDS.
  - Load the value of the CCF DES master key into the new DES-MK register.
  - Load the value of the CCF KMMK master key into the new ASYM-MK register. You will need the checksum. The ASYM-MK is automatically set when the final key part is loaded. The current ASYM-MK now has the same value as the SMK/KMMK/ASYM-MK on the CCF/PCICC(s).
  - Set the DES-MK.
  - Enable PKA Callable Services/Dynamic PKDS Access.
- Using Pass Phrase Initialization
  - On the CCF system, use PPKEYS to get the clear key values of the SMK and KMMK from a pass phrase. You will also need the checksum for each of these values.
  - Define an empty PKDS. Disable PKA Callable Services.
  - Using Master Key Entry, load the value of the CCF KMMK master key into the new ASYM-MK register on the PCICC(s). You will need the checksum. Load a final key part of zeroes. The ASYM-MK is automatically set when the final key part is loaded. The current ASYM-MK is now the same as the KMMK value.
  - Load the value of the CCF SMK into the new ASYM-MK register on the PCICC(s). You will need the checksum. Load a final key part of zeroes. The ASYM-MK is automatically set when the final key part is loaded. The current ASYM-MK is now the same as the SMK value. The KMMK value is now in the old ASYM-MK register.
  - Reset the KMMK register on the CCFs. Load the SMK value into the KMMK register. Now the KMMK = SMK.
  - Reencipher the PKDS to the empty PKDS.
  - Activate the new PKDS.
  - Enable PKA Callable Services/Dynamic PKDS Access.
  - Update the options data set to point to the new PKDS.
  - Start ICSF on a z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, or z196 system, pointing to the initialized CKDS/PKDS (the one just reenciphered previously).
  - Using PPINIT, type in the same pass phrase used to initialize the CCF system. Respond N to Initialize the CKDS/PKDS? (Y/N).