z/OS Cryptographic Services ICSF Administrator's Guide


Displaying coprocessor hardware status - CCF and PCICC

SA22-7521-17

You can use the ICSF panels to view the status of the cryptographic coprocessor key registers, the PCI cryptographic coprocessor, the master key verification patterns, and other information about the cryptographic hardware.

When you enter and activate a DES master key, you change the status of the registers. The cryptographic facility contains several key registers. The master key register contains the active DES master key. For the CCF, the auxiliary key register contains either the old DES master key or a new DES master key prior to it being activated and transferred to the master key register. For the PCICC, there are three registers: one for the old master key, one for the new and one for the current. When you have a PCICC, the old master key is not lost when a new master key is loaded.

In addition, there are also registers for the PKA master keys. When you enter a master key, the Cryptographic Coprocessor Feature or the PCI Cryptographic Coprocessor calculates a verification pattern and a hash pattern for the master key. You can use these patterns to identify master keys.

You can use the panels to display the conditions of the key registers and the verification pattern and hash patterns for the master keys. You may use this information for master key management.

To display coprocessor hardware status:

  1. From the Coprocessor Management panel, select the coprocessors to be processed by typing an 'S'.
    Figure 178. Selecting the coprocessor on the Coprocessor Management Panel
     CSFCMP00 ---------------- ICSF Coprocessor Management -------------
     COMMAND ===>
    
    Select the coprocessors to be processed and press ENTER.
    Action characters are: A, D, E, R, and S. See the help panel for details.
    
    COPROCESSOR  MODULE ID/SERIAL NUMBER                  STATUS
    -----------  -------------------------------          -------
    
    _ A06                                                  ACTIVE
    _ A07                                                  ACTIVE
    S C0         E589C396944007A6 5D40369997A386F4         ACTIVE
    _ C1         0AA379BFD2387960 0367DC04533125FF         ONLINE
    S P00        41-00YE1                                  ONLINE
    _ P01        41-00K11                                  ONLINE
    _ P02        41-0A355                                  ACTIVE
    _ P03        41-0BA3F                                  ONLINE
    _ P04        41-0RT2T                                  DEACTIVATED
    _ P05        41-00342                                  DISABLED    
     
  2. The Coprocessor Hardware Status panel appears (Figure 179). When more than two coprocessors are requested, the status display can be scrolled left and right to show the other coprocessors. You can scroll to the left using PFKey 10 and to the right with PFKey 11.
    Figure 179. Coprocessor Hardware Status Panel
     CSFCMP10 ----------- ICSF - Coprocessor Hardware Status  ----------------
     OPTION ===>
    
                                                           CRYPTO DOMAIN: 0
    
     REGISTER STATUS                COPROCESSOR C0          COPROCESSOR P00
                                                            More:    + 
     Crypto Serial Number or         :  E589C39694407A60    41-00YE1 
          Module Id                  :  5D40C39997A396F0     
     Status                          :  ACTIVE              ONLINE             
    DES/Symmetric-Keys Master Key                                              
      New master key register        : FULL                 PART FULL          
        Verification pattern         : 1972BB5791BB2430     2342352352352352     
        Hash pattern                 : 0123456789ABCDEF     A17B93C44D24681A     
                                     : 9691BDA1970BDAA2     806427AAC91221CC     
      Old master key register        : EMPTY                EMPTY                
        Verification pattern         :                                         
        Hash pattern                 :                                         
                                     :                                         
      Current master key register    : VALID                VALID              
        Verification pattern         : CA6B408A02371B1D     261AAB8A02371705   
        Hash pattern                 : 41DF774FF81547D0     562A5202F8154331   
                                     : 090ABC4539727511     4093990AB1202451   
    PKA Signature/Asymmetric-Keys Master Key                                 
      New master key register        : N/A                  PART FULL          
        Hash pattern                 :                      234235236236234D   
                                     :                      5678567856785678   
      Old master key register        : N/A                  EMPTY              
        Hash pattern                 :                                       
                                     :                                       
      Current master key register    : VALID                VALID              
        Hash pattern                 : 9691BDA1970BDAA2     9691BDA1970BDAA2   
                                     : 1972BB5791BB2430     1972BB5791BB2430   
    PKA Key Management Master Key register                                   
        Hash pattern                 : 123412341241234D     N/A                
                                     : 5678567856785678                      
    Special Secure Mode              : Enabled              N/A                
    Environment Control Mask         : FBFEFCF0             N/A                
    Crypto Configuration Control     : EF569412CD91AB78     N/A                
                                     : 1F25A78BC88ED77A                      
    
    
     Press ENTER to refresh the hardware status display.
     Press END   to exit to the previous menu.
     

The coprocessor hardware status fields on this panel contain this information:

CRYPTO DOMAIN
This field displays the value that is specified for the DOMAIN keyword in the installation options data set at ICSF startup. This is the domain in which your system is currently working. It specifies which one of several separate sets of master key registers you can currently access. A system programmer can use the DOMAIN keyword in the installation options data set to specify the domain value to use at ICSF startup. For more information see the DOMAIN installation option.
Crypto Serial Number or Module ID
The serial number is a number for the PCI Cryptographic Coprocessor. The module ID is the unique 128-bit value that was generated for the CCF during the manufacturing process.
Status
This field displays the status of the CCF and the PCICC.
State
Indication
ACTIVE (PCICC)
The verification pattern for the SYM-MK matches the verification pattern of the DES master key on the server's Cryptographic Coprocessor Feature. The hash pattern for the ASYM-MK matches the hash pattern of the Signature Master Key (SMK) register on the server's Cryptographic Coprocessor Feature. Requests for services can then be routed to either cryptographic coprocessor.
ACTIVE (CCF)
The DES master key is valid.
ONLINE (PCICC)
The PCI Cryptographic Coprocessor is online, but one or both of the master key verification patterns or hash patterns do not match those of the server's Cryptographic Coprocessor Feature. Requests for services cannot be routed to the PCI Cryptographic Coprocessor.
ONLINE (CCF)
The DES master key is not valid.
DES/Symmetric-Keys Master Key
New Master Key Register
This field shows the state of the new master key register.

This key register can be in any of these states:

State
Indication
EMPTY
You have not entered any key parts for the initial master key, or you have just transferred the contents of this register into the master key register. Or you have RESET the registers. Or you have zeroized the domain from a TKE workstation or the Support Element.
PART FULL
You have entered one or more key parts but not the final key part.
FULL
You have entered an entire new master key, but have not transferred it to the master key register yet.

For the CCF, the new master key is held in an auxiliary key register. This auxiliary key register can contain either a new master key or an old master key. Therefore, a new master key and the old master key cannot coexist.

For the PCICC, there can be an old, new and current master key.

Verification Pattern
When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same.

If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the NMK verification patterns for each unit should match, because the patterns verify the same key.

Hash Pattern
If the master key register is not EMPTY, the panel displays a hash pattern for the key. When you enter a new master key, record the hash pattern that appears on the panel. When the master key becomes active, you can compare the hash patterns to ensure that the one you entered and set is in the master key register.

If your system is using multiple cryptographic coprocessors, you enter the same master key into all units. If the status of the new master key registers is valid, the master key register hash patterns for each unit should match, because the patterns verify the same key.

Old Master Key register
This field shows the states of the DES and symmetric keys old master key register.
State
Indication
EMPTY
You have never changed the master key and, therefore, never transferred a master key to the old master key register. Or you have zeroized the domain from a TKE workstation or the Support Element.
VALID
You have changed the master key. The master key that was current when you changed the master key was placed in the old master key register.
For the CCF, the old/new master key register is actually the auxiliary master key register. The auxiliary master key register can contain either the new master key or the old master key; therefore a new master key and an old master key cannot coexist at the same time. If an old master key exists, it is lost when you enter a new one.

For the PCICC, there can be an old, new and current master key.

Verification Pattern
When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same.

If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the DES verification patterns for each unit should match, because the patterns verify the same key.

Hash Pattern
If the master key register is not EMPTY, the panel displays a hash pattern for the key. When you enter a new master key, record the hash pattern that appears on the panel. When the master key becomes active, you can compare the hash patterns to ensure that the one you entered and set is in the master key register.

If your system is using multiple cryptographic coprocessors, you enter the same master key into all units. If the status of the new master key registers is valid, the master key register hash patterns for each unit should match, because the patterns verify the same key.

Current Master Key register
This field shows the states of the DES and symmetric-keys master key register.
State
Indication
EMPTY
You have never entered and set an initial DES/symmetric-keys master key on the coprocessor. Or you have zeroized the domain from a TKE workstation or the Support Element.
VALID
You have entered a new PKA or symmetric master key on this coprocessor and chosen either the set or change option.
Verification Pattern
When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same.

If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the NMK verification patterns for each unit should match, because the patterns verify the same key.

Hash Pattern
If the master key register is not EMPTY, the panel displays a hash pattern for the key. When you enter a new master key, record the hash pattern that appears on the panel. When the master key becomes active, you can compare the hash patterns to ensure that the one you entered and set is in the master key register.

If your system is using multiple cryptographic coprocessors, you enter the same master key into all units. If the status of the new master key registers is valid, the master key register hash patterns for each unit should match, because the patterns verify the same key.

PKA Signature/Asymmetric Master Key
New Master Key register (PCICC only)
This field shows the state of the asymmetric new master key register.

This key register can be in any of these states:

State
Indication
EMPTY
You have not entered any key parts for the initial asymmetric master key, or you have just transferred the contents of this register into the asymmetric master key register. Or you have RESET the registers. Or you have zeroized the domain from a TKE workstation or the Support Element.
PART FULL
You have entered one or more key parts but not the final key part.
Hash Pattern
If the master key register is not EMPTY, a hash pattern is displayed.
Old Master Key register (PCICC only)
This field shows the states of the asymmetric keys old master key register.
State
Indication
EMPTY
You have never changed the asymmetric master key and, therefore, never transferred an asymmetric-keys master key to the asymmetric-keys old master key register. Or you have zeroized the domain from a TKE workstation or the Support Element.
VALID
You have changed the asymmetric master key. The asymmetric master key that was current when you changed the master key was placed in the asymmetric old master key register.
Hash Pattern
If the old asymmetric master key register is valid, the panel displays a hash pattern for the asymmetric old master key.
Current Master Key register
This field shows the states of the PKA signature master key and asymmetric master key register.
State
Indication
EMPTY
You have never entered an initial PKA signature master key or an asymmetric master key on the coprocessor. Or you have zeroized the domain from a TKE workstation or the Support Element.
VALID
You have entered a new PKA signature master key or asymmetric master key on this coprocessor.
Hash Pattern
If the PKA signature master key and asymmetric master key registers are valid, the panel displays a hash pattern for the key. When you enter a new PKA signature master key and asymmetric-keys master key, record the hash pattern that appears on the panel. When the PKA signature master key and asymmetric master key become active, you can compare the hash patterns to ensure that the one you entered and set is in the master key register.

If your system is using other PCI Cryptographic Coprocessors and one or more Cryptographic Coprocessor Features, the asymmetric master key must be the same on all the PCI cards, and must also be the same as the Signature master key in the Cryptographic Coprocessor Feature. If the status of all these cryptographic coprocessors is valid, the MK hash patterns for each unit should match, because the patterns verify the same key.

Note:
An audit trail of the hash patterns that the PCI Cryptographic Coprocessor calculates appears in SMF record type 82.
PKA Key Management Master Key register (CCF only)
Hash pattern
You have entered a PKA key management master key and the hash pattern for the key register is shown here.
Special Secure Mode (CCF only)
This field shows if the special secure mode is enabled or disabled. Special secure mode is a lower form of security. This mode allows you to use KGUP to enter clear keys, produce clear PINs, use the secure key import callable service, and initialize the CKDS. Special secure mode is enabled automatically when you send a KGUP request, provided that the SSM installation option is set to YES.
Environment Control Mask (CCF only)
The environment control mask contains controls for a subset of the components for each domain. This field shows the value of this control.
Note:
Selected bits can be changed by the TKE workstation.
Crypto Configuration Control (CCF only)
The crypto configuration control contains controls to enable and disable all the major components of the crypto modules. This field shows the value of this control.

See Appendix A. CCC Bit Assignments for some selected values.

Note:
The CCC cannot be changed.
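
As an added illustration (not part of the IBM guide and not ICSF code), the Python example below parses a saved text capture of the Coprocessor Hardware Status panel by column position and applies the ACTIVE/ONLINE rule from the Status field to a PCICC and the CCF. The panel text is a constructed sample reduced to the current master key rows of Figure 179, and parse_panel and pattern_status are hypothetical names.

```python
import re

# Constructed sample: the "current master key" rows of Figure 179, two columns.
PANEL = """\
REGISTER STATUS                 COPROCESSOR C0      COPROCESSOR P00
Status                         : ACTIVE               ONLINE
DES/Symmetric-Keys Master Key
  Current master key register  : VALID                VALID
    Verification pattern       : CA6B408A02371B1D     261AAB8A02371705
    Hash pattern               : 41DF774FF81547D0     562A5202F8154331
                               : 090ABC4539727511     4093990AB1202451
PKA Signature/Asymmetric-Keys Master Key
  Current master key register  : VALID                VALID
    Hash pattern               : 9691BDA1970BDAA2     9691BDA1970BDAA2
                               : 1972BB5791BB2430     1972BB5791BB2430
"""

SYM = ("DES/Symmetric-Keys Master Key", "Current master key register", "Verification pattern")
ASYM = ("PKA Signature/Asymmetric-Keys Master Key", "Current master key register", "Hash pattern")

def parse_panel(text):
    """Return {coprocessor: {(section, register, field): value}} using column offsets."""
    cols, data, section, register, field = [], {}, None, None, None
    for line in text.splitlines():
        heads = list(re.finditer(r"COPROCESSOR (\S+)", line))
        if heads:  # header row fixes where each coprocessor's column starts
            cols = [(m.group(1), m.start()) for m in heads]
            data = {name: {} for name, _ in cols}
            continue
        colon = line.find(":")
        if colon < 0:  # no values: a section title such as "... Master Key"
            if "Master Key" in line:
                section, register = line.strip(), None
            continue
        label = line[:colon].strip()
        if label.endswith("register"):
            register, field = label, "State"
        elif label:
            field = label  # an empty label is the second half of a hash pattern
        for i, (name, off) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else len(line)
            key = (section, register, field)
            value = line[max(off, colon + 1):end].strip()
            data[name][key] = data[name].get(key, "") + value
    return data

def pattern_status(ccf, pcicc):
    """Status the patterns imply for a PCICC, per the ACTIVE/ONLINE rule above."""
    checks = (("SYM-MK verification pattern", SYM), ("ASYM-MK hash pattern", ASYM))
    bad = [what for what, key in checks if not ccf.get(key) or ccf.get(key) != pcicc.get(key)]
    return ("ONLINE" if bad else "ACTIVE"), bad

if __name__ == "__main__":
    units = parse_panel(PANEL)
    print(pattern_status(units["C0"], units["P00"]))
```

For the sample, P00 comes out ONLINE because its SYM-MK verification pattern differs from that of C0 while the asymmetric hash patterns agree, which is consistent with the Status row shown on the panel.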





Copyright IBM Corporation 1990, 2014