z/OS Cryptographic Services ICSF Administrator's Guide


Displaying coprocessor hardware status - PCIXCC, CEX2C, and CEX3C

SA22-7521-17

You can use the ICSF panels to view the status of the cryptographic coprocessor key registers, the master key verification patterns, and other information about the cryptographic hardware. You can use this information for master key management.

When you enter and activate an AES, DES, ECC or RSA master key, you change the status of the registers. The cryptographic facility contains three key registers: one for the old master key, one for the new, and one for the current. The current master key register contains the active master key. When you have a PCIXCC, CEX2C, or CEX3C, the old master key is not lost when a new master key is loaded.

To display coprocessor hardware status:

  1. From the Coprocessor Management panel, select the coprocessors to be processed by typing an 'S'.
    Figure 180. Selecting the coprocessor on the Coprocessor Management Panel
     CSFGCMP0 ---------------- ICSF Coprocessor Management -------------
     COMMAND ===> 
    
    Select the coprocessors to be processed and press ENTER.
    Action characters are: A, D, E, K, R, and S. See the help panel for details.
    
                     Serial
      CoProcessor    Number         Status      AES   DES   ECC   RSA 
      -----------   ---------       ------      ---   ---   ---   ---- 
     __ A06                         ACTIVE                          
     __ H07                         ACTIVE                          
     __ X05          42-K0011       ACTIVE       -     A     -     C
     s  G02          42-K0111       ONLINE       C     C     C     C
     s  E04          42-K0043       DEACTIVATED  -     C     -     C 
     __ X05          42-K0058       DISABLED     -     -     -     -
  2. The Coprocessor Hardware Status panel appears (Figure 181). When more than two coprocessors are requested, the status display can be scrolled down to show the other coprocessors. You can scroll down using PFKey 8 and up using PFKey 7.
    Figure 181. Coprocessor Hardware Status Panel
     CSFCMP40 ----------- ICSF - Coprocessor Hardware Status  ----------------
     OPTION ===>
    
                                                           CRYPTO DOMAIN: 8
    
    
     REGISTER STATUS                  COPROCESSOR G02                     
                                                                         
      Crypto Serial Number          : 42-K0111                            
      Status                        : ACTIVE                              
     AES Master Key                                                      
        New Master Key register     : EMPTY                               
          Verification pattern      :                                     
        Old Master Key register     : VALID                               
          Verification pattern      : BF494FF74B86343F                    
        Current Master Key register : VALID                               
          Verification pattern      : 2058C870E9D3194F
    
     DES Master Key                                                      
        New Master Key register     : EMPTY                               
          Verification pattern      :                                     
          Hash pattern              :                                     
                                    :                                     
        Old Master Key register     : VALID                               
          Verification pattern      : 1D08F1C67A1B709A                    
          Hash pattern              : 2B0C723D1AB9C948                    
                                    : E9C9E32E7FF3B7F4                    
        Current Master Key register : VALID                               
          Verification pattern      : CA6B408A02371B1D                    
          Hash pattern              : DF3A50AE35466123                    
                                    : 96EF557E8BD074C1                    
     ECC Master Key                                          
        New Master Key register     : EMPTY                               
          Verification pattern      :                 
        Old Master Key register     : VALID                               
          Verification pattern      : 9999999999999999
        Current Master Key register : VALID                               
          Verification pattern      : 9999999999999999                    
                         
     RSA Master Key                                          
        New Master Key register     : EMPTY                               
          Verification pattern      :                                     
                                    :                                     
        Old Master Key register     : VALID                               
          Verification pattern      : EF4C65754B5088C2                    
                                    : 2D03480BC7B952B2                    
        Current Master Key register : VALID                               
          Verification pattern      : E83F158521FEEA23                    
                                    : 986CC9483DAFD711

The coprocessor hardware status fields on this panel contain this information:

CRYPTO DOMAIN
This field displays the value that is specified for the DOMAIN keyword in the installation options data set at ICSF startup. This is the domain in which your system is currently working. It specifies which one of several separate sets of master key registers you can currently access. A system programmer can use the DOMAIN keyword in the installation options data set to specify the domain value to use at ICSF startup. For more information see the DOMAIN installation option.
Crypto Serial Number
The serial number is a number for the PCIXCC, CEX2C, or CEX3C.
Status
This field displays the status of the PCIXCC, CEX2C, or CEX3C.
State
Indication
ACTIVE
The verification pattern for the DES-MK matches the verification pattern of the CKDS. Requests for services can be routed to the coprocessor.
ONLINE
The coprocessor is online. The DES-MK verification pattern does not match the verification pattern in the CKDS. Requests for services cannot be routed to the coprocessor.
DES Master Key
New Master Key Register
This field shows the state of the DES new master key register.

This key register can be in any of these states:

State
Indication
EMPTY
You have not entered any key parts for the initial master key, you have just transferred the contents of this register into the master key register, you have RESET the registers, or you have zeroized the domain from a TKE workstation or the Support Element.
PART FULL
You have entered one or more key parts but not the final key part.
FULL
You have entered an entire new master key, but have not transferred it to the master key register yet.

For the PCIXCC, CEX2C, or CEX3C, there can be an old, new and current master key.

Verification Pattern
When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same.

If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the NMK verification patterns for each unit should match, because the patterns verify the same key.

Hash Pattern
If the master key register is not EMPTY, the panel displays a hash pattern for the key. When you enter a new master key, record the hash pattern that appears on the panel. When the master key becomes active, you can compare the hash patterns to ensure that the one you entered and set is in the master key register.

If your system is using multiple cryptographic coprocessors, you enter the same master key into all units. If the status of the new master key registers is valid, the master key register hash patterns for each unit should match, because the patterns verify the same key.

Old Master Key register
This field shows the states of the DES old master key register.
State
Indication
EMPTY
You have never changed the master key and, therefore, never transferred a master key to the old master key register, or you have zeroized the domain from a TKE workstation or the Support Element.
VALID
You have changed the master key. The master key that was current when you changed the master key was placed in the old master key register.

For the PCIXCC, CEX2C, or CEX3C, there can be an old, new and current master key.

Verification Pattern
When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same.

If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the DES-MK verification patterns for each unit should match, because the patterns verify the same key.

Hash Pattern
If the master key register is not EMPTY, the panel displays a hash pattern for the key. When you enter a new master key, record the hash pattern that appears on the panel. When the master key becomes active, you can compare the hash patterns to ensure that the one you entered and set is in the master key register.

If your system is using multiple cryptographic coprocessors, you enter the same master key into all units. If the status of the new master key registers is valid, the master key register hash patterns for each unit should match, because the patterns verify the same key.

Current Master Key register
This field shows the states of the DES master key register.
State
Indication
EMPTY
You have never entered and set an initial symmetric master key, or you have zeroized the domain from a TKE workstation or the Support Element.
VALID
You have entered a new symmetric master key on this coprocessor and chosen either the set or change option.
Verification Pattern
When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same.

If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the NMK verification patterns for each unit should match, because the patterns verify the same key.

Hash Pattern
If the master key register is not EMPTY, the panel displays a hash pattern for the key. When you enter a new master key, record the hash pattern that appears on the panel. When the master key becomes active, you can compare the hash patterns to ensure that the one you entered and set is in the master key register.

If your system is using multiple cryptographic coprocessors, you enter the same master key into all units. If the status of the new master key registers is valid, the master key register hash patterns for each unit should match, because the patterns verify the same key.

AES Master Key
New Master Key Register
This field shows the state of the new master key register.

This key register can be in any of these states:

State
Indication
EMPTY
You have not entered any key parts for the initial master key, you have just transferred the contents of this register into the master key register, you have RESET the registers, or you have zeroized the domain from a TKE workstation or the Support Element.
PART FULL
You have entered one or more key parts but not the final key part.
FULL
You have entered an entire new master key, but have not transferred it to the master key register yet.

For the CEX2C or CEX3C, there can be an old, new and current master key.

Verification Pattern
When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same.

If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the NMK verification patterns for each unit should match, because the patterns verify the same key.

Old Master Key register
This field shows the states of the AES old master key register.
State
Indication
EMPTY
You have never changed the master key and, therefore, never transferred a master key to the old master key register, or you have zeroized the domain from a TKE workstation or the Support Element.
VALID
You have changed the master key. The master key that was current when you changed the master key was placed in the old master key register.

For the CEX2C or CEX3C, there can be an old, new and current master key.

Verification Pattern
When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same.

If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the AES-MK verification patterns for each unit should match, because the patterns verify the same key.

Current Master Key register
This field shows the states of the AES master key register.
State
Indication
EMPTY
You have never entered and set an initial symmetric master key, or you have zeroized the domain from a TKE workstation or the Support Element.
VALID
You have entered a new symmetric master key on this coprocessor and chosen either the set or change option.
Verification Pattern
When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same.

If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the NMK verification patterns for each unit should match, because the patterns verify the same key.

ECC Master Key
New Master Key Register
This field shows the state of the new master key register.

This key register can be in any of these states:

State
Indication
EMPTY
You have not entered any key parts for the initial master key, you have just transferred the contents of this register into the master key register, you have RESET the registers, or you have zeroized the domain from a TKE workstation or the Support Element.
PART FULL
You have entered one or more key parts but not the final key part.
FULL
You have entered an entire new master key, but have not transferred it to the master key register yet.

For the CEX2C or CEX3C, there can be an old, new and current master key.

Verification Pattern
When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same.

If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the NMK verification patterns for each unit should match, because the patterns verify the same key.

Old Master Key register
This field shows the states of the ECC old master key register.
State
Indication
EMPTY
You have never changed the master key and, therefore, never transferred a master key to the old master key register, or you have zeroized the domain from a TKE workstation or the Support Element.
VALID
You have changed the master key. The master key that was current when you changed the master key was placed in the old master key register.

For the CEX2C or CEX3C, there can be an old, new and current master key.

Verification Pattern
When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same.

If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the ECC-MK verification patterns for each unit should match, because the patterns verify the same key.

Current Master Key register
This field shows the states of the ECC master key register.
State
Indication
EMPTY
You have never entered and set an initial symmetric master key, or you have zeroized the domain from a TKE workstation or the Support Element.
VALID
You have entered a new symmetric master key on this coprocessor and chosen either the set or change option.
Verification Pattern
When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same.

If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the NMK verification patterns for each unit should match, because the patterns verify the same key.

RSA Master Key
New Master Key register
This field shows the state of the RSA new master key register.

This key register can be in any of these states:

State
Indication
EMPTY
You have not entered any key parts for the initial RSA master key, you have just transferred the contents of this register into the RSA master key register, you have RESET the registers, or you have zeroized the domain from a TKE workstation or the Support Element.
PART FULL
You have entered one or more key parts but not the final key part.
Verification Pattern
If the master key register is not EMPTY, a verification pattern is displayed.
Old Master Key register
This field shows the state of the RSA old master key register.
State
Indication
EMPTY
You have never changed the RSA master key and, therefore, never transferred an RSA master key to the RSA old master key register, or you have zeroized the domain from a TKE workstation or the Support Element.
VALID
You have changed the RSA master key. The RSA master key that was current when you changed the master key was placed in the RSA old master key register.
Verification Pattern
If the old asymmetric master key register is valid, the panel displays a verification pattern for the RSA old master key.
Current Master Key register
This field shows the states of the RSA master key register.
State
Indication
EMPTY
You have never entered an initial RSA master key on the coprocessor, or you have zeroized the domain from a TKE workstation or the Support Element.
VALID
You have entered a new RSA master key on this coprocessor.
Verification Pattern
If the RSA master key registers are valid, the panel displays a verification pattern for the key. When you enter a new RSA master key, record the verification pattern that appears on the panel. When the RSA master key becomes active, you can compare the verification patterns to ensure that the one you entered and set is in the master key register.

The RSA master key must be the same on all the PCI X cards. If the status of all these cryptographic coprocessors is valid, the MK verification patterns for each unit should match, because the patterns verify the same key.

Note:
An audit trail of the verification patterns that the PCIXCC, CEX2C, or CEX3C calculates appears in SMF record type 82.
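
The two comparisons described above (the pattern recorded at key entry against the new master key register, and the same register across coprocessors) can be run over a saved copy of the status panel. The Python below is an added example, not part of the IBM guide or of ICSF; it assumes one coprocessor per captured block laid out as in Figure 181, and the names parse_panels, check and SAMPLE, and the sample capture itself, are constructed for illustration.

```python
import re

# Constructed capture (AES/DES only); only G02's DES current values come from Figure 181.
SAMPLE = """\
 REGISTER STATUS                  COPROCESSOR G02
 AES Master Key
    New Master Key register     : FULL
      Verification pattern      : 1111111111111111
 DES Master Key
    New Master Key register     : EMPTY
      Verification pattern      :
    Current Master Key register : VALID
      Verification pattern      : CA6B408A02371B1D
      Hash pattern              : DF3A50AE35466123
                                : 96EF557E8BD074C1
 REGISTER STATUS                  COPROCESSOR E04
 AES Master Key
    New Master Key register     : FULL
      Verification pattern      : 2222222222222222
 DES Master Key
    Current Master Key register : VALID
      Verification pattern      : CA6B408A02371B1D
      Hash pattern              : DF3A50AE35466123
                                : 0000000000000000
"""

HEADER = re.compile(r"COPROCESSOR\s+(\S+)")
SECTION = re.compile(r"^\s*(AES|DES|ECC|RSA) Master Key\s*$")
REGISTER = re.compile(r"^\s*(New|Old|Current) Master Key register\s*:\s*(.*?)\s*$")
FIELD = re.compile(r"^\s*(Verification pattern|Hash pattern)?\s*:\s*([0-9A-F]{16})?\s*$")

def parse_panels(text):
    """Map coprocessor -> (key type, register) -> state and joined patterns."""
    panels, cop, key_type, reg, field = {}, None, None, None, None
    for line in text.splitlines():
        if m := HEADER.search(line):
            cop, key_type, reg = m.group(1), None, None
            panels[cop] = {}
        elif m := SECTION.match(line):
            key_type, reg = m.group(1), None
        elif (m := REGISTER.match(line)) and cop and key_type:
            reg = {"state": m.group(2), "Verification pattern": "", "Hash pattern": ""}
            panels[cop][(key_type, m.group(1))] = reg
            field = None
        elif (m := FIELD.match(line)) and reg is not None:
            field = m.group(1) or field  # a bare ':' line continues the last field
            if field and m.group(2):
                reg[field] += m.group(2)
    return panels

def check(panels, recorded_new=None):
    """Return sorted (key type, register, problem, coprocessors) findings."""
    findings, seen, recorded_new = [], {}, recorded_new or {}
    for cop, regs in panels.items():
        for (key_type, register), r in regs.items():
            if r["state"] == "EMPTY":
                continue  # an EMPTY register displays no pattern to compare
            seen.setdefault((key_type, register), {})[cop] = (r["Verification pattern"], r["Hash pattern"])
            want = recorded_new.get(key_type)
            if r["state"] == "FULL" and want and r["Verification pattern"] != want:
                findings.append((key_type, register, "differs from recorded pattern", [cop]))
    for (key_type, register), per_cop in seen.items():
        if len(set(per_cop.values())) > 1:
            findings.append((key_type, register, "differs between coprocessors", sorted(per_cop)))
    return sorted(findings)
```

Calling check(parse_panels(SAMPLE), {"AES": "1111111111111111"}) reports the AES new master key register on E04 and the DES current hash pattern as mismatches; an empty result means every populated register agrees across the captured coprocessors.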





Copyright IBM Corporation 1990, 2014