The types of master keys you can enter and the steps you take to
enter master keys depend on your system processor and hardware features.
You can use any of these methods to enter the master keys:
- Pass Phrase Initialization
The pass phrase initialization utility
allows the user of ICSF to:
- set both the DES and PKA master keys on the Cryptographic Coprocessor Feature, PCICC and PCIXCC.
- set the DES-MK, AES-MK, and ASYM-MK on the CEX2C or CEX3C.
- set the DES-MK, AES-MK, RSA-MK, and ECC-MK on the CEX3C.
- initialize the CKDS and PKDS
For steps in using the pass phrase initialization utility, refer
to Using the Pass Phrase Initialization Utility.
- Master Key Entry panels
The Master Key Entry panels are enhanced ISPF panels that let you enter
master key parts in the clear. Use these panels to enter master key parts
into cryptographic coprocessor hardware. Each master key part appears briefly
in the clear in MVS host storage, within the address space of the TSO user,
before it is transferred to the secure hardware. Within the boundaries of the
secure hardware, the key parts are combined to produce the master key. Have
different key custodians enter the individual parts so that no one person
knows the complete master key. The master key part entry panels provide a
level of security for master key entry that is superior to that provided with
PCF. Master key part entry is provided for installations where the security
requirements do not warrant the additional expense and complexity of the
optional TKE workstation. For master key entry steps on the coprocessors, see
Managing Master Keys - CCF and PCICC and Managing Master Keys - PCIXCC, CEX2C, or CEX3C.
- Trusted Key Entry (TKE) workstation
The TKE workstation is an optional hardware feature. The TKE workstation uses
a variety of public key cryptographic techniques to ensure both the
integrity and privacy of the logically secure master key transfer
channel. You can use a single TKE workstation to set up master keys
in all Cryptographic Coprocessor Features and Cryptographic Coprocessors within a server complex.
You must use TKE V4.0 or higher to set up DES master keys on a PCIXCC/CEX2C.
You must use TKE V5.3 or higher to set up AES master keys on a CEX2C.
You must use TKE V6.0 or higher to set up AES master keys on a CEX3C.
For information on using the TKE workstation, see z/OS Cryptographic Services ICSF TKE Workstation User's Guide.
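The following is an added example, not code from the original page or from ICSF, illustrating the split-knowledge principle behind master key part entry described above: each custodian holds one part, and only the combination of all parts yields the master key. It assumes the parts are combined by bitwise XOR (the CCA key-part convention) and that the combined DES master key is adjusted to odd parity; the check value function is an illustrative SHA-256 stand-in and is not ICSF's verification-pattern algorithm.

```python
import hashlib
import secrets


def des_parity_adjust(key: bytes) -> bytes:
    """Force every byte to odd parity, with the low-order bit as the parity bit.

    Assumption for this example: this is the DES key-byte convention the
    coprocessor applies to the combined DES master key.
    """
    out = bytearray()
    for b in key:
        upper = b & 0xFE                     # the seven key bits
        ones = bin(upper).count("1")
        out.append(upper | (0 if ones % 2 == 1 else 1))
    return bytes(out)


def combine_key_parts(parts: list[bytes]) -> bytes:
    """XOR all parts together; the result is the master key.

    Assumption: CCA-style key parts compose by XOR, so every part is needed and
    any proper subset of the parts reveals nothing about the final key.
    """
    if not parts:
        raise ValueError("at least one key part is required")
    length = len(parts[0])
    acc = bytearray(length)
    for p in parts:
        if len(p) != length:
            raise ValueError("all key parts must have the same length")
        for i, b in enumerate(p):
            acc[i] ^= b
    return bytes(acc)


def split_key(key: bytes, n_parts: int, rng=secrets.token_bytes) -> list[bytes]:
    """Split an existing key into n_parts so that XOR of all parts equals key.

    n_parts - 1 parts are drawn at random; the last part is chosen so the XOR
    closes to the original key. Each custodian receives exactly one part.
    """
    if n_parts < 2:
        raise ValueError("split knowledge needs at least two parts")
    parts = [rng(len(key)) for _ in range(n_parts - 1)]
    last = combine_key_parts(parts + [key])
    return parts + [last]


def check_value(key: bytes) -> str:
    """Hypothetical 8-byte check value so two coprocessors can be compared
    without exposing the key. Stand-in only; not ICSF's verification pattern.
    """
    return hashlib.sha256(key).hexdigest()[:16]


def master_keys_match(key_a: bytes, key_b: bytes) -> bool:
    """Compare check values rather than raw keys, as an operator would when
    confirming every coprocessor holds the same master key."""
    return check_value(key_a) == check_value(key_b)


if __name__ == "__main__":
    # Constructed sample: two custodians, two 8-byte DES key parts.
    part_1 = bytes.fromhex("0123456789abcdef")
    part_2 = bytes.fromhex("fedcba9876543210")
    mk = des_parity_adjust(combine_key_parts([part_1, part_2]))
    print("combined DES master key:", mk.hex())
    print("check value:", check_value(mk))

    # Re-split the same key three ways for three custodians and confirm it
    # reassembles to the same key (same check value, so the parts match).
    parts = split_key(mk, 3)
    print("reassembles:", master_keys_match(mk, combine_key_parts(parts)))
```

Run as a script to see the two-part example; the same functions can be used to prepare parts for several custodians from a key generated on one coprocessor so that every coprocessor accessed by the same system ends up with an identical master key.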
When you have entered the master keys, choose option 1 on the ICSF
Master Key Management panel to:
- Create the CKDS header record.
- Activate the DES master key and/or AES master key and
read the CKDS into storage.
- Create keys that ICSF uses for internal processing, and read
the CKDS into storage again.
If you wish to add ANSI, NOCV, or Enhanced System Keys to your
CKDS, choose the appropriate option, then refresh the CKDS. Note that
these keys are not present in a CKDS initialized on a z990, z890,
z9 EC, z9 BC, z10 EC, z10 BC, or z196. A CKDS initialized on one of
those newer systems cannot be shared with legacy systems.
Servers or processor models may have multiple cryptographic
coprocessor features. The master keys must be the same for all coprocessors accessed
by the same operating system.
When you have entered the PKA master keys, enter the name of the
PKDS to be initialized on the panel. To initialize the PKDS, choose
option 5 on the ICSF Master Key Management panel to:
- Create the PKDS header record.
- Activate the RSA master key and/or the ECC master key and read
that PKDS into storage.