z/OS Cryptographic Services ICSF Administrator's Guide


Entering master keys

SA22-7521-17

The types of master keys you can enter and the steps you take to enter master keys depend on your system processor and hardware features.

You can use any of these methods to enter the master keys:

  • Pass Phrase Initialization

    The pass phrase initialization utility lets an ICSF administrator:

    • set both the DES and PKA master keys on the Cryptographic Coprocessor Feature, PCICC and PCIXCC.
    • set the DES-MK, AES-MK, and ASYM-MK on the CEX2C or CEX3C.
    • set the DES-MK, AES-MK, RSA-MK, and ECC-MK on the CEX3C (the set of master keys depends on the coprocessor and on the ICSF level in use).
    • initialize the CKDS and PKDS.

    Because the utility derives every master key from the single pass phrase, the pass phrase must be protected at least as carefully as the master keys themselves.

    For steps in using the pass phrase initialization utility, refer to Using the Pass Phrase Initialization Utility.

  • Master Key Entry panels

    The Master Key Entry panels are ISPF panels on which you enter master key parts in the clear. Use them to enter master key parts into the cryptographic coprocessor hardware. Each key part appears briefly in the clear in MVS host storage, within the address space of the TSO user who enters it, before it is transferred to the secure hardware; that TSO session and its address space must therefore be protected while key parts are being entered. Within the boundaries of the secure hardware the key parts are combined to produce the master key, so the complete master key is never assembled in host storage.

    Master key part entry provides a level of security superior to that provided with PCF, and is intended for installations whose security requirements do not warrant the additional expense and complexity of the optional TKE workstation. For master key entry steps on the coprocessors, see Managing Master Keys - CCF and PCICC and Managing Master Keys - PCIXCC, CEX2C, or CEX3C.

  • Trusted Key Entry (TKE) workstation

    The TKE workstation is an optional hardware feature. The TKE workstation uses a variety of public key cryptographic techniques to ensure both the integrity and privacy of the logically secure master key transfer channel. You can use a single TKE workstation to set up master keys in all Cryptographic Coprocessor Features and Cryptographic Coprocessors within a server complex.

    You must use TKE V4.0 or higher to set up DES master keys on a PCIXCC/CEX2C. You must use TKE V5.3 or higher to set up AES master keys on a CEX2C. You must use TKE V6.0 or higher to set up AES master keys on a CEX3C.

    For information on using the TKE workstation, see z/OS Cryptographic Services ICSF TKE Workstation User’s Guide.

When you have entered the master keys, choose option 1 on the ICSF Master Key Management panel to:

  • Create the CKDS header record.
  • Activate the DES master key and/or AES master key and read the CKDS into storage.
  • Create keys that ICSF uses for internal processing, and read the CKDS into storage again.

If you want to add ANSI, NOCV, or Enhanced System Keys to your CKDS, choose the appropriate option and then refresh the CKDS. Note that these keys are not present in a CKDS initialized on a z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, or z196, and a CKDS initialized on one of those systems cannot be shared with legacy systems.

Servers or processor models may have multiple cryptographic coprocessor features. The master keys must be the same for all coprocessors accessed by the same operating system; otherwise a key encrypted under one coprocessor's master key cannot be used on another. Compare the master key verification patterns of every coprocessor after entry to confirm that they match.
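The following Python is an added example and is not code from the IBM guide or from ICSF. It illustrates two points made above: that a master key is built from key parts which are combined inside the secure hardware (CCA combines master key parts by exclusive-OR, so no single part, and no proper subset of parts, reveals anything about the key), and that every coprocessor used by one z/OS image must end up holding the same master key. The verification pattern used here is a truncated SHA-256 chosen only so that equal keys give equal patterns; it is not ICSF's verification pattern algorithm. The 32-byte key length, the coprocessor names and the sample values in the main block are constructed for the example.

```python
import hashlib
import os
from functools import reduce
from typing import Callable, Dict, List

# Illustrative master key length: 32 bytes (256 bits). This is an assumption
# for the example; a DES master key is shorter.
KEY_LEN = 32


def generate_key_parts(n_parts: int, key_len: int = KEY_LEN,
                       rng: Callable[[int], bytes] = os.urandom) -> List[bytes]:
    """Generate n_parts independent, uniformly random key parts.

    Each part is given to a different key officer. Because every part is
    uniformly random, any subset that is missing even one part is itself
    uniformly random and carries no information about the final key.
    """
    if n_parts < 2:
        raise ValueError("split knowledge needs at least two key parts")
    return [rng(key_len) for _ in range(n_parts)]


def combine_key_parts(parts: List[bytes]) -> bytes:
    """Combine key parts by exclusive-OR, as the coprocessor does for a
    master key. XOR is order independent, so officers may enter their
    parts in any sequence, but every part must be present."""
    if not parts:
        raise ValueError("no key parts supplied")
    if len({len(p) for p in parts}) != 1:
        raise ValueError("all key parts must have the same length")
    return reduce(lambda acc, p: bytes(a ^ b for a, b in zip(acc, p)), parts)


def split_existing_key(key: bytes, n_parts: int,
                       rng: Callable[[int], bytes] = os.urandom) -> List[bytes]:
    """Split an already known key into n_parts parts whose XOR is the key.

    All parts but the last are random; the last is chosen as the XOR of the
    random parts and the key, so that combining all parts yields the key.
    """
    if n_parts < 2:
        raise ValueError("split knowledge needs at least two key parts")
    random_parts = [rng(len(key)) for _ in range(n_parts - 1)]
    last = combine_key_parts(random_parts + [key])
    return random_parts + [last]


def verification_pattern(key: bytes) -> str:
    """Stand-in verification pattern: truncated SHA-256 of the key.

    NOT ICSF's algorithm. It only needs two properties for this example:
    equal keys give equal patterns, and the pattern does not reveal the key.
    """
    return hashlib.sha256(b"mk-vp-example:" + key).hexdigest()[:16]


def coprocessors_consistent(patterns: Dict[str, str]) -> bool:
    """True when every coprocessor reports the same verification pattern,
    i.e. all coprocessors on this system hold the same master key."""
    return len(set(patterns.values())) == 1


if __name__ == "__main__":
    # Constructed scenario: three key officers, each holding one part.
    parts = generate_key_parts(3)
    master_key = combine_key_parts(parts)
    expected_vp = verification_pattern(master_key)

    # Two of three parts give a value unrelated to the master key.
    assert combine_key_parts(parts[:2]) != master_key

    # Constructed coprocessor names; CEX3C01 was loaded with a missing part.
    observed = {
        "CEX3C00": verification_pattern(combine_key_parts(parts)),
        "CEX3C01": verification_pattern(combine_key_parts(parts[:2])),
    }
    print("expected VP:", expected_vp)
    for name, vp in observed.items():
        print(f"{name}: {vp} {'OK' if vp == expected_vp else 'MISMATCH'}")
    print("all coprocessors consistent:", coprocessors_consistent(observed))
```

The main block deliberately loads one coprocessor with only two of the three parts so that the mismatch is visible; in practice the check is the same, compare the verification pattern each coprocessor reports against the one expected for the combined key before activating it.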

When you have entered the PKA master keys, enter the name of the PKDS to be initialized on the panel. To initialize the PKDS, choose option 5 on the ICSF Master Key Management panel to:

  • Create the PKDS header record.
  • Activate the RSA master key and/or the ECC master key and read that PKDS into storage.





Copyright IBM Corporation 1990, 2014