z/OS Cryptographic Services ICSF Administrator's Guide


Entering keys into the cryptographic key data set (CKDS)

SA22-7521-17

All DES, AES, and HMAC keys (except for master keys) can be stored in the CKDS.

Note:
FMID HCR7780 introduced a variable-length record format for CKDS records. HMAC keys, also introduced in FMID HCR7780, are variable-length keys, and variable-length AES keys were introduced in FMID HCR7790. Before any variable-length key can be stored in the CKDS, the CKDS must have been converted to the variable-length record format. ICSF provides a conversion program, CSFCNV2, that converts a fixed-length record format CKDS to the variable-length record format. For more information on this utility, refer to z/OS Cryptographic Services ICSF System Programmer's Guide.

There are several methods you can use to enter keys into the CKDS.

  • Key generator utility program (KGUP)

    Regardless of your processor or server model, you can use KGUP to enter keys into the CKDS.

  • Dynamic CKDS update callable services

    Regardless of your processor or server model, you can program applications to use the dynamic CKDS update callable services to enter keys into the CKDS.

  • Trusted Key Entry (TKE) workstation

    With the TKE workstation you can load key parts for operational (PIN and transport) keys into a key queue on the Cryptographic Coprocessor Feature (CCF). To move these key parts from the key queue into the CKDS, you must also use the ICSF Operational Key panel and then perform a CKDS refresh. For more information, refer to z/OS Cryptographic Services ICSF TKE Workstation User's Guide.

    DES operational key support for PCIXCC/CEX2C is available in TKE V4.1 and higher. AES operational key support for CEX2C is available in TKE V5.3. You can load key parts for all operational keys into key part registers on the card. To load the accumulated key into the CKDS, you must use the ICSF DES Operational Key Load panel or KGUP. For more information, refer to the z/OS Cryptographic Services ICSF TKE Workstation User’s Guide.

Table 2 shows which key types can be entered by each of these methods.

Table 2. Methods for Entering Each Key Type into the CKDS

Key Type                                  | KGUP | Dynamic Update | TKE with CCF | TKE with PCIXCC, CEX2C, or CEX3C
------------------------------------------|------|----------------|--------------|---------------------------------
PIN                                       |  X   |       X        |      X       |               X
Importer and Exporter key-encrypting keys |  X   |       X        |      X       |               X
Data-encrypting                           |  X   |       X        |              |
Data-translation*                         |  X   |       X        |              |
MAC and MACVER                            |  X   |       X        |              |               X
HMAC and HMACVER                          |      |       X        |              |
DATAM and DATAMV                          |  X   |       X        |              |               X
ANSI key-encrypting keys*                 |      |       X        |              |
IMP-PKA keys                              |  X** |       X        |      X       |               X
Non-standard CV keys                      |  X** |       X        |              |               X
Notes:
  1. * ANSI and data-translation keys are only supported on the IBM eServer zSeries 900.
  2. ** The key can only be loaded using the KGUP OPKYLOAD option, requiring a TKE workstation to accumulate the key in the key part register.

Entering keys by using the key generator utility program

One function that KGUP performs is to enter key values that you supply into the CKDS. You submit KGUP control statements to tell KGUP which function to perform; to enter a key, you specify the key value in a control statement. The value can be supplied in either of two forms, encrypted or clear.

When you enter an encrypted key value, the value must be encrypted under an importer key-encrypting key that already exists in the CKDS, and you name that importer key in the control statement. KGUP reenciphers the key from under the importer key-encrypting key to under the master key and places it in the CKDS. The clear value of the key never appears in the control statement or in the job's input.

When you enter a clear key value, KGUP enciphers the clear value under the master key and places the key in the CKDS. Because handling clear keys endangers security, ICSF must be in special secure mode before KGUP will accept a clear key. Special secure mode deliberately lowers the security of your system so that KGUP can enter clear keys and produce clear PINs; it should be enabled only while such work is being done.

Special Secure Mode

To use special secure mode, several conditions must be met.

  • The installation options data set must specify YES for the SSM installation option.

    For information about specifying installation options, see z/OS Cryptographic Services ICSF System Programmer’s Guide.

  • The environmental control mask (ECM) must be configured to permit special secure mode.

    The ECM is a 32-bit mask that is defined for each crypto domain during hardware installation. The second bit in this mask must have been turned on to enable special secure mode.

    This is required for systems with the Cryptographic Coprocessor Feature.

  • If you are running in LPAR mode, special secure mode must be enabled

    You enable special secure mode during activation using the Crypto page of the Customize Activation Profiles task. After activation, you can enable or disable special secure mode with the Change LPAR Crypto task. Both tasks are accessed from the Hardware Management Console (HMC).

    This is required for systems with the Cryptographic Coprocessor Feature.

If these conditions permit the use of special secure mode, it is enabled automatically when you specify that you are entering clear key values in a KGUP statement.

For a detailed description of how to use KGUP to enter keys, see Managing Cryptographic Keys Using the Key Generator Utility Program.
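The two KGUP entry paths described above, shown together in one job, as an added illustration that is not taken from this guide. The program name CSFKGUP, the DD names CSFCKDS, CSFIN, CSFDIAG, CSFKEYS and CSFSTMNT, and the ADD statement keywords TYPE, LABEL, TRANSKEY, KEY and CLEAR are those documented in the KGUP chapter; the data set names, key labels and key values are placeholders, and the output data sets are assumed to be preallocated. Verify the exact statement syntax for your ICSF release before use.

```jcl
//KGUPADD  JOB (ACCT),'CKDS KEY ENTRY',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*------------------------------------------------------------------*
//* Added example, not from the ICSF guide. Data set names, labels   *
//* and key values are placeholders; CSFKEYS and CSFSTMNT are        *
//* assumed to be preallocated as described in the KGUP chapter.     *
//*------------------------------------------------------------------*
//KGUP     EXEC PGM=CSFKGUP
//* The DASD copy of the CKDS that KGUP updates
//CSFCKDS  DD DSN=CSF.CKDS,DISP=OLD
//* Control statements. Statement 1 is the encrypted path: IMP.KEK1
//* already exists in the CKDS and the KEY value is the new DATA key
//* enciphered under it, so the clear key never appears in this job.
//* Statement 2 is the clear path: CLEAR puts ICSF into special
//* secure mode, which requires SSM(YES) and the ECM/LPAR settings
//* described above, and leaves the clear value in this input.
//CSFIN    DD *
 ADD TYPE(DATA) LABEL(PAY.KEY1) TRANSKEY(IMP.KEK1) KEY(1A2B3C4D5E6F7081)
 ADD TYPE(DATA) LABEL(TEST.KEY1) CLEAR KEY(0123456789ABCDEF)
/*
//* Diagnostic messages
//CSFDIAG  DD SYSOUT=*
//* Key output file and control statement output file (preallocated)
//CSFKEYS  DD DSN=CSF.KGUP.KEYS,DISP=OLD
//CSFSTMNT DD DSN=CSF.KGUP.STMNT,DISP=OLD
```

Two points a practitioner should keep in mind. First, KGUP updates the DASD copy of the CKDS; the in-storage copy used by running applications does not see the new records until a CKDS refresh is performed. Second, the CLEAR statement means the key value is readable by anyone who can read the job stream or the CSFIN data set, so protect that data set as you would the key itself and prefer the TRANSKEY path whenever an importer key-encrypting key is available.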

Entering keys by using the dynamic CKDS update services

ICSF provides a set of callable services that allow applications to dynamically update the CKDS. Applications can use these services to create, write, and delete CKDS records (the key record create, key record write, and key record delete services, CSNBKRC, CSNBKRW, and CSNBKRD, with CSNBKRC2 and CSNBKRW2 for variable-length tokens). These dynamic updates affect both the DASD copy of the CKDS currently in use and the in-storage copy, so no CKDS refresh is needed. Another service, key record read (CSNBKRR, or CSNBKRR2 for variable-length tokens), retrieves the key token from a record in the in-storage CKDS; that token can be used directly in subsequent CALLs to cryptographic services. The key part import callable service (CSNBKPI) combines clear key parts and returns the key either in an internal key token or as a dynamic update to the CKDS. For more information on using the dynamic CKDS update services or the key part import service, refer to z/OS Cryptographic Services ICSF Application Programmer's Guide.

Copyright IBM Corporation 1990, 2014