z/OS Cryptographic Services ICSF Administrator's Guide


Master Keys

SA22-7521-17

ICSF uses master keys to protect other keys. Keys are active on a system only when they are encrypted under a master key variant, so the master key protects all keys that are used on the system. A key is in operational form when it has been encrypted under a master key variant.

The ICSF administrator initializes and changes master keys using the ICSF panels or TKE. Master keys always remain in a secure area in the cryptographic hardware.
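
The two paragraphs above describe the rule that a key is usable only in operational form, that is, encrypted under a variant of a master key that never leaves the hardware. The following constructed Python model (added here, not ICSF code) makes that rule concrete: the master key, the "coprocessor" object, and the variant derivation by XOR with a per-key-type constant are illustrative assumptions, not ICSF's actual algorithm, and it uses AES key wrap from the `cryptography` package.

```python
# Toy model of master-key protection of operational keys (constructed example,
# not ICSF code). The variant rule (XOR with a per-key-type constant) and the
# "coprocessor" object are illustrative simplifications, not ICSF's algorithm.
import os
from cryptography.hazmat.primitives.keywrap import (
    aes_key_wrap, aes_key_unwrap, InvalidUnwrap,
)
# Master key lengths in bytes, as documented on this page.
MASTER_KEY_LENGTHS = {"DES-MK": 16, "AES-MK": 32, "RSA-MK": 24, "ECC-MK": 32}
# Illustrative constants that turn the master key into one variant per key type.
VARIANT_CONSTANTS = {"AES-DATA": 0x01, "HMAC": 0x02}


class ToyCoprocessor:
    def __init__(self, master_key=None):
        # The master key stays inside this object, the model's "secure area".
        self._mk = master_key or os.urandom(MASTER_KEY_LENGTHS["AES-MK"])
        if len(self._mk) != MASTER_KEY_LENGTHS["AES-MK"]:
            raise ValueError("AES master key must be 32 bytes")

    def _variant(self, key_type):
        return bytes(b ^ VARIANT_CONSTANTS[key_type] for b in self._mk)

    def make_operational(self, key_type, clear_key):
        # Operational form: the key encrypted under a master key variant (AES-KW).
        return aes_key_wrap(self._variant(key_type), clear_key)

    def use_key(self, key_type, operational_key):
        # Unwrap inside the coprocessor (a real HSM uses, never returns, the
        # clear key). A wrong variant or a different master key fails here.
        return aes_key_unwrap(self._variant(key_type), operational_key)


def unwrap_ok(cop, key_type, operational_key):
    """True when the coprocessor accepts the operational key under that variant."""
    try:
        cop.use_key(key_type, operational_key)
        return True
    except InvalidUnwrap:
        return False


def demo():
    cop_a, cop_b = ToyCoprocessor(), ToyCoprocessor()  # two different master keys
    clear = os.urandom(32)
    op = cop_a.make_operational("AES-DATA", clear)
    return {
        "round_trip": cop_a.use_key("AES-DATA", op) == clear,
        "wrong_type": unwrap_ok(cop_a, "HMAC", op),        # same MK, other variant
        "other_system": unwrap_ok(cop_b, "AES-DATA", op),  # key is not active there
    }
```

Running `demo()` shows the round trip succeeding while the same operational key is rejected under another variant and on a system with a different master key, which is why a key is active only where its master key is loaded.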

ICSF uses master keys to protect keys that are used with the PCICC, PCIXCC, CEX2C, or CEX3C:

DES Master Key
The DES (DES-MK) master key is a 16-byte (128-bit) key that is used to protect symmetric DES/TDES keys used on the PCICC, PCIXCC, CEX2C, or CEX3C. On a PCICC, this key must have the same value as the DES master key on the zSeries.
AES Master Key
The AES (AES-MK) master key is a 32-byte (256-bit) key that is used to protect AES keys used on the CEX2C or CEX3C, and HMAC keys used on a CEX3C. It is only available on the z9 EC, z9 BC, z10 EC, z10 BC, and z196 with the Nov. 2008 or later licensed internal code (LIC).
RSA Master Key
The RSA (RSA-MK) master key is a 24-byte (192-bit) key. The RSA-MK master key protects RSA private keys that are used on the PCICC, PCIXCC, CEX2C, or CEX3C.
ECC Master Key
The ECC (ECC-MK) master key is a 32-byte (256-bit) key that is used to protect ECC keys used on the CEX3C. It is only available on the z196 with the Sept. 2010 or later licensed internal code (LIC).

Restriction: Master keys on a z990 or z890 require a PCIXCC or CEX2C. Master keys on a z9 EC and z9 BC require a CEX2C. Master keys on a z10 EC and z10 BC require a CEX2C or CEX3C. Master keys on a z196 require a CEX3C.

ICSF uses three types of master keys to protect keys that are used with the Cryptographic Coprocessor Feature:

DES Master Key
The DES master key is a double-length (128-bit) key that is used to protect DES and CDMF keys.
PKA Key Management Master Key
The PKA key management master key (KMMK) is a triple-length (192-bit) key. The KMMK protects PKA private keys that are used in both the digital signature services and in the CDMF and DES data key distribution functions. Support for the PKA KMMK is available only on the Cryptographic Coprocessor Feature on the IBM eServer zSeries 900 processors.
PKA Signature Master Key
The PKA signature master key (SMK) is a triple-length (192-bit) key. The SMK protects PKA private keys that are used only in digital signature services. Support for the PKA SMK is available only on the Cryptographic Coprocessor Feature on the IBM eServer zSeries 900 processors.
Note:
On CCF systems, it is strongly recommended that the KMMK have the same value as the SMK.

Copyright IBM Corporation 1990, 2014