Reentering master keys when they have been cleared

z/OS Cryptographic Services ICSF Administrator's Guide SA22-7521-17

In these situations, the Cryptographic Coprocessor Feature clears the master key registers so that the master key values are not disclosed.
In these situations, the PCI Cryptographic Coprocessor Feature (PCICC) clears the master key registers so that the master key values are not disclosed.
Although the values of the master keys are cleared, the keys in the CKDS are still enciphered under the cleared DES master key. The RSA and DSS private keys are also each enciphered under one of the cleared PKA master keys. Therefore, to recover the keys in the CKDS, and the PKA private keys, you must reenter the same master keys and set the DES master key. For security reasons, you may then want to change all the master keys.

PR/SM Considerations: If you are running in PR/SM logical partition (LPAR) mode, there are several situations (listed previously) that can cause loss of master keys and other data. In these cases, you must first ensure that key entry is enabled for each LP on the Change LPAR Crypto page on the support element Hardware Master Console. You must then reenter the master keys in each LP.

If you zeroize a domain using the TKE workstation, however, the master keys are cleared only in that domain. Master keys in other domains are not affected and do not need to be reentered.

For more information about reentering master keys in LPAR mode, see Appendix D. PR/SM Considerations during Key Entry.

Copyright IBM Corporation 1990, 2014