In these situations, the PCIXCC, CEX2C, or CEX3C clears
the master key registers so that the master key values are not disclosed.
- If the PCIXCC, CEX2C, or CEX3C detects tampering (the
intrusion latch is tripped), ALL installation data is cleared: master
keys, retained keys for all domains, as well as roles and profiles.
- If the PCIXCC, CEX2C, or CEX3C detects tampering (the
secure boundary of the card is compromised), the card is rendered
inoperable.
- If you issue a command from the TKE workstation to zeroize a domain.
This command zeroizes the master key data specific to the domain.
- If you issue a command from the Support Element panels to zeroize
all domains. This command zeroizes ALL installation data: master
keys, retained keys and access control roles and profiles.
Although the values of the master keys are cleared, the secure
keys in the CKDS are still enciphered under the cleared DES or
AES master keys. The PKA private keys are also each enciphered
under the cleared asymmetric master key. Therefore, to recover the
keys in the CKDS, and the PKA private keys, you must reenter the same
master keys and set the master key. For security reasons, you may
then want to change all the master keys.
PR/SM Considerations: If you are running
in PR/SM logical partition (LPAR) mode, there are several situations
(listed previously) that can cause loss of master keys and other data.
You must then reenter the master keys in each LPAR. If you zeroize
a domain using the TKE workstation, however, the master keys are cleared
only in that domain. Master keys in other domains are not affected
and do not need to be reentered. For more information about reentering
master keys in LPAR mode, see Appendix D. PR/SM Considerations during Key Entry.
Note:
If PPINIT was used initially, you must rerun the
utility with the same pass phrase.
When the PCIXCC, CEX2C, or CEX3C clears the master keys,
reenter the same master keys by using these steps:
- Check the status of the PKA callable services. If they are enabled,
use the Administrative Control Functions to disable them. See Steps for enabling and disabling PKA callable services and
PKDS updates for details.
- Retrieve the key parts, checksums, verification patterns, and
hash patterns you used when you entered the master keys originally.
These values should be stored in a secure place as specified in your
enterprise's security process.
- Access the Master Key Entry panels and enter the master keys as
described in Steps for entering the first master key part.
- After you have entered the master keys, select
option 2, MASTER KEY MGMT, from the primary menu. The Master Key Management
panel appears. See Figure 109. To activate the master keys you just
entered, you need to set them.
- To set any master key, choose option 2 on
the panel and press ENTER.
Figure 109. Selecting the Set Host Master Key Option on the ICSF Master Key Management Panel
CSFMKM10 ---------------- ICSF - Master Key Management ----------------
OPTION ===> 2
Enter the number of the desired option.
  1 INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or
                               activate an updated Cryptographic Key Data Set
  2 SET MK - Set a master key (AES, DES, ECC)
  3 REENCIPHER CKDS - Reencipher the CKDS prior to changing a symmetric
                      master key
  4 CHANGE SYM MK - Change a symmetric master key and activate the
                    reenciphered CKDS
  5 INIT/REFRESH/UPDATE PKDS - Initialize a Public Key Data Set or
                               activate an updated Public Key Data Set or
                               update the Public Key Data Set header
  6 REENCIPHER PKDS - Reencipher the PKDS
  7 CHANGE ASYM MK - Change an asymmetric master key and activate the
                     reenciphered PKDS
  8 COORDINATED KDS REFRESH - Perform a coordinated KDS refresh
  9 COORDINATED KDS CHANGE MK - Perform a coordinated KDS change master key
When you select option 2, ICSF checks that the states
of the registers are correct. ICSF then transfers the DES-MK master
key from the new master key register to the master key register. This
process sets the DES-MK master key.
When ICSF attempts to set the DES-MK master key, it displays a message
on the top right of the Master Key Management panel. The message indicates
either that the master key was successfully set, or that an error
prevented the completion of the set process.
When you set the reentered DES-MK master key, the DES-MK master key
that enciphers the existing CKDS now exists.
- You can now change the DES-MK master key, if you choose
to, for security reasons. Continue with Steps for changing master keys.