z/OS Cryptographic Services ICSF Administrator's Guide
Previous topic | Next topic | Contents | Index | Contact z/OS | Library | PDF


Reentering master keys when they have been cleared

z/OS Cryptographic Services ICSF Administrator's Guide
SA22-7521-17

In these situations, the PCIXCC, CEX2C, or CEX3C clears the master key registers so that the master key values are not disclosed.

  • If the PCIXCC, CEX2C, or CEX3C detects tampering (the intrusion latch is tripped), ALL installation data is cleared: master keys, retained keys for all domains, as well as roles and profiles.
  • If the PCIXCC, CEX2C, or CEX3C detects tampering (the secure boundary of the card is compromised), the card is rendered inoperable.
  • If you issue a command from the TKE workstation to zeroize a domain

    This command zeroizes the master key data specific to the domain.

  • If you issue a command from the Support Element panels to zeroize all domains.

    This command zeroizes ALL installation data: master keys, retained keys and access control roles and profiles.

Although the values of the master keys are cleared, the secure keys in the CKDS are still enciphered under the cleared DES or AES master keys. The PKA private keys are also each enciphered under the cleared asymmetric master key. Therefore, to recover the keys in the CKDS, and the PKA private keys, you must reenter the same master keys and set the master key. For security reasons, you may then want to change all the master keys.

PR/SM Considerations: If you are running in PR/SM logical partition (LPAR) mode, there are several situations (listed previously) that can cause loss of master keys and other data. You must then reenter the master keys in each LPAR. If you zeroize a domain using the TKE workstation, however, the master keys are cleared only in that domain. Master keys in other domains are not affected and do not need to be reentered. For more information about reentering master keys in LPAR mode, see Appendix D. PR/SM Considerations during Key Entry.

Note:
If PPINIT was used initially, you must rerun the utility with the same pass phrase.

When the PCIXCC, CEX2C, or CEX3C clears the master keys, reenter the same master keys by using these steps:

  1. Check the status of the PKA callable services. If they are enabled, use the Administrative Control Functions to disable them. See Steps for enabling and disabling PKA callable services and PKDS updates for details.
  2. Retrieve the key parts, checksums, verification patterns, and hash patterns you used when you entered the master keys originally.

    These values should be stored in a secure place as specified in your enterprises security process.

  3. Access the Master Key Entry panels and enter the master keys as described in Steps for entering the first master key part.
  4. After you have entered the master keys, select option 2, MASTER KEY MGMT, from the primary menu. The Master Key Management panel appears. See Figure 109.

    To activate the master keys you just entered, you need to set them.

  5. To set any master key, choose option 2 on the panel and press ENTER.
    Figure 109. Selecting the Set Host Master Key Option on the ICSF Master Key Management Panel 
     CSFMKM10 ---------------- ICSF - Master Key Management  ----------------
 OPTION ===>  2

 Enter the number of the desired option.                                       
                                                                              
   1  INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or    
                           activate an updated Cryptographic Key Data Set      
   2  SET MK            -  Set a master key (AES, DES, ECC)               
   3  REENCIPHER CKDS   -  Reencipher the CKDS prior to changing a symmetric   
                           master key                                          
   4  CHANGE SYM MK     -  Change a symmetric master key and activate the      
                           reenciphered CKDS 
   5  INIT/REFRESH/UPDATE PKDS -  Initialize a Public Key Data Set or
                           activate an updated Public Key Data Set or
                           update the Public Key Data Set header              
   6  REENCIPHER PKDS   -  Reencipher the PKDS        
   7  CHANGE ASYM MK    -  Change an asymmetric master key and activate the
                           reenciphered PKDS
   8  COORDINATED KDS REFRESH - Perform a coordinated KDS refresh
   9  COORDINATED KDS CHANGE MK - Perform a coordinated KDS change master key

    When you select option 2, ICSF checks that the states of the registers are correct. ICSF then transfers the DES-MK master key from the new master key register to the master key register. This process sets the DES-MK master key.

    When ICSF attempts to set the DES-MK master key, it displays a message on the top right of the Master Key Management panel. The message indicates either that the master key was successfully set, or that an error prevented the completion of the set process.

    When you set the reentered DES-MK master key, the DES-MK master key that enciphers the existing CKDS now exists.

  6. You can now change the DES-MK master key, if you choose to, for security reasons. Continue with Steps for changing master keys.

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014