If you intend to use the key entry panels to enter master keys, you need to generate and record these values when you begin:

• Key parts
• Checksums
• Verification patterns (optional)
• Hash patterns (optional)

The DES master key (DES-MK) is 16 bytes long. ICSF defines these master keys by exclusive ORing two or more key parts. Each of the master key parts is also 16 bytes long. To enter a DES-MK, you must enter a first key part and a final key part. If you choose to, you can also enter one or more intermediate key parts when entering the first key part and the final key part.

The AES master key (AES-MK) is 32 bytes long. ICSF defines these master keys by exclusive ORing two or more key parts.

The RSA master key (RSA-MK) is 24 bytes long. ICSF defines these master keys by exclusive ORing two or more key parts.

The ECC master key (ECC-MK) is 32-bytes long. ICSF defines these master keys by exclusive ORing two or more key parts. ECC master key support is available on the CEX3C.

If you are using ICSF to generate random numbers, generate a random number for each key part that you need to enter to create the master key.

A 16-byte key part consists of 32 hexadecimal digits. A 24-byte key part consists of 48 hexadecimal digits. To make this process easier, each part is broken into segments of 16 digits each. A 32-byte key part consists of 64 hexadecimal digits.

When you are manually entering the master key parts, you also enter a checksum that verifies whether you entered the key part correctly. A checksum is a two-digit result of putting a key part value through a series of calculations. The coprocessors calculate the checksum with the key part you enter and compare the one they calculated with the one you entered. The checksum verifies that you did not transpose any digits when entering the key part. If the checksums are equal, you have successfully entered the key.

When you enter a key part and its checksum for a DES-MK, the coprocessor calculates an eight-byte verification pattern and sixteen byte hash pattern. When you enter a key part and its checksum for a AES-MK, the coprocessor calculates an eight-byte verification pattern. When you enter a key part and its checksum for the RSA-MK, the coprocessor calculates a sixteen-byte verification pattern. When you enter a key part and its checksum for an ECC-MK, the coprocessor calculates an eight-byte verification pattern.

Before the verification and hash patterns can be calculated, the DES-MK master key must have been set.

The ICSF Master Key Entry panel displays the verification pattern. Check that the displayed verification pattern against the option verification pattern you may have generated at the time you generated the AES, DES, ECC, or RSA master key parts. The verification pattern checks whether you entered the key part correctly, and whether you entered the correct key type.

ICSF displays a verification and/or hash pattern for each master key part. It also displays a verification and/or hash pattern for the master key when you enter all the key parts. If the verification and hash patterns are the same, you have entered the key parts correctly.

To generate the value for a key part, you can use one of these methods:

• Choose a random number yourself.
• Access the ICSF utility panels to generate a random number.
• Call the random number generate callable service. For more information, see z/OS Cryptographic Services ICSF Application Programmer’s Guide.
  Note:

  ICSF must be initialized with a DES-MK or AES-MK master key to use the random number generate callable service or the Random Number Generator panel.

Steps for generating key parts using ICSF utilities

1. Access ICSF utilities by choosing option 5, UTILITY, on the Primary Menu panel, as shown in Figure 77.
   Figure 77. Selecting the Utility Option on the ICSF Primary Menu Panel

    CSF@PRIM --------- Integrated Cryptographic Service Facility ---------
    OPTION ===> 5
   
    Enter the number of the desired option.
   
      1  COPROCESSOR MGMT    -  Management of Cryptographic Coprocessors
      2  MASTER KEY MGMT     -  Master key set or change, CKDS/PKDS processing
      3  OPSTAT              -  Installation options
      4  ADMINCNTL           -  Administrative Control Functions
      5  UTILITY             -  ICSF Utilities
      6  PPINIT              -  Pass Phrase Master Key/KDS Initialization
      7  TKE                 -  TKE Master and Operational key processing
      8  KGUP                -  Key Generator Utility processes
      9  UDX MGMT            -  Management of User Defined Extensions
   
   
          Licensed Materials - Property of IBM
   
         5694-A01 (C) Copyright IBM Corp. 1990, 2011. All rights reserved.
         US Government Users Restricted Rights - Use, duplication or
         disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
   
    Press ENTER to go to the selected option.
    Press END   to exit to the previous menu.
    

   The Utilities panel appears. See Figure 78. You use the RANDOM and CHECKSUM options to generate random numbers, checksums, and verification patterns for master key management.

   Figure 78. ICSF Utilities Panel

    CSFUTL00 ---------------- ICSF - Utilities --------------------------
    OPTION ===> 3
   
   
    Enter the number of the desired option.
   
      1  ENCODE        -  Encode data
      2  DECODE        -  Decode data
      3  RANDOM        -  Generate a random number
      4  CHECKSUM      -  Generate a checksum and verification and
                          hash pattern
      5  PPKEYS        -  Generate master key values from a pass phrase
      6  PKDSKEYS      -  Manage keys in the PKDS 
    

2. Choose option 3, RANDOM, to access the Random Number Generator panel, shown in Figure 79.
   Figure 79. ICSF Random Number Generator Panel

    CSFRNG00 ---------------- ICSF - Random Number Generator -------------
    COMMAND ===>
   
   
    Enter data below:
   
      Parity Option  ===> RANDOM            ODD, EVEN, RANDOM
      Random Number1    : 0000000000000000  Random Number 1
      Random Number2    : 0000000000000000  Random Number 2
      Random Number3    : 0000000000000000  Random Number 3
      Random Number4    : 0000000000000000  Random Number 4 
    

3. To select the parity of the random numbers, enter ODD, EVEN, or RANDOM next to Parity Option and press ENTER.

   The DES-MK master key is forced to have odd parity, regardless of the parity option you select for each key part. Parity is not checked for AES, ECC, or PKA master keys.

   A random 16-digit number appears in each of the Random Number fields. You can use each of these random numbers for a segment of a key part.

   The DES master key uses random numbers 1 and 2. The PKA master key uses random numbers 1 through 3. The AES and ECC master keys use random numbers 1 through 4.

   Figure 80. ICSF Random Number Generator Panel with Generated Numbers

    CSFRNG00 ---------------- ICSF - Random Number Generator -------------
    COMMAND ===>
   
   
    Enter data below:
   
      Parity Option  ===> RANDOM            ODD, EVEN, RANDOM
      Random Number1    : 51ED9CFA90716CFB  Random Number 1
      Random Number2    : 58403BFA02BD13E8  Random Number 2
      Random Number3    : 9B28AEFA8C47760F  Random Number 3
      Random Number4    : 8453313235ABF69C  Random Number 4 
    

4. When you end the utility panels and access the Master Key Part Entry panel, the key parts you generated are transferred automatically to the Master Key Part Entry panels. For this reason, you will not need to enter the key parts on the Master Key Part Entry panels.

   Although the key parts are automatically transferred to the Master Key Entry panels, make sure you record the random numbers and store them in a safe place. You must have these numbers in case you ever need to reenter the master key values. If you ever need to restore a master key that has been cleared for any reason, you will need the key part values.

5. Press END to return to the Utilities panel.
6. Continue with Steps for generating a checksum, verification pattern, or hash pattern for a key part.

Steps for generating a checksum, verification pattern, or hash pattern for a key part

You can use the Utilities panel to generate a checksum and either an optional verification pattern or an optional hash pattern for a key part. You can use this panel to generate a checksum for a key part even if ICSF has not been initialized.

Follow these steps to generate the checksum and the optional verification pattern or hash pattern for a key part.

1. Select option 4, CHECKSUM, on the ICSF Utilities panel as shown in Figure 81.
   Figure 81. Selecting the Checksum Option on the ICSF Utilities Panel

    CSFUTL00 ---------------- ICSF - Utilities -------------------------
    OPTION ===> 4
   
   
    Enter the number of the desired option above.
   
      1  ENCODE        -  Encode data
      2  DECODE        -  Decode data
      3  RANDOM        -  Generate a random number
      4  CHECKSUM      -  Generate a checksum and verification and
                          hash patterns
      5  PPKEYS        -  Generate master key values from a pass phrase  
      6  PKDSKEYS      -  Manage keys in the PKDS 
    

   The Checksum and Verification and Hash Pattern panel appears. See Figure 82.

   Figure 82. ICSF Checksum and Verification and Hash Pattern Panel

    CSFMKV00 ------------ ICSF - Checksum and Verification and Hash Pattern -----
    COMMAND ===>
   
   
    Enter data below:
   
     Key Type      ===>                   (Selection panel displayed if blank)
   
     Key Value     ===> 51ED9CFA90716CFB  Input key value 1
                   ===> 58403BFA02BD13E8  Input key value 2
                   ===> 9B28AEFA8C47760F  Input key value 3 (AES & ECC & RSA Keys)
                   ===> 8453313235ABF69C  Input key value 4 (AES & ECC Keys only)   
   
   
     Checksum         : 00                Check digit for key value
     Key Part VP      : 0000000000000000  Verification Pattern
     Key Part HP      : 0000000000000000  Hash Pattern
                      : 0000000000000000
   
    

   If you accessed the Random Number Generator panel prior to this panel, the random numbers that are generated appear automatically in the Key Value fields.

2. If you did not use the Random Number Generator panel to generate random numbers, enter the numbers for which you want to create checksum, verification pattern, or hash patterns into the key value fields. Because these will be the key part values you will specify in the Master Key Entry panels, make sure you record the numbers.
3. In the Key Type field, specify either:
   • MASTER or DES-MK to generate a checksum and hash and verification pattern for a DES master key part
   • AES-MK to generate a checksum and verification pattern for an AES master key part
   • RSA-MK or PKAMSTR to generate a checksum and verification pattern for an RSA master key part
   • ECC-MK to generate a checksum and verification pattern for an ECC master key part.

   If you leave the Key Type field blank and press ENTER, the Key Type Selection panel appears. See Figure 83.

   Figure 83. Key Type Selection Panel Displayed During Hardware Key Entry

    CSFMKV10 ------------- ICSF - Key Type Selection Panel ---- ROW 1 to 9 OF 9
    COMMAND ===>                                               SCROLL ===> PAGE
   
    Select one key type only
        KEY TYPE      DESCRIPTION
       AES-MK     AES Master key
       DES-MK     DES Master key  
       ECC-MK     ECC Master key
       EXPORTER   Export key encrypting key
       IMP-PKA    Limited authority importer key
       IMPORTER   Import key encrypting key
       IPINENC    Input PIN encrypting key
   s   MASTER     DES Master key
       OPINENC    Output PIN encrypting key
       PINGEN     PIN generation key
       PINVER     PIN verification key
       PKAMSTR    PKA/Asymmetric Master key
       RSA-MK     RSA Master key
    ***************************** BOTTOM OF DATA *****************************
    

4. Type 'S' to the left of the MASTER key type, and press ENTER to return to the Checksum and Verification Pattern panel as shown in Figure 84.

   In this example, we have selected the DES-MK master key.

   Figure 84. ICSF Checksum and Verification Pattern Panel

    CSFMKV00 ------ ICSF - Checksum and Verification and Hash Pattern ---
    COMMAND ===>
   
   
    Enter data below:
   
   Key Type      ===> MASTER            (Selection panel displayed if blank)
   
      Key Value     ===> 51ED9CFA90716CFB  Input key value 1
                    ===> 58403BFA02BD13E8  Input key value 2
                    ===> 0000000000000000  Input key value 3 (AES & ECC & RSA Keys)
                    ===> 0000000000000000  Input key value 4 (AES & ECC Keys only)
   
      Checksum         : 40                   Check digit for key part
      Key Part VP      : 0CCE190A635A6C89  Verification Pattern
      Key Part HP      : EA58E51179754FB7  Hash Pattern
                       : C102957465CE479E

5. Record the checksum, verification pattern, and hash pattern.

   Save these values in a secure place along with the key part values in case of a tamper. If the PCIXCC, CEX2C, or CEX3C detects tampering, it clears the master key, and you have to reenter the same master key again.

6. Press END to return to the Utilities panel.
7. Press END again to return to the ICSF Primary menu.

Continue with the appropriate topic for steps to enter the master key part you have just generated.

• If you have generated the first master key part, continue with Steps for entering the first master key part.
• If you have generated an intermediate master key part, continue with Steps for entering intermediate key parts.
• If you have generated a final master key part, continue with Steps for entering the final key part.