z/OS Cryptographic Services ICSF Administrator's Guide


Steps for running PPINIT on a CCF system

SA22-7521-17

The Pass Phrase MK/KDS Initialization panel appears. See Figure 11.

Figure 11. ICSF Pass Phrase MK/CKDS/PKDS Initialization Panel
 CSFPMC00 ------- ICSF - Pass Phrase MK/KDS Initialization ---
 Command ===>
 Enter your pass phrase and the names of the CKDS and PKDS:

 Pass Phrase (16 to 64 characters)
 ===>

 CKDS
 ===>

 PKDS
 ===>

 Initialize the CKDS and PKDS? (Y/N) ===> Y
 Signature MK = Key Management MK? (Y/N) ===> Y
 Initialize new PCICCs only? (Y/N) ===> N



 Press ENTER to process.
 Press END   to exit to the previous menu.

 
  1. Type the pass phrase and the data set names in the spaces that are provided. Make sure you save the pass phrase and store it in a secure place.

    The CKDS and PKDS names must be valid VSAM data sets.

    Notes:
    1. The same pass phrase will always produce the same master key values, and is therefore as critical and sensitive as the master key values themselves. Make sure you save the pass phrase so that you can later reenter it if needed (for example, if you need to restore master key values that have been cleared). Because of the sensitive nature of the pass phrase, make sure you secure it in a safe place.
    2. If you are reentering master keys when they have been cleared, use the same pass phrase as when you originally entered the keys.
  2. Answer the "Initialize the CKDS and PKDS?" question by typing your response in the space following the question.
    1. If the CKDS and PKDS have not been initialized, type Y.

      If you select Y, the CKDS and PKDS names must refer to a valid, uninitialized CKDS and PKDS.

    2. If this is an existing CKDS and PKDS, type N.

      If you select N, the CKDS and PKDS must have already been initialized with the pass phrase initialization utility and the identical pass phrase.

      ICSF checks and refreshes the existing CKDS.

  3. Answer the "Signature MK = Key Management MK?" question by typing your response in the space following the question.
    1. If you have a new system with PCI Cryptographic Coprocessors installed, type Y.

      The signature master key and the key management master key will have the same value as the ASYM master key on the PCI Cryptographic Coprocessors. This increases the flexibility in routing services among the cryptographic coprocessors.

    2. If you have previously used pass phrase initialization and you have PKA key tokens that are encrypted under a key management master key that cannot be recreated, type N.
    3. If neither of these two scenarios applies to you, type Y.
  4. Answer the "Initialize new PCICCs only?" question by typing your response in the space following the question.
    1. If you have already initialized your system with the Pass Phrase Initialization utility and now want to initialize new PCI cards, type Y.
    2. If this is the first time you are running the Pass Phrase Initialization Utility, type N.
    Figure 12. Entering Options on the Pass Phrase MK/KDS Initialization Panel
     CSFPMC00 --------- ICSF - Pass Phrase MK/KDS Initialization ----------------
    
     Enter your pass phrase and the names of the CKDS and PKDS:
    
     Pass Phrase (16 to 64 characters)
     ===> winnie the pooh and tigger too
    
     CKDS
     ===> 'CRYPTO.HCRICSF.CKDS'
    
     PKDS
     ===> 'CRYPTO.HCRICSF.PKDS'
    
     Initialize the CKDS and PKDS? (Y/N) ===> Y
     Signature MK = Key Management MK? (Y/N) ===> Y
     Initialize new PCICCs only? ===> N
     
  5. Press ENTER to run the utility.

    This utility uses the pass phrase, a series of constants, and the MD5 hash algorithm to:

    • Calculate the DES master key and load the new master key registers on the Cryptographic Coprocessor Features with the value.
    • Use the value of the DES master key as the value of the DES-MK key and load the new master key registers on the PCI Cryptographic Coprocessors with the value.
    • Calculate the PKA master keys and set the PKA signature master key register and the PKA key management master key register with these values. If you specified "Y" for the question about making the signature master key equal to the key management master key, then the value calculated for the key management master key will be used for both PKA master keys.
    • Use the value of the PKA signature master key as the value of the ASYM-MK and set the new asymmetric-keys master key registers on the PCI Cryptographic Coprocessors with the value.
    • Set the master key register.
    • Initialize the CKDS or refresh an existing CKDS.
    • Initialize the PKDS.

    For details of these calculations, refer to Pass Phrase Initialization master key calculations.

    Messages on the bottom half of the panel display the progress of the utility.

  6. When the utility has completed successfully, press END to return to the primary menu.
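
The determinism that Note 1 warns about, and the effect of the "Signature MK = Key Management MK?" answer, shown as an added Python illustration that is not part of the IBM guide. The derivation (MD5 over a hypothetical one-byte constant plus the pass phrase) is a simplified stand-in, not the ICSF calculation, whose constants and key lengths are in the referenced topic; `LABELS`, `derive` and `ppinit_model` are assumed names.

```python
import hashlib

# Hypothetical one-byte constants standing in for the "series of constants";
# the real values are not given on this page.
LABELS = {"DES": b"\x01", "KMMK": b"\x02", "SMK": b"\x03"}


def derive(pass_phrase: str, label: bytes) -> bytes:
    # Simplified stand-in: MD5(constant || pass phrase). No salt and no random
    # input, so the output depends on the pass phrase alone.
    # UTF-8 encoding is an assumption made for this illustration.
    return hashlib.md5(label + pass_phrase.encode("utf-8")).digest()


def ppinit_model(pass_phrase: str, sig_equals_km: bool = True) -> dict:
    """Model which registers receive which derived value."""
    if not 16 <= len(pass_phrase) <= 64:  # panel rule: 16 to 64 characters
        raise ValueError("pass phrase must be 16 to 64 characters")
    des = derive(pass_phrase, LABELS["DES"])
    kmmk = derive(pass_phrase, LABELS["KMMK"])
    # Answering Y reuses the key management value for the signature MK.
    smk = kmmk if sig_equals_km else derive(pass_phrase, LABELS["SMK"])
    return {
        "CCF DES MK": des,
        "PCICC DES-MK": des,      # same value as the CCF DES master key
        "PKA key management MK": kmmk,
        "PKA signature MK": smk,
        "PCICC ASYM-MK": smk,     # takes the signature master key value
    }


if __name__ == "__main__":
    phrase = "constructed sample pass phrase"  # constructed, not a real secret
    first = ppinit_model(phrase)
    again = ppinit_model(phrase)
    print("re-entry restores identical values:", first == again)
    split = ppinit_model(phrase, sig_equals_km=False)
    print("Y: SMK == KMMK:",
          first["PKA signature MK"] == first["PKA key management MK"])
    print("N: SMK == KMMK:",
          split["PKA signature MK"] == split["PKA key management MK"])
```

Because nothing but the pass phrase feeds the derivation, re-entering it restores every value in the mapping, which is why it needs the same protection as the master keys themselves.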





Copyright IBM Corporation 1990, 2014