Entering master key parts

z/OS Cryptographic Services ICSF Administrator's Guide

Entering master key parts

z/OS Cryptographic Services ICSF Administrator's Guide
SA22-7521-17

You can use the Master Key Entry panels to enter clear master key parts. The way you obtain master key parts depends on the security guidelines in your enterprise. You may receive master key parts from a key distribution center or you may generate your own key parts using the ICSF random number utility.

Important:

Regardless of how you get the master key parts, make sure the key parts are recorded and saved in a secure location. When you are entering the key parts for the first time, be aware that you may need to reenter these same key values at a later date to restore master key values that have been cleared.

When you enter the RSA master key (RSA-MK) the first time, the PKA callable services control is initially disabled. Once you have entered the RSA-MK and initialized the PKDS, the PKA callable services control will be enabled automatically. When you change the RSA-MK, you need to disable the PKA callable services control. To enable and disable the PKA callable services control refer to Steps for enabling and disabling PKA callable services and PKDS updates.

Note:

If your system has any CEX3C coprocessors with the Sep. 2011 or later LIC, the PKA callable services control will not be active.

To enter master key parts that you do not generate using the random number utility, continue with Steps for entering the first master key part.

To begin master key entry by generating random numbers for the key parts, continue with Generating master key data for master key entry.

Notices | Terms of use | Support | Contact z/OS | zFavorites