Step 7. Customizing TKE and loading master keys

If you are not using TKE, proceed to the next step.

Process
TKE Administrators and Key Officers
  • Define Host IDs
  • Define Roles
  • Define coprocessor Authorities
  • Load New DES master key
  • Load New RSA master key
  • Set New RSA master key
    Note: The setting of the RSA master key is disabled if the system has a CEX3C or newer with the Sept. 2011 or later licensed internal code.
  • Load New AES master key if running on z10 or newer servers with a CCA Crypto Express coprocessor and the Nov. 2008 or later licensed internal code.
  • Load New ECC master key if running on z10 or newer servers with a CCA Crypto Express coprocessor and the Sept. 2011 or later licensed internal code.
Note: If you have more than one coprocessor, repeat the process for each, unless Groups have been defined.
Responsible
ICSF Administrator
  • Initialize CKDS and SET the DES and AES (if applicable) master keys
  • Initialize PKDS and SET the RSA and ECC (if applicable) master keys
  • Enable PKA Callable Services control
    Note: The PKA Callable Services control is disabled if the system has a CEX3C or newer with the Sept. 2011 or newer licensed internal code.
Where
TKE Workstation and ICSF Panels
Verify
In System Log (Systems with PCIXCC and PCICA):
 CSFM608I A CKDS KEY STORE POLICY IS NOT DEFINED.          
 CSFM608I A PKDS KEY STORE POLICY IS NOT DEFINED.          
 CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.     
 CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.       
 CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.       
 CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.           
 CSFM654I KEY ARCHIVING USE CONTROL IS DISABLED.
 CSFM015I FIPS 140 SELF CHECKS FOR PKCS11 SERVICES SUCCESSFUL.
 CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. PCI X CRYPTO COPROCESSOR X32, SERIAL NUMBER 93X06008.
 CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. PCI CRYPTO ACCELERATOR A33, SERIAL NUMBER N/A.
 CSFM133I THERE ARE NO ACTIVE PKCS11 COPROCESSORS.         
 CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CKDS IS NOT INITIALIZED.
 CSFM101E PKA KEY DATA SET, CSF.PKDS IS NOT INITIALIZED.    
 CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
*CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION.
 CSFM001I ICSF INITIALIZATION COMPLETE
Message CSFM111I will be issued for each active PCIXCC and PCICA.
In System Log (systems with Crypto Express coprocessors and accelerators):
 CSFM608I A CKDS KEY STORE POLICY IS NOT DEFINED.
 CSFM608I A PKDS KEY STORE POLICY IS NOT DEFINED.
 CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.      
 CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.        
 CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.        
 CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.            
 CSFM654I KEY ARCHIVING USE CONTROL IS DISABLED.
 CSFM015I FIPS 140 SELF CHECKS FOR PKCS11 SERVICES SUCCESSFUL.
 CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS2
   COPROCESSOR E32, SERIAL NUMBER 93X06008.
 CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS2
   ACCELERATOR F33, SERIAL NUMBER N/A.
 CSFM131E CRYPTOGRAPHY - DES SERVICES ARE NOT AVAILABLE.     
 CSFM131E CRYPTOGRAPHY - RSA SERVICES ARE NOT AVAILABLE.     
 CSFM131E CRYPTOGRAPHY - ECC SERVICES ARE NOT AVAILABLE.     
 CSFM131E CRYPTOGRAPHY - AES SERVICES ARE NOT AVAILABLE.     
 CSFM133I THERE ARE NO ACTIVE PKCS11 COPROCESSORS.
 CSFM131E CRYPTOGRAPHY - SECURE KEY PKCS11 SERVICES ARE NOT AVAILABLE.
 CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CKDS IS NOT INITIALIZED.
 CSFM101E PKA KEY DATA SET, CSF.PKDS IS NOT INITIALIZED.
 CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
*CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION.
 CSFM001I ICSF INITIALIZATION COMPLETE
Message CSFM111I will be issued for each active Crypto Express coprocessor and accelerator.

Message CSFM122I will not be issued when your system has any CEX3C or newer coprocessors (with the Sep. 2011 or later LIC) online. The PKA callable services control will not be active. The availability of RSA callable services will depend on the status of the RSA master key. CSFM130I is issued when the RSA master key is active and RSA callable services are available.

In System Log (Systems without coprocessors or accelerators):
 CSFM608I A CKDS KEY STORE POLICY IS NOT DEFINED.
 CSFM608I A PKDS KEY STORE POLICY IS NOT DEFINED.
 CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
 CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.
 CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.
 CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
 CSFM654I KEY ARCHIVING USE CONTROL IS DISABLED.
 CSFM015I FIPS 140 SELF CHECKS FOR PKCS11 SERVICES SUCCESSFUL.
 CSFM505I CRYPTOGRAPHY - THERE ARE NO ACTIVE CRYPTOGRAPHIC COPROCESSORS.
 CSFM131E CRYPTOGRAPHY - DES SERVICES ARE NOT AVAILABLE.
 CSFM131E CRYPTOGRAPHY - RSA SERVICES ARE NOT AVAILABLE.
 CSFM131E CRYPTOGRAPHY - ECC SERVICES ARE NOT AVAILABLE.
 CSFM131E CRYPTOGRAPHY - AES SERVICES ARE NOT AVAILABLE.
 CSFM133I THERE ARE NO ACTIVE PKCS11 COPROCESSORS.
 CSFM131E CRYPTOGRAPHY - SECURE KEY PKCS11 SERVICES ARE NOT AVAILABLE.
 CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CKDS IS NOT INITIALIZED.
 CSFM101E PKA KEY DATA SET, CSF.PKDS IS NOT INITIALIZED.
 CSFM507I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC COPROCESSORS ONLINE.
 CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE.
 CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
 CSFM001I ICSF INITIALIZATION COMPLETE
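
The following is an added example, not part of the IBM documentation: one way to extract what a listing like those above reports (active features, unavailable services, uninitialized key data sets), including CSFM111I messages that wrap onto a second line. It assumes the input has the message ID at the start of each line, as shown on this page; the function and variable names are hypothetical.

```python
import re

MSG = re.compile(r"^[\s*]*(CSFM\d{3}[A-Z])\s+(.*)$")
FEATURE = re.compile(r"FEATURE IS ACTIVE\. (.+?) (\w+), SERIAL NUMBER (\S+?)\.?$")
UNAVAILABLE = re.compile(r"CRYPTOGRAPHY - (.+) SERVICES ARE NOT AVAILABLE")
NOT_INIT = re.compile(r"DATA SET, (\S+) IS NOT INITIALIZED")

# Excerpt of the Crypto Express listing on this page, including wrapped messages.
SAMPLE_LOG = """\
 CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS2
   COPROCESSOR E32, SERIAL NUMBER 93X06008.
 CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS2
   ACCELERATOR F33, SERIAL NUMBER N/A.
 CSFM131E CRYPTOGRAPHY - DES SERVICES ARE NOT AVAILABLE.
 CSFM131E CRYPTOGRAPHY - SECURE KEY PKCS11 SERVICES ARE NOT AVAILABLE.
 CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CKDS IS NOT INITIALIZED.
 CSFM101E PKA KEY DATA SET, CSF.PKDS IS NOT INITIALIZED.
*CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION.
 CSFM001I ICSF INITIALIZATION COMPLETE
"""

def join_messages(text):
    """Return [(msg_id, body)], folding wrapped continuation lines into their message."""
    msgs = []
    for line in text.splitlines():
        m = MSG.match(line)
        if m:
            msgs.append([m.group(1), m.group(2).strip()])
        elif msgs and line.strip():
            msgs[-1][1] += " " + line.strip()
    return [tuple(m) for m in msgs]

def summarize(text):
    """Collect what the CSFM messages report; no judgement on whether it is expected."""
    state = {"features": [], "unavailable": [], "uninitialized": [],
             "pka_not_enabled": False, "init_complete": False}
    for msg_id, body in join_messages(text):
        if msg_id == "CSFM111I" and (m := FEATURE.search(body)):
            state["features"].append(m.groups())  # (feature type, ID, serial)
        elif msg_id == "CSFM131E" and (m := UNAVAILABLE.search(body)):
            state["unavailable"].append(m.group(1))
        elif msg_id in ("CSFM100E", "CSFM101E") and (m := NOT_INIT.search(body)):
            state["uninitialized"].append(m.group(1))
        elif msg_id == "CSFM122I":
            state["pka_not_enabled"] = True
        elif msg_id == "CSFM001I":
            state["init_complete"] = True
    return state

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
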
References

For information on managing master keys, refer to z/OS Cryptographic Services ICSF Administrator's Guide.

Completed