CCF only system

SMK equal to KMMK

  • Using Master Key Entry
    1. Start ICSF on a non-CCF system, pointing to the initialized CKDS/PKDS.

      You will see one or more of these messages depending on your system's cryptographic features: CSFM124I MASTER KEY xxx ON CRYPTO EXPRESSn COPROCESSOR xxnn, SERIAL NUMBER nnnnnnnn, NOT INITIALIZED.

    2. Using Master Key Entry, load the value of the CCF DES master key into the new DES-MK register. Load the value of the CCF SMK/KMMK master key into the new RSA-MK register. You will need the checksums for each of these values.
    3. If the non-CCF system has coprocessors (CEX3C or later) with the September, 2011 LIC or later, set the DES and RSA master keys using the SET MK utility.
    4. If the non-CCF system has coprocessors (CEX3C or earlier) without the September, 2011 LIC, do the following steps.
      • Set the DES master key using the SET MK utility.
      • The ASYM-MK will have already been set when the last master key value was entered.
      • Enable the Dynamic PKDS Access control and the PKA Callable Services control.
  • Using Pass Phrase Initialization
    1. Start ICSF on a non-CCF system, specifying the initialized CKDS and PKDS in the options data set.
    2. Using PPINIT, type in the same pass phrase used to initialize the CCF system, select the Reinitialize system option, and type in the CKDS and PKDS names.

SMK not equal to KMMK

Without a PCICC, the PKDS reencipher must be run on any CCA Cryptographic coprocessor. If it is not, the non-CCF system will not be able to use the tokens encrypted under the KMMK. This procedure requires that you switch between your CCF and non-CCF TSO sessions.
  • Using Master Key Entry

    If the non-CCF system has coprocessors (CEX3C or later) with the September, 2011 LIC or later, you must reencipher to the KMMK. On older systems, it does not matter whether you reencipher to the KMMK or the SMK.

    This procedure reenciphers to the KMMK.
    1. Start ICSF on a non-CCF system, pointing to the initialized CKDS and PKDS.
    2. Define an empty PKDS.
    3. Load the value of the CCF DES master key into the new DES-MK register. You will need the checksum.
    4. Set the DES master key using the SET MK utility.
    5. Load the value of the CCF SMK master key into the new RSA-MK register. You will need the checksum.
      If the non-CCF system has coprocessors (CEX3C or later) with the September, 2011 LIC or later, do the following steps:
      • Set the RSA-MK using the SET MK utility.
      • Load the value of the CCF KMMK master key into the new RSA-MK register. You will need the checksum.
      • Reencipher the active PKDS to the empty PKDS.
      • Change the RSA-MK using the CHANGE ASYM MK utility.
      If the non-CCF system has coprocessors (CEX3C or earlier) without the September, 2011 LIC, do the following steps:
      • Load the value of the CCF KMMK master key into the new RSA-MK register. You will need the checksum. The RSA-MK will be set automatically when the last key part is loaded.
      • Reencipher the active PKDS to the empty PKDS.
      • Refresh the new PKDS. Enable PKA Callable Services and Dynamic PKDS Access control.
    6. Update the options data set to point to the new PKDS.
    7. On the CCF system, disable PKA Callable Services.
    8. Reset the SMK register.
    9. Load the value of the CCF KMMK master key into the SMK register.
    10. Activate the new PKDS.
    11. Enable PKA Callable Services and Dynamic PKDS Access controls.
    12. Update the options data set to point to the new PKDS.
  • Using Pass Phrase Initialization
    1. On a CCF system, use the PPKEYS utility to get the clear key values of the SMK and KMMK from a pass phrase. You will need the checksum for each of these values.
    2. On a non-CCF system, start ICSF, pointing to the initialized CKDS and PKDS.
    3. Define an empty PKDS.
      If the non-CCF system has coprocessors (CEX3C or later) with the September, 2011 LIC or later, do the following steps:
      1. Using PPINIT, type in the same pass phrase used to initialize the CCF system, select the Reinitialize system option, and type in the CKDS and PKDS names.
      2. Using Master Key Entry, load the value of the CCF KMMK master key into the new RSA-MK register. You will need the checksum. Load a final key part of zeroes.
      3. Reencipher the PKDS to the empty PKDS.
      4. Change the RSA-MK using the CHANGE ASYM MK utility.
      5. Update the options data set to point to the new PKDS.
      6. On a CCF system, disable PKA Callable Services.
      7. Using Master Key Entry, reset the SMK register.
      8. Load the value of the KMMK into the SMK register. You can get the clear key value of the KMMK using the PPKEYS utility. You will need the KMMK checksum.
      9. Activate the new PKDS.
      10. Enable PKA Callable Services/Dynamic PKDS Access.
      11. Update the options data set to point to the new PKDS.
      If the non-CCF system has coprocessors (CEX3C or earlier) without the September, 2011 LIC, do the following steps:
      1. Using Master Key Entry, load the value of the CCF KMMK master key into the new RSA-MK register. You will need the checksum. Load a final key part of zeroes. The RSA-MK is automatically set when the final key part is loaded.
      2. Using PPINIT, type in the same pass phrase used to initialize the CCF system, select the Reinitialize system option, and type in the CKDS and PKDS names.
      3. Reencipher the PKDS to the empty PKDS.
      4. Refresh the new PKDS.
      5. Update the options data set to point to the new PKDS.
      6. On a CCF system, disable PKA Callable Services.
      7. Using Master Key Entry, reset the KMMK register.
      8. Load the value of the SMK into the KMMK register. You can get the clear key value of the SMK using the PPKEYS utility. You will need the SMK checksum.
      9. Activate the new PKDS.
      10. Enable PKA Callable Services/Dynamic PKDS Access.
      11. Update the options data set to point to the new PKDS.