You can use the ICSF panels to view the status of the cryptographic coprocessor key registers, the master key verification patterns, and other information about the cryptographic hardware. You can use this information for master key management.

When you enter and activate an AES, DES, ECC or RSA master key, you change the status of the registers. The cryptographic facility contains three key registers: one for the old master key, one for the new, and one for the current. The current master key register contains the active master key. The old master key is not lost when a new master key is loaded.
To display coprocessor hardware status:

- From the Coprocessor Management panel, select the coprocessors to be processed by typing an 'S'.

Figure 1. Selecting the coprocessor on the Coprocessor Management Panel

CSFGCMP0 ---------------- ICSF Coprocessor Management -------- Row 1 to 7 of 7
COMMAND ===>

Select the cryptographic features to be processed and press ENTER.
Action characters are: A, D, E, K, R, and S. See the help panel for details.

   CRYPTO   SERIAL
   FEATURE  NUMBER    STATUS                 AES  DES  ECC  RSA  P11
   -------  --------  ---------------------  ---  ---  ---  ---  ---
.  4C00     16BA6173  Active                  I    A    A    A
.  4C01     16BA6174  Master key incorrect    I    A    C    E
.  4C02     16BA6175  Master key incorrect    I    A    C    E
.  4A03     N/A       Active
.  4C04     16BA6199  Deactivated
.  4P05     16BA6200  Active                                      A
.  4P06     16BA6201  Master key incorrect                        U
******************************* Bottom of data ********************************
- Depending on the coprocessor type, one of two different Hardware Status panels appears. Panel CSFCMP40 is displayed for CCA coprocessors (Figure 2). When more than two coprocessors are requested, the status display can be scrolled down to show the other coprocessors. You can scroll down using PFKey 8 and up using PFKey 7.

Figure 2. Coprocessor Hardware Status Panel

CSFCMP40 ----------- ICSF - Coprocessor Hardware Status ----------------
OPTION ===>

CRYPTO DOMAIN: 8

REGISTER STATUS                 COPROCESSOR 4C02
Crypto Serial Number          : 42-K0111
Status                        : ACTIVE
AES Master Key
  New Master Key register     : EMPTY
    Verification pattern      :
  Old Master Key register     : VALID
    Verification pattern      : BF494FF74B86343F
  Current Master Key register : VALID
    Verification pattern      : 2058C870E9D3194F
DES Master Key
  New Master Key register     : EMPTY
    Verification pattern      :
    Hash pattern              :
                              :
  Old Master Key register     : VALID
    Verification pattern      : 1D08F1C67A1B709A
    Hash pattern              : 2B0C723D1AB9C948
                              : E9C9E32E7FF3B7F4
  Current Master Key register : VALID
    Verification pattern      : CA6B408A02371B1D
    Hash pattern              : DF3A50AE35466123
                              : 96EF557E8BD074C1
ECC Master Key
  New Master Key register     : EMPTY
    Verification pattern      :
  Old Master Key register     : VALID
    Verification pattern      : 9999999999999999
  Current Master Key register : VALID
    Verification pattern      : 9999999999999999
RSA Master Key
  New Master Key register     : EMPTY
    Verification pattern      :
                              :
  Old Master Key register     : VALID
    Verification pattern      : EF4C65754B5088C2
                              : 2D03480BC7B952B2
  Current Master Key register : VALID
    Verification pattern      : E83F158521FEEA23
                              : 986CC9483DAFD711
The coprocessor hardware status fields on this panel contain this information:

- CRYPTO DOMAIN: This field displays the value that is specified for the DOMAIN keyword in the installation options data set at ICSF startup. This is the domain in which your system is currently working. It specifies which one of several separate sets of master key registers you can currently access. A system programmer can use the DOMAIN keyword in the installation options data set to specify the domain value to use at ICSF startup. For more information, see the DOMAIN installation option.
- Crypto Serial Number: The serial number of the coprocessor.
- Status: This field displays the status of the coprocessor. The status can be one of these:
  - ACTIVE: The verification pattern for the DES-MK matches the verification pattern of the CKDS. Requests for services can be routed to the coprocessor.
  - ONLINE: The coprocessor is online. The DES-MK verification pattern does not match the verification pattern in the CKDS. Requests for services cannot be routed to the coprocessor.
- DES Master Key
  - New Master Key Register: This field shows the state of the DES new master key register. This key register can be in any of these states:
    - EMPTY: You have not entered any key parts for the initial master key, or you have just transferred the contents of this register into the master key register. Or you have RESET the registers. Or you have zeroized the domain from a TKE workstation or the Support Element.
    - PART FULL: You have entered one or more key parts but not the final key part.
    - FULL: You have entered an entire new master key, but have not transferred it to the master key register yet.
  - Verification Pattern: When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same. If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the NMK verification patterns for each unit should match, because the patterns verify the same key.
  - Hash Pattern: If the master key register is not EMPTY, the panel displays a hash pattern for the key. When you enter a new master key, record the hash pattern that appears on the panel. When the master key becomes active, you can compare the hash patterns to ensure that the one you entered and set is in the master key register. If your system is using multiple cryptographic coprocessors, you enter the same master key into all units. If the status of the new master key registers is valid, the master key register hash patterns for each unit should match, because the patterns verify the same key.
  - Old Master Key register: This field shows the state of the DES old master key register.
    - EMPTY: You have never changed the master key and, therefore, never transferred a master key to the old master key register. Or you have zeroized the domain from a TKE workstation or the Support Element.
    - VALID: You have changed the master key. The master key that was current when you changed the master key was placed in the old master key register.
  - Verification Pattern: When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same. If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the DES-MK verification patterns for each unit should match, because the patterns verify the same key.
  - Hash Pattern: If the master key register is not EMPTY, the panel displays a hash pattern for the key. When you enter a new master key, record the hash pattern that appears on the panel. When the master key becomes active, you can compare the hash patterns to ensure that the one you entered and set is in the master key register. If your system is using multiple cryptographic coprocessors, you enter the same master key into all units. If the status of the new master key registers is valid, the master key register hash patterns for each unit should match, because the patterns verify the same key.
  - Current Master Key register: This field shows the state of the DES master key register.
    - EMPTY: You have never entered and set an initial symmetric master key. Or you have zeroized the domain from a TKE workstation or the Support Element.
    - VALID: You have entered a new symmetric master key on this coprocessor and chosen either the set or change option.
  - Verification Pattern: When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same. If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the NMK verification patterns for each unit should match, because the patterns verify the same key.
  - Hash Pattern: If the master key register is not EMPTY, the panel displays a hash pattern for the key. When you enter a new master key, record the hash pattern that appears on the panel. When the master key becomes active, you can compare the hash patterns to ensure that the one you entered and set is in the master key register. If your system is using multiple cryptographic coprocessors, you enter the same master key into all units. If the status of the new master key registers is valid, the master key register hash patterns for each unit should match, because the patterns verify the same key.
- AES Master Key
  - New Master Key Register: This field shows the state of the new master key register. This key register can be in any of these states:
    - EMPTY: You have not entered any key parts for the initial master key, or you have just transferred the contents of this register into the master key register. Or you have RESET the registers. Or you have zeroized the domain from a TKE workstation or the Support Element.
    - PART FULL: You have entered one or more key parts but not the final key part.
    - FULL: You have entered an entire new master key, but have not transferred it to the master key register yet.
  - Verification Pattern: When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same. If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the NMK verification patterns for each unit should match, because the patterns verify the same key.
  - Old Master Key register: This field shows the state of the AES old master key register.
    - EMPTY: You have never changed the master key and, therefore, never transferred a master key to the old master key register. Or you have zeroized the domain from a TKE workstation or the Support Element.
    - VALID: You have changed the master key. The master key that was current when you changed the master key was placed in the old master key register.
  - Verification Pattern: When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same. If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the AES-MK verification patterns for each unit should match, because the patterns verify the same key.
  - Current Master Key register: This field shows the state of the AES master key register.
    - EMPTY: You have never entered and set an initial symmetric master key. Or you have zeroized the domain from a TKE workstation or the Support Element.
    - VALID: You have entered a new symmetric master key on this coprocessor and chosen either the set or change option.
  - Verification Pattern: When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same. If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the NMK verification patterns for each unit should match, because the patterns verify the same key.
- ECC Master Key
  - New Master Key Register: This field shows the state of the new master key register. For the CEX2C or CEX3C, there can be an old, new and current master key. This key register can be in any of these states:
    - EMPTY: You have not entered any key parts for the initial master key, or you have just transferred the contents of this register into the master key register. Or you have RESET the registers. Or you have zeroized the domain from a TKE workstation or the Support Element.
    - PART FULL: You have entered one or more key parts but not the final key part.
    - FULL: You have entered an entire new master key, but have not transferred it to the master key register yet.
  - Verification Pattern: When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same. If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the NMK verification patterns for each unit should match, because the patterns verify the same key.
  - Old Master Key register: This field shows the state of the ECC old master key register.
    - EMPTY: You have never changed the master key and, therefore, never transferred a master key to the old master key register. Or you have zeroized the domain from a TKE workstation or the Support Element.
    - VALID: You have changed the master key. The master key that was current when you changed the master key was placed in the old master key register.
  - Verification Pattern: When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same. If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the ECC-MK verification patterns for each unit should match, because the patterns verify the same key.
  - Current Master Key register: This field shows the state of the ECC master key register.
    - EMPTY: You have never entered and set an initial symmetric master key. Or you have zeroized the domain from a TKE workstation or the Support Element.
    - VALID: You have entered a new symmetric master key on this coprocessor and chosen either the set or change option.
  - Verification Pattern: When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same. If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the NMK verification patterns for each unit should match, because the patterns verify the same key.
- RSA Master Key
  - New Master Key register: This field shows the state of the RSA new master key register. This key register can be in any of these states:
    - EMPTY: You have not entered any key parts for the initial RSA master key, or you have just transferred the contents of this register into the RSA master key register. Or you have RESET the registers. Or you have zeroized the domain from a TKE workstation or the Support Element.
    - PART FULL: You have entered one or more key parts but not the final key part.
  - Verification Pattern: If the master key register is not EMPTY, a verification pattern is displayed.
  - Old Master Key register: This field shows the state of the RSA old master key register.
    - EMPTY: You have never changed the RSA master key and, therefore, never transferred an RSA master key to the RSA old master key register. Or you have zeroized the domain from a TKE workstation or the Support Element.
    - VALID: You have changed the RSA master key. The RSA master key that was current when you changed the master key was placed in the RSA old master key register.
  - Verification Pattern: If the old asymmetric master key register is valid, the panel displays a verification pattern for the RSA old master key.
  - Current Master Key register: This field shows the state of the RSA master key register.
    - EMPTY: You have never entered an initial RSA master key on the coprocessor. Or you have zeroized the domain from a TKE workstation or the Support Element.
    - VALID: You have entered a new RSA master key on this coprocessor.
  - Verification Pattern: If the RSA master key registers are valid, the panel displays a verification pattern for the key. When you enter a new RSA master key, record the verification pattern that appears on the panel. When the RSA master key becomes active, you can compare the verification patterns to ensure that the one you entered and set is in the master key register. The RSA master key must be the same on all the PCI X cards. If the status of all these cryptographic coprocessors is valid, the MK verification patterns for each unit should match, because the patterns verify the same key.

Note: An audit trail of the verification patterns that the PCIXCC, CEX2C, or CEX3C calculates appears in SMF record type 82.
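The cross-unit comparison that the Verification Pattern fields above call for, as an added example that is not part of the ICSF documentation or product: it parses the register and pattern lines in the CSFCMP40 panel layout (Figure 2) for several coprocessors and reports any unit whose current master key register is not VALID, or any key type whose current verification pattern differs between units. The panel text, the unit 4C03 and its patterns are constructed sample input, not a capture from a real system.

```python
"""Added example (not ICSF code): parse CSFCMP40 text and cross-check master key VPs."""
import re

# Constructed sample panels (AES and RSA sections only). 4C02 carries the
# figure's patterns; 4C03 is a hypothetical unit whose current AES-MK differs.
PANELS = {
    "4C02": """\
AES Master Key
 New Master Key register     : EMPTY
  Verification pattern       :
 Current Master Key register : VALID
  Verification pattern       : 2058C870E9D3194F
RSA Master Key
 Current Master Key register : VALID
  Verification pattern       : E83F158521FEEA23
                              : 986CC9483DAFD711
""",
    "4C03": """\
AES Master Key
 New Master Key register     : FULL
  Verification pattern       : 2058C870E9D3194F
 Current Master Key register : VALID
  Verification pattern       : 1111111111111111
""",
}

KEY_RE = re.compile(r"^(\w+) Master Key$")
REG_RE = re.compile(r"^(New|Old|Current) Master Key register\s*:\s*(\S+.*)$")
# A pattern line, or a bare ':' line continuing the previous pattern (RSA wraps).
PAT_RE = re.compile(r"^(?:(Verification|Hash) pattern)?\s*:\s*([0-9A-F]*)$")

def parse_panel(text):
    """Return {key_type: {register: {'state': str, 'Verification': hex, 'Hash': hex}}}."""
    result, key, reg, last = {}, None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := KEY_RE.match(line):
            key = result.setdefault(m.group(1), {})
        elif m := REG_RE.match(line):
            reg = key.setdefault(m.group(1), {"state": m.group(2).strip()})
        elif m := PAT_RE.match(line):
            last = m.group(1) or last
            reg[last] = reg.get(last, "") + m.group(2)
    return result

def check_current_keys(panels):
    """Report units whose current register is not VALID, and key types whose
    VALID current-key verification patterns differ between units."""
    findings, by_type = [], {}
    for unit, text in panels.items():
        for key_type, regs in parse_panel(text).items():
            cur = regs.get("Current", {"state": "MISSING"})
            if cur["state"] != "VALID":
                findings.append(f"{unit} {key_type}: current register {cur['state']}")
                continue
            by_type.setdefault(key_type, {}).setdefault(cur["Verification"], []).append(unit)
    for key_type, units_by_vp in by_type.items():
        if len(units_by_vp) > 1:
            findings.append(f"{key_type}: current master key differs: {units_by_vp}")
    return findings
```

Run against the two sample panels, the check reports the AES mismatch and nothing for RSA; in the sample, 4C03's NEW register already holds the key whose pattern matches 4C02, which is the situation to expect part-way through a coordinated master key change.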
Panel CSFCMP41 is displayed for an Enterprise PKCS #11 coprocessor. It is similar to panel CSFCMP40, except that there is only one master key type, the P11 master key, with two registers instead of three:

- The "New Master Key register": valid states are EMPTY, FULL UNCOMMITTED, or FULL COMMITTED
- The "Current Master Key register": valid states are EMPTY or VALID

Figure 3. PKCS #11 Coprocessor Hardware Status Panel

CSFCMP41 -------- ICSF - PKCS #11 Coprocessor Hardware Status ------------
OPTION ===>

CRYPTO DOMAIN: 8

REGISTER STATUS                 COPROCESSOR 4P08
Crypto Serial Number          : 97006090
Status                        : ACTIVE
Compliance Mode               : FIPS: 2011
                              : BSI: 2009
P11 Master Key
  New Master Key register     : EMPTY
    Verification pattern      :
                              :
  Current Master Key register : VALID
    Verification pattern      : 2058C870E9D3194F
                              : 4FE11A79AB122EB2