The pass phrase initialization utility lets the casual user of
ICSF install the necessary master keys on the cryptographic coprocessors
and initialize the CKDS and PKDS with minimal effort. This topic
describes how to use this utility to get up and running quickly.
Note: The pass phrase initialization utility is used to install the
master keys for CCA coprocessors only. The master key for Enterprise
PKCS #11 coprocessors can only be entered via a TKE workstation, as
explained in Managing Enterprise PKCS #11 Master Keys.
The pass phrase is case sensitive and should be chosen according
to these rules:
- It can contain a minimum of 16 and a maximum of 64 characters.
- It can include any characters in the EBCDIC character set.
- It can contain embedded blanks, but leading and trailing blanks
are truncated.
Important: The same pass phrase will always produce the
same master key values, and is therefore as critical and sensitive
as the master key values themselves. Make sure you save the pass phrase
so that you can later reenter it if needed (for example, if you need
to restore master key values that have been cleared). Because of the
sensitive nature of the pass phrase, make sure you secure it in a
safe place.
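A pre-check of a candidate pass phrase against the rules above, plus a comparison of a typed entry with the stored record, as an added example (not IBM or ICSF code). The function names and the `cp037` code page are assumptions; the page does not name a specific EBCDIC code page.

```python
import getpass
import hmac

MIN_LEN, MAX_LEN = 16, 64
# Assumption: cp037 stands in for the panel's EBCDIC code page; the page
# does not name one, so set this to your terminal's code page.
EBCDIC_CODEC = "cp037"


def normalize(entry: str) -> str:
    """Drop leading/trailing blanks; embedded blanks and case are kept."""
    return entry.strip(" ")


def check_pass_phrase(entry: str) -> tuple[str, list[str]]:
    """Return (effective phrase, rule violations) for a candidate entry."""
    effective = normalize(entry)
    errors = []
    if not MIN_LEN <= len(effective) <= MAX_LEN:
        errors.append(f"length {len(effective)} is outside {MIN_LEN}-{MAX_LEN}")
    bad = []
    for ch in effective:
        try:
            ch.encode(EBCDIC_CODEC)
        except UnicodeEncodeError:
            bad.append(ch)
    if bad:
        # Report a count only, so no part of the phrase reaches a log.
        errors.append(f"{len(bad)} character(s) not in {EBCDIC_CODEC}")
    return effective, errors


def same_entry(a: str, b: str) -> bool:
    """True if two entries are the same pass phrase (case-sensitive)."""
    return hmac.compare_digest(normalize(a).encode("utf-8"),
                               normalize(b).encode("utf-8"))


if __name__ == "__main__":
    # Read without echo; never pass the phrase on a command line.
    first = getpass.getpass("Pass phrase: ")
    second = getpass.getpass("Re-enter from the stored record: ")
    _, problems = check_pass_phrase(first)
    for p in problems:
        print("rule violation:", p)
    print("entries match" if same_entry(first, second) else "entries differ")
```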
The pass phrase initialization utility can:
- Initialize a system for the first time (Initialize system).
- Reinitialize a system where the master keys have been cleared
(Reinitialize system).
- Initialize a new system when migrating to a new server with an
existing CKDS and PKDS (Reinitialize system).
- Load the master keys on CCA coprocessors that are brought online
after system initialization (Add coprocessors).
- Add new master keys to the system after migrating to a newer server
(Add AES-MK or Add missing MKs).
You cannot use this utility to change master keys. To change
master keys, you need to use either the master key entry panels or
the TKE workstation.
If you plan on sharing your CKDS or PKDS within
your sysplex, refer to Running in a Sysplex Environment for important
information.
Starting with release HCR77A0, the DES master key may be 16 or
24 bytes long. If the DES master key – 24-byte key access
control point is enabled, the pass phrase initialization utility will
load a 24-byte value to the DES master key. A TKE workstation is required
to enable access control points.