z/OS Cryptographic Services ICSF Application Programmer's Guide


PKA Master Keys

SA22-7522-16

PKA master keys protect private keys.

  • On the Cryptographic Coprocessor Feature, there are two PKA master keys: the Signature Master Key (SMK) and the RSA Key Management Master Key (KMMK). The SMK protects PKA private keys used only in digital signature services. The KMMK protects PKA private keys used in digital signature services and in the DES DATA key distribution functions.
  • On the PCI Cryptographic Coprocessor, PKA keys are protected by the Asymmetric-Keys Master Key (ASYM-MK). The ASYM-MK is a triple-length DES key used to protect PKA keys.

    In order for the PCI Cryptographic Coprocessor to function, the hash pattern of the ASYM-MK must match the hash pattern of the SMK on the Cryptographic Coprocessor Feature. The ICSF administrator installs the PKA master keys on the Cryptographic Coprocessor Feature and the ASYM-MK on the PCI Cryptographic Coprocessor by using either the pass phrase initialization routine, the Clear Master Key Entry panels, or the optional Trusted Key Entry (TKE) workstation.

    Prior to PKA services being enabled on the PCI Cryptographic Coprocessor, these conditions must be met:

    • The Symmetric-Keys Master Key (SYM-MK) must be installed on the PCI Cryptographic Coprocessor. It must match the Cryptographic Coprocessor Feature DES master key and match the master key that the CKDS was enciphered with.
    • The PKA master keys (SMK and KMMK) on the Cryptographic Coprocessor Feature must be installed and valid.
    • The ASYM-MK PKA master key on the PCI Cryptographic Coprocessor must be installed and valid.
    • The hash pattern of the ASYM-MK on the PCI Cryptographic Coprocessor must match the hash pattern of the SMK on the Cryptographic Coprocessor Feature.
    • The PKDS must be initialized with the PKA master keys installed on the Cryptographic Coprocessor Feature.
  • On the PCI X Cryptographic Coprocessor (PCIXCC), Crypto Express2 Coprocessor (CEX2C), or Crypto Express3 Coprocessor (CEX3C), PKA keys are protected by the Asymmetric-Keys Master Key (ASYM-MK). The ASYM-MK is a triple-length DES key used to protect PKA private keys. On the PCIXCC, CEX2C, and CEX3C, the ASYM-MK protects RSA private keys. On the z196 with a CEX3C, there are two PKA master keys: RSA and ECC. The RSA master key is the same as the ASYM-MK. The ECC master key is a 256-bit AES key used to protect ECC private keys.
  • In order for PKA services to function on the PCIXCC, CEX2C, or CEX3C, the Asymmetric-Keys/RSA and/or ECC master keys must be installed. The ICSF administrator installs the master keys on the PCIXCC, CEX2C, or CEX3C by using either the pass phrase initialization routine, the Clear Master Key Entry panels, or the optional Trusted Key Entry (TKE) workstation.

    Prior to PKA services being enabled on the PCIXCC, CEX2C, or CEX3C, these conditions must be met:

    • The ASYM-MK/RSA and/or ECC master keys on the PCIXCC, CEX2C, or CEX3C must be installed.
    • The PKDS must be initialized with the ASYM-MK/RSA and/or ECC master keys installed on the PCIXCC, CEX2C, or CEX3C.





Copyright IBM Corporation 1990, 2014