PKA master keys protect private keys.
- On the Cryptographic Coprocessor Feature, there are two PKA master keys: the Signature Master
Key (SMK) and the RSA Key Management Master Key (KMMK). The SMK protects
PKA private keys used only in digital signature services. The KMMK
protects PKA private keys used in digital signature services and in
the DES DATA key distribution functions.
- On the PCI Cryptographic Coprocessor, PKA keys are protected by the Asymmetric-Keys Master
Key (ASYM-MK). The ASYM-MK is a triple-length DES key used
to protect PKA keys.

  In order for the PCI Cryptographic Coprocessor to function, the hash
  pattern of the ASYM-MK must match the hash pattern of the SMK on the
  Cryptographic Coprocessor Feature.
  The ICSF administrator installs the PKA master keys on the Cryptographic
  Coprocessor Feature and the ASYM-MK on the PCI Cryptographic Coprocessor
  by using either the pass phrase initialization routine, the Clear Master
  Key Entry panels, or the optional Trusted Key Entry (TKE) workstation.

  Prior to PKA services being enabled on the PCI Cryptographic Coprocessor,
  these conditions must be met:
  - The Symmetric-Keys Master Key (SYM-MK) must be installed on the PCI
    Cryptographic Coprocessor. It must match the Cryptographic Coprocessor
    Feature DES master key and match the master key that the CKDS was
    enciphered with.
  - The PKA master keys (SMK and KMMK) on the Cryptographic Coprocessor
    Feature must be installed and valid.
  - The ASYM-MK PKA master key on the PCI Cryptographic Coprocessor must be
    installed and valid.
  - The hash pattern of the ASYM-MK on the PCI Cryptographic Coprocessor
    must match the hash pattern of the SMK on the Cryptographic Coprocessor
    Feature.
  - The PKDS must be initialized with the PKA master keys installed on the
    Cryptographic Coprocessor Feature.
- On the PCI X Cryptographic Coprocessor, Crypto Express2 Coprocessor,
or Crypto Express3 Coprocessor, PKA keys are protected by the
Asymmetric-Keys Master Key (ASYM-MK). The ASYM-MK is a triple-length
DES key used to protect PKA private keys. On the PCIXCC, CEX2C and
CEX3C, the ASYM-MK protects RSA private keys. On the z196 with
a CEX3C, there are two PKA master keys: RSA and ECC. The RSA master
key is the same as the ASYM-MK. The ECC master key is a 256-bit AES
key used to protect ECC private keys.
- In order for PKA services to function on the PCIXCC,
  CEX2C, or CEX3C, the Asymmetric-Keys/RSA and/or ECC master keys must
  be installed. The ICSF administrator installs the master keys on the
  PCIXCC, CEX2C, or CEX3C by using either the pass phrase initialization
  routine, the Clear Master Key Entry panels, or the optional Trusted
  Key Entry (TKE) workstation.

  Prior to PKA services being enabled on the PCIXCC, CEX2C, or CEX3C,
  these conditions must be met:
  - The ASYM-MK/RSA and/or ECC master keys on the PCIXCC, CEX2C, or
    CEX3C must be installed.
  - The PKDS must be initialized with the ASYM-MK/RSA and/or ECC master
    keys installed on the PCIXCC, CEX2C, or CEX3C.