The Trusted Key Entry (TKE) workstation is an optional feature. It offers an alternative to clear key entry. You can use the TKE workstation to load:

• DES master key, AES master key, PKA master keys, and operational keys in a secure way. CCF only supports Operational Transport and PIN keys. On the PCIXCC/CEX2C, all operational keys may be loaded with TKE V4.1 or higher. AES master key and AES operational keys may be loaded with TKE V5.3. On the CEX3C, all operational keys may be loaded with TKE 6.0 or later.
• DES-MK and ASYM-MK master keys on the PCICC, PCIXCC, CEX2C, or CEX3C.
• AES master keys are only on z9 and z10 systems running with the Nov. 2008 or later licensed internal code (LIC).

You can load keys remotely and for multiple PCICCs, PCIXCCs, CEX2Cs, or CEX3Cs. The TKE workstation eases the administration for using one Cryptographic Coprocessor Feature or PCIXCC/CEX2C/CEX3C as a production machine and as a test machine at the same time, while maintaining security and reliability.

The TKE workstation can be used for enabling/disabling access control points for callable services executed on PCICCs, PCIXCCs, CEX2Cs, and CEX3Cs. See Appendix H. Access Control Points and Callable Services for additional information.

For complete details about the TKE workstation see z/OS Cryptographic Services ICSF TKE Workstation User’s Guide.

TKE Version 4.0 or higher is required if using a PCIXCC/CEX2C.

TKE Version 6.0 or higher is required is using a CEX3C.

On z890, z990 z9 EC, z9 BC, z10 EC and z10 BC systems running with May 2004 or higher version of Licensed Internal Code or an z9 EC, z9 BC, z10 EC and z10 BC with MCL 029 Stream J12220 or higher of Licensed Internal Code, you must enable TKE commands for each PCIXCC/CEX2C/CEX3C card from the Support Element. This is true for new TKE users and those upgrading from TKE V4.0 to V4.1, V4.2 or V5.x when the new LIC is installed. See Support Element Operations Guide and z/OS Cryptographic Services ICSF TKE Workstation User’s Guide for more information.