Table of Contents (exploded view)
Cryptographic Services ICSF Trusted Key Entry Workstation User's Guide
Summary of changes
Changes made in z/OS Version 2 Release 2 as updated April 2017
Changes made in z/OS Version 2 Release 2
Changes made in z/OS V2R1 as updated April 2015
Changes made in z/OS V2R1 as updated February 2015
Changes made in z/OS Version 2 Release 1, as updated December 2013
Changes made in z/OS V2R1
Changes made in z/OS Version 1 Release 13, as updated September 2012
Changes made in z/OS Version 1 Release 13
Changes made in z/OS Version 1 Release 12
Overview
Trusted Key Entry components
TKE hardware
TKE software
Supported host cryptographic card features
Host crypto module
TKE concepts and mechanisms
Integrity
Authorities
Authority signature key
Authority default signature key
Roles
Administrators
Crypto module OA signature key
Command signatures
Command signatures for CCA host crypto modules
Command signatures for EP11 host crypto modules
Key-exchange protocol
Domain controls and domain control points
TKE operational considerations
Logically partitioned (LPAR) mode considerations
Multiple hosts
Multiple TKE workstations
Defining your security policy
TKE enablement
Trusted Key Entry console
Trusted Key Entry console navigation
TKE workstation crypto adapter roles and profiles
Authority checking on the TKE
Types of profiles
Initializing a TKE workstation crypto adapter
Initial adapter conditions
Initial adapter conditions on new TKE workstations
Initial adapter conditions on upgraded TKE workstations
Verify current crypto adapter settings
IBM-supplied roles and profiles on TKE workstation crypto adapters
Initializing for use with smart card profiles
Initializing for use with passphrase profiles
Roles and profiles definition files
Role definition files
IBM-supplied role definition files
Customer-defined role definition files
Profile definition files
IBM-supplied profile definition files
Customer-defined profile definition files
IBM-supplied role access control points (ACPs)
ACP considerations for user-defined roles
ACPs assigned to IBM-supplied roles
Using smart cards with TKE
Terminology
Preparation and planning
Using the OmniKey smart card reader
Smart card compatibility issues
Applet version
Zone key length
Smart card usage
Datakey card usage
Zone concepts
Authentication and secure communication
Zone creation
CA smart cards
Zone description
Zone identifier (ID)
Multiple zones
Enrolling an entity
TKE smart cards
EP11 smart cards
Steps to set up a smart card installation
TKE migration and recovery installation
Using files from a TKEDATA DVD-RAM on a TKE 7.2 or later system
Copying files to the TKE 7.0 or TKE 7.1 hard drive
Copying files to a USB flash memory drive while on a TKE 7.0 or TKE 7.1 system
General migration information
Upgrading an existing TKE workstation to TKE 8.1
Migrating TKE Version 5.x, 6.0, 7.x, 8.0 to a new workstation at TKE 8.1
Overview of the migration process
Step 1: Collecting data from the source TKE workstation
Option 1: Using the TKE Workstation Setup wizard to collect data about roles and profiles
Procedure for TKE 8.0 or later using the cryptographic node management utility
Procedure for TKE 7.3 or later using the TKE workstation setup wizard
Option 2: Using the Cryptographic Node Management (CNM) utility to collect data about roles and profiles
Step 2: Performing a frame roll installation
Step 3: Completing the workstation setup
Option 1: Using the single-step method to complete workstation setup
Option 2: Using the multiple-step method to complete workstation setup
Recovery installation
TKE setup and customization
TKE TCP/IP setup
TKE host transaction program setup
Cancel the TKE server
TKE workstation setup and customization
The TKE Workstation Setup wizard
Overview of the TKE Workstation Setup wizard
Wizard tasks to load and save customer-defined roles and profiles
Running the TKE Workstation Setup wizard
Configuring TCP/IP
Customize network settings
Customize console date and time
Initializing the TKE workstation crypto adapter
Initializing the TKE workstation crypto adapter for use with passphrase profiles
Initializing the TKE workstation crypto adapter for use with smart card profiles
TKE workstation crypto adapter post-initialization tasks
Verifying that the function control vector (FCV) has been loaded
Reloading the function control vector
Changing the passwords for IBM-supplied passphrase profiles created on the TKE workstation crypto adapter
Loading previously created user-defined roles and profiles from role and profile definition files
Creating new user-defined roles and profiles
Loading a known master key instead of using the randomly generated key
Redefining the DEFAULT role when the TKE workstation crypto adapter has been initialized for use with smart card profiles
Adding new ACPs to existing roles using the Migrate Roles utility
TKE 7.1 role migration considerations
TKE 7.1 role migration considerations for IBM-supplied roles
TKE 7.1 role migration considerations for customer-defined roles
TKE 7.3 role migration considerations for customer-defined roles
TKE 8.0 role migration considerations for customer-defined roles
TKE 8.1 role migration considerations for customer-defined roles
Customize the TKE application
Configure 3270 emulators
Using an SSL 3270 emulation session
Configuring the TKE workstation to use SSL for 3270 emulation
Adding a 3270 emulator session
TKE up and running
Crypto adapter logon: passphrase or smart card
Passphrase and passphrase group logon
Smart card and smart card group logon
Automated crypto module recognition
Authenticating host crypto modules
Initial authorities
Backing up files
Host file to back up
Main window
Working with hosts
Creating a host
Changing host entries
Deleting host entries
Logging on to a host
Closing a host
Understanding crypto modules and domain groups
Working with crypto modules
Working with domain groups
Creating a domain group
Changing a domain group
Viewing a domain group
Checking domain group overlap
Comparing groups
TKE functions supporting domain groups
Crypto module groups
Function menu
Load signature key
Unload signature key
Display signature key information
Define transport key policy
Exit
Exit and logoff
Utilities menu
Manage workstation DES keys
Deleting an entry
Manage workstation PKA keys
Deleting an entry
Manage workstation AES keys
Deleting an entry
Manage smart card contents
Copy smart card contents
Copy binary file key part
TKE customization
Using the Crypto Module Notebook to administer CCA crypto modules
Notebook mode
Crypto Module Notebook function menu
Tabular pages
Crypto Module Notebook General tab
Intrusion latch
Crypto Module Notebook Details tab
Crypto Module Notebook Roles tab
Dual-signature commands
Domain access
Creating or changing a role
Deleting a role
Using Guided Create Roles
Crypto Module Notebook Authorities tab
Generating authority signature keys
Create authority
Change authority
Delete authority
Using Guided Create Authorities
Crypto Module Notebook Domains tab
Domain General page
Zeroize domain
Domain Keys page
Master keys - AES, ECC (APKA), DES, or RSA
Generate single key part
Generate multiple key parts
Generate a set of master key parts
Load single key part
Load from TKE smart card
Load from keyboard
Load from binary file
Load all key parts from
Load all new master keys
Clear
Set
Set, immediate
Coordinated change master keys and CKDS (AES and DES master keys only)
Coordinated change master keys and PKDS (ECC (APKA) and RSA master keys only)
Operational keys
Generate single key part
Generate multiple key parts
Load single key part
Load first DES operational key part
Add DES operational key part
Complete DES operational key part
AES operational keys and HMAC operational keys
Load all key parts
View
Clear
DES operational key: Load to Key Storage
AES operational key: Load to Key Storage
Secure key part entry
RSA keys
Generate RSA Key
Encipher RSA Key
Load RSA Key to PKDS
Load RSA key to host dataset
Domain Controls pages
Working with Domain Controls settings
ISPF Services
Coprocessor Configuration
API Cryptographic Services
UDXs
Access Control Tracking
Domain Decimalization Tables page
Load table
Activate or Activate All
Delete or Delete All
Domain Restricted PINs page
Crypto Module Notebook Co-Sign tab
Host crypto module index values
Using the Crypto Module Notebook to administer EP11 crypto modules
Notebook mode
Imprint mode
Crypto Module Notebook Function menu
Tabular pages
Crypto Module Notebook Module General tab
Intrusion latch
Crypto Module Notebook Module Details tab
Crypto Module Notebook Module Administrators tab
Generate signature key
Add administrator
Remove administrator
Crypto Module Notebook Module Attributes tab
Crypto Module Notebook Domains tab
Domain General page
Domain Administrators page
Domain Attributes page
Domain Keys page
Generate key part
Load new master key
Coordinated change master key and TKDS
Secure key part entry
Domain Control Points page
Auditing
TKE Audit Configuration utility
Service Management auditing functions
View security logs
Audit and log management
Archive security logs
TKE Audit Record Upload Configuration utility
Starting the TKE Audit Record Upload Configuration utility
Configure TKE for audit data upload
Uploading audit records
Enabling and disabling automatic audit record upload
Managing keys using TKE and ICSF
Changing master keys
Adding host crypto modules after ICSF initialization
Loading operational keys to the CKDS
Installing RSA keys in the PKDS from a data set
Cryptographic Node Management utility (CNM)
Crypto adapter logon
File menu
Crypto Node menu
TKE crypto adapter clock-calendar
Read clock-calendar
Synchronize clock-calendar
Access Control menu
Managing roles
Creating a new role or role definition
Editing a role on the TKE workstation crypto adapter
Opening a role definition file
Making changes to a role or role definition file
Managing profiles
Creating a new profile or profile definition
Editing a profile on the TKE workstation crypto adapter
Opening a profile definition file
Making changes to a profile or profile definition file
Making changes to a passphrase profile or passphrase profile definition file
Making changes to a smart card profile or smart card profile definition file
Making changes to a group profile or group profile definition file
Master Key menu
Auto Set and Create Random Master Key
Clear new
Parts — Loading a new master key from clear key parts
Smart card parts — generating master key parts to a smart card
Smart card parts — loading master key parts from a smart card
Set — setting the master key value
Verify — verifying the master key
Key Storage menu
Reenciphering key storage
Smart card menu
Change PIN
Generate TKE crypto adapter logon key
Display smart card details
Manage smart card contents
Copy smart card
CNM common errors
Smart Card Utility Program (SCUP)
General information
File menu functions
Display smart card information
Display smart card key identifiers
CA smart card menu functions
Initialize and personalize the CA smart card
Back up a CA smart card
Change PIN of a CA smart card
TKE smart card menu functions
Initialize and enroll a TKE smart card
Personalize a TKE smart card
Unblock PIN on a TKE smart card
Change PIN of a TKE smart card
EP11 smart card menu functions
Initialize and enroll an EP11 smart card
Personalize an EP11 smart card
Unblock PIN on an EP11 smart card
Change PIN of an EP11 smart card
Crypto adapter menu functions
Enroll a TKE cryptographic adapter
Local crypto adapter enrollment
Remote crypto adapter enrollment
Formatting a USB flash memory drive for Trusted Key data (task 1)
Creating a remote zone enrollment request (task 2)
Processing the remote zone enrollment request (task 3)
Completing the remote zone enrollment (task 4)
View current zone
Secure key part entry
Steps for secure key part entry
Steps for secure key part entry for a TKE smart card
Steps for secure key part entry for an EP11 smart card
Entering a key part on the smart card reader
LPAR considerations
Trusted Key Entry - workstation crypto adapter initialization
Cryptographic Node Management Batch Initialization
CCA CLU (Code Load utility)
CLU processing
Checking coprocessor status
Loading coprocessor code
Validating coprocessor code
Checking system status
Resetting coprocessor
Removing coprocessor CCA code and zeroizing CCA
Help menu
Clear RSA key format
Trusted Key Entry applications and utilities
Using USB flash memory drives with TKE applications and utilities
Begin zone remote enroll process
CCA CLU
Complete zone remote enroll process
Configure Displayed Hash Size
z/OS Enhanced Password Encryption Policy
Configure Printers
Cryptographic Node Management batch initialization
Cryptographic Node Management utility
Edit TKE files
Migrate Roles utility
Smart Card Utility Program
TKE Audit Configuration utility
TKE Audit Record Upload Configuration utility
TKE File Management utility
TKE workstation code information
Configuration migration
Migrate IBM Host Crypto Module Public Configuration Data
Configuration migration tasks
Signature collection
Window actions
Instructions for migrating key material
OA proxy
Smart card applet level for configuration migration
Service Management tasks
Analyze console internal code
Archive security logs
Authorize internal code changes
Backup critical console data
Change console internal code
Change password
Password requirements
Customize scheduled operations
Format media
Audit and log management
Hardware messages
Lock console
Manage print screen files
Network diagnostic information
Rebuild vital product data
Offload virtual RETAIN data to removable media
Password protect console
Save/restore customizable console data
Save upgrade data
Shutdown or restart
Transmit console service data
Users and tasks
View console events
View console information
View console service history
View console tasks performed
View licenses
View security logs
TKE best practices
Checklist for loading a TKE machine - passphrase
Checklist for loading a TKE machine - smart card
TKE hardware support and migration information
TKE release and feature codes available by CEC levels
Smart card readers and smart cards orderable by TKE release
TKE (LIC) upgrade paths
Host cryptographic modules managed by TKE