Managing the master keys
A master key is used to encrypt local-node working keys while they are stored external to the coprocessor.
CCA defines three master-key registers:
- The current-master-key register stores the master key currently used by the coprocessor to encrypt and decrypt local keys.
- The old-master-key register stores the previous master key and is used to decrypt keys enciphered by that master key.
- The new-master-key register is an interim location that stores master-key information as it is accumulated to form a new master key.
The IBM Common Cryptographic Architecture (CCA) Support Program uses three sets of master-key registers: one set for ciphering DES (symmetric) keys, one set for ciphering PKA private (asymmetric) keys, and one set for ciphering AES (symmetric) keys.
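As an added illustration, not code from the CCA Support Program or from IBM, the following Go program models one set of the three registers described above (the AES set, say) to show why the old-master-key register exists and what a roll-over does to it. Two things are assumptions rather than statements from this page: key parts are combined by XOR as they are loaded into the new-master-key register, and wrapping a working key is modelled as AES-256-GCM with the nonce prefixed to the token. CCA's actual key-token format, verbs and key-part handling are not reproduced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// MasterKeySet models one set of CCA master-key registers (constructed, not CCA code).
type MasterKeySet struct {
	current []byte // current-master-key register: wraps and unwraps local keys
	old     []byte // old-master-key register: unwraps keys under the previous MK
	new     []byte // new-master-key register: accumulates parts of the next MK
}

// LoadNewPart XORs a 32-byte key part into the new-master-key register
// (assumption: parts combine by XOR, so no single part reveals the key).
func (s *MasterKeySet) LoadNewPart(part []byte) error {
	if len(part) != 32 {
		return errors.New("key part must be 32 bytes")
	}
	if s.new == nil {
		s.new = make([]byte, 32)
	}
	for i := range part {
		s.new[i] ^= part[i]
	}
	return nil
}

// SetMasterKey promotes new -> current and current -> old, then clears new.
// The old register's previous value is discarded: keys still wrapped under it are lost.
func (s *MasterKeySet) SetMasterKey() error {
	if s.new == nil {
		return errors.New("new-master-key register is empty")
	}
	s.old, s.current, s.new = s.current, s.new, nil
	return nil
}

// Wrap enciphers a working key under the current master key as AES-GCM,
// token = nonce || ciphertext || tag (CCA's real key-token format differs).
func (s *MasterKeySet) Wrap(workingKey []byte) ([]byte, error) {
	gcm, err := newGCM(s.current)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, workingKey, nil), nil
}

// Unwrap tries the current register, then old, and reports which one worked;
// an "old" result means the token must be re-enciphered before the next roll-over.
func (s *MasterKeySet) Unwrap(token []byte) ([]byte, string, error) {
	if pt, err := open(s.current, token); err == nil {
		return pt, "current", nil
	}
	if pt, err := open(s.old, token); err == nil {
		return pt, "old", nil
	}
	return nil, "", errors.New("token not enciphered under current or old master key")
}

// Reencipher rewraps a token under the current master key.
func (s *MasterKeySet) Reencipher(token []byte) ([]byte, error) {
	pt, _, err := s.Unwrap(token)
	if err != nil {
		return nil, err
	}
	return s.Wrap(pt)
}

func open(mk, token []byte) ([]byte, error) {
	gcm, err := newGCM(mk)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(token) < ns {
		return nil, errors.New("token too short")
	}
	return gcm.Open(nil, token[:ns], token[ns:], nil)
}

// newGCM returns an "invalid key size" error for an empty (nil) register.
func newGCM(mk []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(mk)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```

The sequence worth walking through with this model: load parts and call SetMasterKey once, wrap a working key, then load parts and call SetMasterKey again. The token now unwraps only through the old register, which is the signal to call Reencipher. After a third SetMasterKey the first master key is gone from all three registers, so any token that was never re-enciphered can no longer be recovered.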
Notes:
- The Master_Key_Distribution master-key-administration verb does not support AES master keys. Programs that use the CCA Master_Key_Process and Master_Key_Distribution master-key-administration verbs can use the ASYM-MK keyword to steer operations to the PKA asymmetric master-key registers, the SYM-MK keyword to steer operations to the DES symmetric master-key registers, or steer operations to both the DES symmetric and the PKA asymmetric sets of master-key registers. The CNM utility uses the BOTH option. If you use another program to load master keys and that program operates specifically on either the SYM-MK or the ASYM-MK master-key registers, you will in general no longer be able to use the CNM utility to administer those master keys. AES master keys work independently of the DES and PKA master keys.
- If your installation has multiple cryptographic coprocessors loaded with CCA, you need to independently administer the master keys in each coprocessor.
- If your installation has a server with multiple cryptographic coprocessors that are loaded with CCA, those coprocessors need to be installed with identical master keys.