Scenario: Creating a test node

In this scenario, a single programmer sets up a node to allow unlimited access to cryptographic services.

Important: The resulting cryptographic node must not be considered secure because under this scenario many sensitive commands are permitted with unrestricted use.

Prerequisites: You must have already installed an appropriate level of the Java™ Runtime Environment (JRE) or the Java Development Kit (JDK).

To create a test node, complete the following steps:

  1. Install the coprocessor and the IBM® Cryptographic Coprocessor Support Program as described in Installing the Support Program.
  2. Start the CCA Node Management utility by entering the csufcnm command. The CNM utility logo and the main panel are displayed.
  3. If you have more than one coprocessor with CCA installed, specify to the CNM utility which coprocessor you want to use. From the Crypto Node menu, select Select Adapter. A list of available adapter numbers (1 - 8) is displayed. Select an adapter (coprocessor) from the list. If you do not use the Select Adapter list to select an adapter, the default adapter (coprocessor) is used.
  4. Synchronize the clock within the coprocessor and host computer. From the Crypto Node menu, click Time. From the resulting submenu, click Set. The clocks are synchronized.
  5. Use the CNM utility to permit all commands in the DEFAULT role:
    1. From the Access Control menu, click Roles.
    2. Highlight the DEFAULT entry and click Edit. A window displays the commands that are enabled and those that are not enabled by the DEFAULT role.
    3. Click Permit All.
    4. Load the modified role back into the coprocessor by clicking Load, then click OK.
    5. Save a copy of the role by clicking Save and naming the role.
  6. Load the function-control vector (FCV) into the coprocessor. From the Crypto Node menu, click Authorization. From the resulting submenu, click Load to specify and load the FCV.

    The FCV file is the one that was placed on your server during the installation process. FCVs usually have file names such as fcv_td4kECC521.crt and can be located using the file search utility available with your operating system.

  7. Install a master key. From the Master Key menu, click either DES / PKA Master Keys or AES Master Keys, and click Yes. The coprocessor generates and sets a random master key.

    The master key that was installed with the Auto Set option has actually passed through the main memory of your system processor as key parts. For production purposes, use a more secure method of establishing a master key, such as random generation or installation of known key parts entered by two or more individuals. These options are also accessed from the menus mentioned previously.

  8. Initialize the key storage files. For information on initializing the key storage files, see Creating or initializing key storage.

    Key storage is a CCA term that describes a place where the Support Program can store Data Encryption Standard (DES), Rivest-Shamir-Adleman algorithm (RSA), and Advanced Encryption Standard (AES) cryptographic keys under names that you (or your applications) define. If you intend to use key storage, you must initialize the key storage file or files that correspond to the type of keys that you are using: DES, RSA (PKA), or AES. For example, if you intend to use only DES keys, you must initialize the DES key storage file but not the others. If you intend to use DES and PKA keys, you must initialize the DES and PKA key storage files but not the AES key storage file. If you intend to use all three, you must initialize all three.