Migrating to the Cryptographic Coprocessor
If you have worked with cryptography before, you might have a requirement to migrate from a previous cryptography product to the 4769 Cryptographic Coprocessor.
The IBM 4767 Cryptographic Coprocessor is no longer available, but it is still supported.
Migrating from the 4767 to the 4769:
If you are replacing your 4767 Cryptographic Coprocessor with the 4769 Cryptographic Coprocessor, then ensure that the roles and profiles for the 4769 Coprocessor are set up similarly to those used with the 4767 Coprocessor. This includes configuring your "DFLT0000" role (4769) to be equivalent to your "DEFAULT " role (4767). For more information on defining roles and profiles see Creating and defining roles and profile. The 4764, 4765, 4767, and 4769 Cryptographic Coprocessors can all use the same CCA APIs and keystore files.
- Load and set the master key using known master key values. For more information on setting a master key, see Loading and setting a master key.
- If the current master key values are not known and therefore cannot be simply loaded and set on the new coprocessor, then a new master key must first be set on the old coprocessor and all keys encrypted with the master key must be re-encrypted. With the master key now known, you can load and set the master key on the new coprocessor. For more information on setting a master key and re-encrypting keys with a new master key, see Loading and setting a master key.
- A master key residing in the old coprocessor can be securely copied to the new coprocessor without exposing the master key value using a cloning method. This method is used when no human knowledge of the master key can be known. For more information on cloning the master key to another coprocessor, see Cloning master keys.