Migrating to the Cryptographic Coprocessor

If you have worked with cryptography before, you might have a requirement to migrate from a previous cryptography product to the 4769 Cryptographic Coprocessor.

The IBM 4767 Cryptographic Coprocessor is no longer available, but it is still supported.

Migrating from the 4767 to the 4769:

If you are replacing your 4767 Cryptographic Coprocessor with the 4769 Cryptographic Coprocessor, ensure that the roles and profiles for the 4769 Coprocessor are set up similarly to those used with the 4767 Coprocessor. This includes configuring your "DFLT0000" role (4769) to be equivalent to your "DEFAULT " role (4767). For more information on defining roles and profiles, see Creating and defining roles and profiles. The 4764, 4765, 4767, and 4769 Cryptographic Coprocessors can all use the same CCA APIs and keystore files.

The goal in migrating from one cryptographic coprocessor to another is to set into the new coprocessor the same master key that currently resides in the old coprocessor, so that the new coprocessor can decrypt the keys that are encrypted under that master key. This goal is achieved by performing one of the following tasks.
  • Load and set the master key using known master key values. For more information on setting a master key, see Loading and setting a master key.
  • If the current master key values are not known and therefore cannot simply be loaded and set on the new coprocessor, a new master key must first be set on the old coprocessor and all keys encrypted with the master key must be re-encrypted under it. With the master key now known, you can load and set the same master key on the new coprocessor. For more information on setting a master key and re-encrypting keys with a new master key, see Loading and setting a master key.
  • A master key residing in the old coprocessor can be securely copied to the new coprocessor using a cloning method, without exposing the master key value. This method is used when the master key value must never be known to any person. For more information on cloning the master key to another coprocessor, see Cloning master keys.