In this scenario, this task must be performed sequentially by both key administrators using their different smart cards.
About this task
This task must be performed by the involved key administrators, each holding the smart card on which their key part is independently stored.
Procedure
In the Trusted Key Entry application, open the host and the desired cryptographic coprocessor (actions Open Host and Open Crypto Module) to reach the Crypto Module Administration dialog. Then select the domain in which to set the AES master key.
Click on the Domains tab and then click on your domain on the right side (Figure 1). In this document, the domain with index 26 is used on the attached coprocessor. Domains are assigned during LPAR definition on the Support Element (SE).
When clicking on index 26, the window for domain 26 opens as shown in Figure 2.
Figure 1. Domain selection for setting the master key
Press the Keys button at the lower edge of the dialog from Figure 2.
Figure 2. Setting master key on selected domain
The window shown in Figure 3 opens. In this scenario, you generate two key parts for an AES master key:
Key part 1 is generated by the key administrator who owns the TKE smart card for role CCAFst with authority 20.
Key part 2 is generated by the key administrator who owns the TKE smart card for role CCAMl1 with authority 21.
Select the key type AES Master Key from Figure 3, and from the context
menu, select Generate multiple key parts to… -> Smart card.
Figure 3. Generate multiple key parts on a smart card
You are now guided through the process by a series of prompts.
Enter the number of key parts to be generated for the final master key.
Figure 4. Enter the total number of key parts to be generated
Press OK on the Generate Key Part message dialog.
Figure 5. Generate first key part
Create the first master key part and place it on the smart card that has the authority
signature key for authority 20 (for role CCAFst).
Insert this smart card into reader 1.
You are now asked whether you want to use the same smart card reader for the whole process. Select No in Figure 6, because in this scenario you use two different smart card readers.
Figure 6. Use the same smart card reader for the entire process
Then the wizard prompts you to insert the smart card for key part 1 into reader 1 and to enter the smart card PIN.
Enter a key part description.
Figure 7. Enter key part description
Pressing Continue displays a confirmation about the successful creation of the key part.
Now the second key administrator is guided through the same dialogs to create key part 2 on that administrator's smart card.
Note: Make sure to use smart card reader 2 for the second and third key parts.
After pressing OK when saving the second key part, the program returns to the Crypto Module Administration dialog.
Results
The smart cards now contain the signature key and key parts needed to perform a key load operation. You can verify the generated key parts on the smart cards using the Smart Card Utility Program (File -> Display smart card information).
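As an added illustration that is not TKE or CCA code: the key parts generated by the two administrators above are combined at key load time by XOR (the way CCA master key parts are combined), so the card of either administrator alone determines nothing about the final master key. The Python model below (the names KeyPart, generate_key_parts, combine_key_parts and part_completing are assumptions of this example) enforces the dual-control checks a loader should make, using the page's roles CCAFst/authority 20 and CCAMl1/authority 21 as sample holders, and shows why one card reveals nothing.

```python
import os
from dataclasses import dataclass

AES_MK_BYTES = 32  # a CCA AES master key part is 256 bits long

@dataclass(frozen=True)
class KeyPart:
    """One key part as stored on one administrator's smart card (a model, not TKE data)."""
    index: int        # position in the generated sequence (1..n)
    role: str         # role of the card's signature key, e.g. CCAFst / CCAMl1
    authority: int    # authority index on that card, e.g. 20 / 21
    description: str  # the description entered in the wizard (Figure 7)
    value: bytes

def generate_key_parts(holders, description="AES MK part"):
    """Generate one random part per (role, authority) holder, each destined for its own card."""
    return [KeyPart(i + 1, role, auth, f"{description} {i + 1}", os.urandom(AES_MK_BYTES))
            for i, (role, auth) in enumerate(holders)]

def combine_key_parts(parts):
    """Model of the later key load: the final master key is the XOR of all parts.
    Dual control is enforced: at least two parts, each held by a distinct authority,
    and the indices must form the complete sequence 1..n (nothing missing or repeated)."""
    if len(parts) < 2:
        raise ValueError("dual control requires at least two key parts")
    if len({p.authority for p in parts}) != len(parts):
        raise ValueError("every key part must be held by a different authority")
    if sorted(p.index for p in parts) != list(range(1, len(parts) + 1)):
        raise ValueError("key part sequence incomplete or duplicated")
    if any(len(p.value) != AES_MK_BYTES for p in parts):
        raise ValueError("key part has wrong length")
    master_key = bytes(AES_MK_BYTES)
    for p in parts:
        master_key = bytes(a ^ b for a, b in zip(master_key, p.value))
    return master_key

def part_completing(candidate_master_key, known_parts):
    """Return the one value the single missing part would need for the known parts to
    combine into candidate_master_key. Such a value exists for every candidate, so the
    parts already present reveal nothing about the final key: the last card is essential."""
    missing = bytes(candidate_master_key)
    for p in known_parts:
        missing = bytes(a ^ b for a, b in zip(missing, p.value))
    return missing
```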