CCA token

A CCA token is a secure key token. Any key generation is processed inside an IBM® cryptographic coprocessor. A clear key is generated and wrapped by a master key which resides only within the cryptographic coprocessor. The clear key is then deleted and is never visible outside the coprocessor. The wrapped clear key is called a secure key and can only be unwrapped by using the master key within the coprocessor. Secure keys can safely be stored on a system, because they cannot be used for decrypting or encrypting without the master key.

A list of PKCS #11 mechanisms supported by the CCA token is provided, as well as information about the purpose and use of the pkcscca tool.

Prerequisites for using a CCA token:

As a prerequisite for an operational CCA token, the CCA library (also called the CCA host library in other documentation) must be installed (see Figure 3).

Additionally, a running CCA token requires certain types of master keys to be set on the applicable cryptographic adapters:

  • Up to openCryptoki 3.15: AES, SYM, and ASYM master keys are required.
  • Starting with openCryptoki 3.15: AES, SYM, and APKA master keys are required.

To query the master key verification pattern of available keys for any master-key register in the current domain, use the panel.exe utility and issue a command similar to the following:

$ panel.exe --mk-query --mktype=SYM --mkregister=CURRENT

where --mktype can be one of [ASYM|SYM|AES|APKA] and --mkregister must be CURRENT to query the information from the currently active master key.

Alternatively, use the ivp.e utility, which you can invoke without any arguments. It verifies an installation and, among other things, reports the current master keys for all available CEX*C features on the system.

For AES and APKA master keys, you can also find the master key verification patterns in sysfs using the following command:

$ cat /sys/bus/ap/devices/<card>.<domain>/mkvps
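
The sysfs check above can be scripted so that every CCA queue is verified before the token is configured. The following shell script is an added example and is not part of the openCryptoki or CCA documentation; it assumes that mkvps prints one line per register in the form "AES CUR: valid 0x<pattern>" (with "-" in place of the state and pattern when no key is loaded), which is a constructed format for this example, and it treats a queue whose mkvps carries no AES line (for example an EP11 queue) as not a CCA queue.

```shell
#!/bin/sh
# Added example: verify the master-key prerequisite for an openCryptoki 3.15+
# CCA token (AES and APKA current registers loaded) by parsing the sysfs
# mkvps attribute of every AP queue.
# Assumed mkvps line format (constructed for this example):
#   "AES CUR: valid 0x<16 hex digits>"   or   "APKA CUR: - -" when not loaded.
set -e

# cca_mk_state FILE
# Prints "ok <aes-mkvp> <apka-mkvp>" when both current registers are valid,
# "missing" when the queue is CCA but a master key is not loaded, and
# "non-cca" when the attribute has no AES line (for example an EP11 queue).
# Returns 0 only in the "ok" case.
cca_mk_state() {
    grep -q '^AES CUR:' "$1" || { echo non-cca; return 1; }
    aes=$(awk '$1 == "AES"  && $2 == "CUR:" && $3 == "valid" { print $4 }' "$1")
    apka=$(awk '$1 == "APKA" && $2 == "CUR:" && $3 == "valid" { print $4 }' "$1")
    if [ -n "$aes" ] && [ -n "$apka" ]; then
        echo "ok $aes $apka"
    else
        echo missing
        return 1
    fi
}

# check_all_queues SYSFS_DIR
# Walks SYSFS_DIR/<card>.<domain>/mkvps, prints one status line per queue and
# returns 0 only when at least one CCA queue has both master keys loaded.
check_all_queues() {
    found=1
    for f in "$1"/*.*/mkvps; do
        [ -r "$f" ] || continue          # unmatched glob or unreadable entry
        q=$(basename "$(dirname "$f")")   # e.g. 02.0005
        state=$(cca_mk_state "$f") && found=0
        echo "$q: $state"
    done
    return $found
}

# Usage on a live system: sh check_cca_mk.sh /sys/bus/ap/devices
if [ "$#" -eq 1 ]; then
    check_all_queues "$1"
fi
```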

For information on how to install the CCA library and on how to use the panel.exe and ivp.e utilities, read Secure Key Solution with the Common Cryptographic Architecture Application Programmer's Guide.

Note: The CCA token directory must not reside on an NFS or CIFS file system; it must be located on a file system that supports the flock() function, which manages file locks.