Prerequisites

On your Linux® host system, you must install the CCA RPM or DEB package, which contains a Linux TKE daemon. This daemon must be running and ready to receive TKE requests. Also, you must enable the involved coprocessor to perform TKE commands.

You need to start the catcher.exe program, the Linux TKE daemon that handles administrative commands between the TKE and the cryptographic coprocessors. You can use the CSUTKEcat system initialization script to control the daemon via systemctl. This script starts the catcher.exe daemon automatically when Linux starts. You can also use it to start or stop catcher.exe from the command line. To start catcher.exe, use the command:

# systemctl start CSUTKEcat.service

You must ensure that the firewall of your Linux system allows access to catcher.exe on port 50003, because this daemon listens for TKE commands on this port. These commands are translated into ioctl commands, which communicate with the zcrypt device driver.

To verify whether the catcher.exe daemon is running on your system, enter the following command and look for the daemon in the output list:

# ps ax  

...
 9689 ?        Ss     0:11 /opt/IBM/CCA/bin/catcher.exe
...
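
The start, firewall and verification steps above can be combined into one pre-flight check. The following is an added example, not IBM-supplied code: the function names are hypothetical, it assumes the daemon listens on TCP and that `ss` from iproute2 is installed, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: pre-flight check for the Linux TKE daemon (not IBM-supplied code).
TKE_PORT=50003                          # port named on this page (TCP is assumed)
CATCHER=/opt/IBM/CCA/bin/catcher.exe    # path as shown in the ps output above

# Reads `ps ax` output on stdin; succeeds only if the COMMAND column (field 5)
# is the daemon binary itself, so a "grep catcher.exe" process does not count.
catcher_running() {
    awk -v bin="$CATCHER" '$5 == bin { found = 1 } END { exit !found }'
}

# Reads `ss -ltn` output on stdin; prints each local address listening on
# TKE_PORT. A wildcard address (0.0.0.0, [::] or *) means the host firewall is
# the only control limiting which peers can reach the daemon.
listen_addrs() {
    awk -v port="$TKE_PORT" '$1 == "LISTEN" {
        n = split($4, part, ":")
        if (part[n] == port) print $4
    }'
}

# Live check for the host itself; call it on the system running the daemon.
tke_preflight() {
    systemctl is-active --quiet CSUTKEcat.service ||
        { echo "CSUTKEcat.service is not active" >&2; return 1; }
    ps ax | catcher_running ||
        { echo "catcher.exe not found in process list" >&2; return 1; }
    addrs=$(ss -ltn | listen_addrs)
    [ -n "$addrs" ] ||
        { echo "nothing is listening on TCP port $TKE_PORT" >&2; return 1; }
    echo "catcher.exe is listening on: $addrs"
}

# Constructed sample input, so the parsers can be exercised offline.
SAMPLE_PS=' 9689 ?        Ss     0:11 /opt/IBM/CCA/bin/catcher.exe
 9911 pts/0    S+     0:00 grep catcher.exe'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      5            0.0.0.0:50003     0.0.0.0:*'

printf '%s\n' "$SAMPLE_PS" | catcher_running && echo "sample: daemon running"
echo "sample listeners: $(printf '%s\n' "$SAMPLE_SS" | listen_addrs)"
```

On the Linux host, run `tke_preflight` as root after starting CSUTKEcat.service; it checks the local listener only, so the firewall rule for port 50003 still has to be confirmed separately.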

This description shows how to set a master key on a cryptographic coprocessor that is running in CCA mode. From the support element (SE), you must first enable such coprocessors to perform TKE commands.

To do so, log on to the appropriate support element. Open Systems Management, then select the system with the attached cryptographic coprocessor. In the list of Tasks, navigate to Configuration and open the Cryptographic Configuration dialog (Figure 1). Select the appropriate cryptographic coprocessor and press the TKE Commands... button. In the dialog that opens, select the Permit TKE commands check box and confirm your request when prompted. This action changes the text entry in the TKE commands column in Figure 1 from Denied to Permitted.

Fast path: Log on to SE → System Management → Tasks → Configuration → Cryptographic Configuration

Figure 1. Permit TKE commands