CCF with PCICCs

SMK equal to KMMK

Using Master Key Entry
1. Start ICSF on a non-CCF system, pointing to the initialized CKDS/PKDS.
  You will see one or more of these messages depending on your system's cryptographic features: CSFM124I MASTER KEY xxx ON CRYPTO EXPRESSn COPROCESSOR xxnn, SERIAL NUMBER nnnnnnnn, NOT INITIALIZED.
2. Using Master Key Entry, load the value of the CCF DES master key into the new DES-MK register. Load the value of the CCF SMK/KMMK master key into the new RSA-MK register. You will need the checksums for each of these values.
3. If the non-CCF system has coprocessors (CEX3C or later) with the September, 2011 LIC or later, set the DES-MK and RSA-MK using the SET MK utility.
4. If the non-CCF system has coprocessors (CEX3C or earlier) without the September, 2011 LIC, do the following steps:
  - Set the DES-MK using the SET MK utility.
  - The RSA-MK will have already been set when the last master key value was entered.

SMK not equal to KMMK

Make the SMK equal to KMMK prior to sharing the CKDS and PKDS on a non-CCF system.

Using Master Key Entry
1. Define an empty PKDS.
2. On the CCF system, disable the PKA Callable Services control.
3. Using Master Key Entry, reset ALL-PKA registers. Load the value of the CCF KMMK master key into the SMK/KMMK/ASYM-MK registers on all CCF and PCICC coprocessors. You will need the checksum. The ASYM-MK is automatically set when the final key part is loaded.
4. Reencipher the PKDS to the empty PKDS.
5. Activate the new PKDS.
6. Enable the PKA Callable Services and Dynamic PKDS Access controls.
7. Update the options data set to point to the new PKDS.
8. Start ICSF on the non-CCF system pointing to initialized CKDS and PKDS.
9. Load the value of the CCF DES master key into the new DES-MK register.
10. Set the DES-MK using the SET MK utility.
If the non-CCF system has coprocessors (CEX3C or later) with the September, 2011 LIC or later, do the following steps:
- Load the value of the CCF KMMK master key into the new RSA-MK register. You will need the checksum.
- Set the RSA-MK using the SET MK utility.
If the non-CCF system has coprocessors (CEX3C or earlier) without the September, 2011 LIC, do the following steps:
- Load the value of the CCF KMMK master key into the new RSA-MK register. You will need the checksum. The RSA-MK is automatically set when the final key part is loaded.
- Enable the PKA Callable Services and Dynamic PKDS Access controls. The current RSA-MK now has the same value as the SMK/KMMK on the CCF.
Using Pass Phrase Initialization
1. On the CCF system, use PPKEYS to get the clear key values of the SMK and KMMK from a pass phrase. You will also need the checksum for each of these values.
2. Define an empty PKDS. Disable PKA Callable Services.
3. Using Master Key Entry, load the value of the CCF KMMK master key into the new ASYM-MK register on the PCICC or PCICCs. You will need the checksum. Load a final key part of zeroes. The ASYM-MK is automatically set when the final key part is loaded. The current ASYM-MK is now the same as the KMMK value.
4. Load the value of the CCF SMK into the new ASYM-MK register on the PCICC or PCICCs. You will need the checksum. Load a final key part of zeroes. The ASYM-MK is automatically set when the final key part is loaded. The current ASYM-MK is now the same as the SMK value. The KMMK value is now in the old ASYM-MK register.
5. Reset the KMMK register on the CCFs. Load the SMK value into the KMMK register. Now the KMMK = SMK.
6. Reencipher the PKDS to the empty PKDS.
7. Activate the new PKDS.
8. Enable the PKA Callable Services and Dynamic PKDS Access controls.
9. Update options data set to point to the new PKDS.
10. Start ICSF on a non-CCF system, pointing to the initialized CKDS and PKDS (the one just reenciphered previously).
11. Using PPINIT, type in the same pass phrase used to initialize CCF system, select the Reinitialize system option and type in the CKDS and PKDS names.