After you enter the first key part and any intermediate key parts,
you enter the final master key part.
- Select option 1, COPROCESSOR MGMT, on the ICSF Primary
menu and press ENTER.
The Coprocessor Management panel appears.
- Select the coprocessor or coprocessors to be processed by entering
an 'E' on the Coprocessor Management panel.
- When you press ENTER, the Master Key Entry panel appears.
Figure 1. The Master Key Entry Panel when entering Final Key Values
CSFDKE50 -------------- ICSF - Master Key Entry ---------
COMMAND ===>
AES new master key register : EMPTY
DES new master key register : PART FULL
ECC new master key register : EMPTY
RSA new master key register : EMPTY
Specify information below
Key Type ===> ___ (AES-MK, ASYM-MK, DES-MK)
Part ===> ______ (RESET, FIRST, MIDDLE, FINAL)
Checksum ===> 65
Key Value ===> 1939040919720419
===> EA10111975BB5312
===> 0000000000000000 (AES-MK, ECC-MK and RSA-MK only)
===> 0000000000000000 (AES-MK, ECC-MK only)
Press ENTER to process.
Press END to exit to the previous menu.
- Fill in the panel:
  - Enter the master key type in the Key Type field. In this example,
    we are continuing to enter the DES-MK master key.
  - Enter FINAL in the Part field.
  - Enter the two-digit checksum and the two 16-digit key values (if
    you did not use random number generation).
  - Make sure you have recorded the two 16-digit key values. You may
    need to reenter these same values at a later date to restore master
    key values that have been cleared. Make sure all master key parts
    you enter are recorded and saved in a secure location.
  - When all the fields are complete, press ENTER.
    If the checksum entered in the Checksum field matches the checksum
    that the master key entry utility calculated, the key part is
    accepted. The message at the top of the panel states KEY PART LOADED,
    as shown in Figure 2. The new master key register status changes
    to FULL.
    The verification pattern and hash pattern that are calculated
    for the key part appear near the bottom of the panel. Compare them
    with the patterns generated by the random number generator or provided
    by the person who gave you the key part value to enter.
  - Record the verification pattern and hash pattern.
Figure 2. The Master Key Entry Panel with Final Key Values
CSFDKE60 -------------- ICSF - Master Key Entry --------- KEY PART LOADED
COMMAND ===>
AES new master key register : EMPTY
DES new master key register : FULL
ECC new master key register : EMPTY
RSA new master key register : EMPTY
Specify information below
Key Type ===> DES-MK (AES-MK, DES-MK, ECC-MK, RSA-MK)
Part ===> FINAL (RESET, FIRST, MIDDLE, FINAL)
Checksum ===> 00
Key Value ===> 0000000000000000
===> 0000000000000000
===> 0000000000000000 (AES-MK, ECC-MK and RSA-MK only)
===> 0000000000000000 (AES-MK, ECC-MK only)
Entered key part VP: 8D8A000BE067EBF7 HP: 9D92F343479D77F2 229FD4CDB49C2679
Master Key VP: 8F887096A8D4922C HP: 4C887096A8D4922B 33387096A8D4922B
(Record and secure these patterns)
Press ENTER to process.
Press END to exit to the previous menu.
- If the checksums do not match, the message Invalid Checksum appears.
  If this occurs, follow this sequence to resolve the problem:
  - Reenter the checksum.
  - If you still get a checksum error, recalculate the checksum.
  - If your calculations result in a different value for the checksum,
    enter the new value.
  - If your calculations result in the same value for the checksum,
    or if a new checksum value does not resolve the error, reenter the
    key part halves and checksum.
- When you have entered the final key part successfully, it is combined
  with the first key part and any intermediate key parts in the new
  master key register.
  The new master key register status is now FULL, and the panel displays
  two verification patterns and two hash patterns: one set for the final
  key part and one set for the new master key, which is now complete.
  - Check that the key part verification pattern or hash pattern
    you may have previously calculated matches the verification pattern
    or hash pattern that is shown on the panel. If they do not match, you
    may want to restart the key entry process. For information on how to
    restart the key entry process, see Steps for restarting the key entry
    process.
  - Record the verification pattern and hash pattern for the
    new master key, because you may want to verify it at another time.
Note: When you initialize or reencipher a CKDS, ICSF places
the verification pattern for the DES-MK and AES-MK master
key into the CKDS header record.
When you have entered the master keys correctly, they are in the
new master key registers and are not yet active on the system.
Note: Ensure that the new master key is installed on all cryptographic
coprocessors.
After you enter the master keys, do one of the following:
- If you are defining the DES or AES master keys for the first time,
initialize the CKDS with the DES and AES master keys. For a description
of the process of initializing a CKDS on your system, see Initializing the CKDS and PKDS at First-Time Startup.
- If you are defining an AES, DES, ECC or RSA master key when it
was cleared, set the master keys to make them active. For a description
of the process of recovering from tampering, see Reentering master keys when they have been cleared.
- If you are changing a DES-MK master key, reencipher the
CKDS under the new DES-MK or AES-MK master key and
make it active. For a description of the process of changing a DES-MK or
AES-MK master key, see Changing the master keys.
- If you are defining the ECC or RSA master keys for the first time,
initialize the PKDS with the master keys. For a description of the
process of initializing a PKDS on your system, see Initializing the CKDS and PKDS at First-Time Startup.
- If you are changing an ECC or RSA master key, reencipher the
PKDS under the new ECC or RSA master key and make it active. For a
description of the process of changing an ECC or RSA master key, see Changing the master keys.