Steps for entering the final key part

When you enter the first key part, and any intermediate key parts, you then enter the final master key part.
  1. Select option 1, COPROCESSOR MGMT, on the ICSF Primary menu and press ENTER.

    The Coprocessor Management panel appears.

  2. Select the coprocessor or coprocessors to be processed by entering an 'E' on the Coprocessor Management panel.
  3. When pressing ENTER, the Master Key Entry panel appears.
    Figure 1. The Master Key Entry Panel when entering Final Key Values
    CSFDKE50 -------------- ICSF - Master Key Entry ---------
     COMMAND ===> 
    
                  AES new master key register                      : EMPTY
                  DES new master key register                      : PART FULL
                  ECC new master key register                      : EMPTY
                  RSA new master key register                      : EMPTY
    
    
      Specify information below
        Key Type  ===> ___          (AES-MK, ASYM-MK, DES-MK)
    
        Part      ===> ______       (RESET, FIRST, MIDDLE, FINAL)
    
        Checksum  ===> 65
    
        Key Value ===> 1939040919720419
                  ===> EA10111975BB5312
                  ===> 0000000000000000  (AES-MK, ECC-MK and RSA-MK only)
                  ===> 0000000000000000  (AES-MK, ECC-MK only)
    
                  Press ENTER to process.
      Press END   to exit to the previous menu.
  4. Fill in the panel
    1. Enter the master key type in the Key Type field.

      In this example we are continuing to enter the DES-MK master key.

    2. Enter FINAL in the Part field.
    3. Enter the two-digit checksum and the two 16-digit key values (if you did not use random number generate).
    4. Make sure you have recorded the two 16-digit key values. You may need to reenter these same values at a later date to restore master key values that have been cleared. Make sure all master key parts you enter are recorded and saved in a secure location.
    5. When all the fields are complete, press ENTER.

      If the checksum entered in the checksum field matches the checksum that the master key entry utility calculated, the key part is accepted. The message at the top of the panel states KEY PART LOADED, as shown in Figure 2. The new master key register status changes to FULL. The verification pattern and hash pattern that are calculated for the key part appear near the bottom of the panel. Compare them with the patterns generated by the random number generator or provided by the person who gave you the key part value to enter.

    6. Record the verification pattern and hash pattern.
      Figure 2. The Master Key Entry Panel with Final Key Values
      CSFDKE60 -------------- ICSF - Master Key Entry ---------KEY PART LOADED
       COMMAND ===> 
      
                    AES new master key register                      : EMPTY
                    DES new master key register                      : FULL 
                    ECC new master key register                      : EMPTY
                    RSA new master key register                      : EMPTY
      
      
        Specify information below
          Key Type  ===> DES-MK        (AES-MK, DES-MK, ECC-MK, RSA-MK)
      
          Part      ===>  FINAL        (RESET, FIRST, MIDDLE, FINAL)
      
          Checksum  ===>  00
      
          Key Value ===> 0000000000000000
                    ===> 0000000000000000
                    ===> 0000000000000000  (AES-MK, ECC-MK and RSA-MK only)
                    ===> 0000000000000000  (AES-MK, ECC-MK only)
      
      
        Entered key part VP: 8D8A000BE067EBF7 HP: 9D92F343479D77F2 229FD4CDB49C2679
        Master Key       VP: 8F887096A8D4922C HP: 4C887096A8D4922B 33387096A8D4922B
                           (Record and secure these patterns)
      
        Press ENTER to process.
        Press END   to exit to the previous menu.
  5. If the checksums do not match, the message Invalid Checksum appears. If this occurs, follow this sequence to resolve the problem:
    1. Reenter the checksum.
    2. If you still get a checksum error, recalculate the checksum.
    3. If your calculations result in a different value for the checksum, enter the new value.
    4. If your calculations result in the same value for the checksum, or if a new checksum value does not resolve the error, reenter the key part halves and checksum.
  6. When you have entered the final key part successfully, it is combined with the first key part and any intermediate key parts in the new master key register.

    The new master key register status is now FULL, and the panel displays two verification patterns and two hash patterns. It gives you verification patterns and hash patterns for both the final key part and the new master key, since it is now complete.

  7. Check that the key part verification pattern or hash pattern you may have previously calculated matches the verification pattern or hash pattern that is shown on the panel. If they do not, you may want to restart the key entry process. For information on how to restart the key entry process, see Steps for restarting the key entry process.
  8. Record the verification pattern and hash pattern for the new master key, because you may want to verify it at another time.
    Note: When you initialize or reencipher a CKDS, ICSF places the verification pattern for the DES-MK and AES-MK master key into the CKDS header record.
When you have entered the master keys correctly, they are in the new master key registers and are not active on the system.
Note: Ensure that the new master key is installed on all cryptographic coprocessors.
When you enter the master keys, you should do one of these: