Use the Master Key Entry panels to enter each key part. You can enter as many key parts as you like. When the new master key register is empty, the first key part must be identified as FIRST. Subsequent intermediate key parts must be identified as MIDDLE. To close the new master key register to prevent additional key parts from being loaded, the final key part must be identified as FINAL.
If you use the random number generator utility to generate key parts, enter each key part directly after you generate the key part data and prior to generating another key part.
The ICSF Coprocessor Management panel appears (Figure 1).
CSFGCMPOO ---------------- ICSF Coprocessor Management -------- Row 1 to 2 of 2
COMMAND ===>
Select the cryptographic features to be processed and press ENTER.
Action characters are: A, D, E, K, R, and S. See the help panel for details
CRYPTO SERIAL
FEATURE NUMBER STATUS AES DES ECC RSA P11
------- -------- -------------------- --- --- --- --- ---
. 5C00 16BA6173 Active I A A A
. 5A01 N/A Active
. 5C02 16BA6175 Master key incorrect I A C E
. 5A03 N/A Active
******************************* Bottom of data ********************************
COMMAND ===> SCROLL ===> PAGE
The coprocessor management panel shows all accelerators and coprocessors, their status, and the state of the master keys for coprocessors. The panel shows a CEX5 accelerator (5A03) and coprocessor (5C02), and a CEX5 accelerator (5A01) and coprocessor (5C00). Accelerators do not have master keys, so their master key states are blank. When a coprocessor does not support a master key, a hyphen (-) is used for its state. The master key state for coprocessors shows U (uninitialized), C (correct), A (active), E (error), and I (ignored).
Coprocessor activation uses the master key verification patterns (MKVP) in the header record of the CKDS and PKDS to determine which coprocessors become active. If the MKVP of a master key is in the CKDS or PKDS, that master key must be loaded and the verification pattern of the current master key register must match the MKVP in the CKDS or PKDS. If all of the MKVPs in the CKDS and PKDS match the current master key registers, the coprocessor will become active. Otherwise, the status of the coprocessor is 'Master key incorrect'.
This applies to all master keys that the coprocessor supports. When there is an MKVP in the CKDS or PKDS and the coprocessor doesn't support that master key, it is ignored. When an MKVP is not in the CKDS or PKDS, the master key is ignored.
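The activation rule described above can be modeled as a short check, for example when reviewing a configuration before a master key change. This is an added example, not ICSF code: the class and function names and the sample verification patterns are constructed, and the per-key labels (match, mismatch, ignored) are this example's own rather than the panel's state letters.

```python
# Added illustration: simplified model of the activation rule described above.
# All names and sample values are constructed; this is not ICSF code.
from dataclasses import dataclass, field

KEY_TYPES = ("AES", "DES", "ECC", "RSA")


@dataclass
class Coprocessor:
    feature: str
    supported: set  # master key types this coprocessor supports
    current_vp: dict = field(default_factory=dict)  # key type -> VP of current MK register


def evaluate(cop, kds_mkvp):
    """Return (status, per-key result) for one coprocessor.

    kds_mkvp maps key type -> MKVP found in the CKDS/PKDS header record;
    a key type that is absent has no MKVP in either data set.
    """
    result = {}
    for kt in KEY_TYPES:
        expected = kds_mkvp.get(kt)
        if expected is None:
            result[kt] = "ignored"    # no MKVP in the key data sets
        elif kt not in cop.supported:
            result[kt] = "ignored"    # MKVP present, key type unsupported
        elif cop.current_vp.get(kt) == expected:
            result[kt] = "match"      # current register matches the MKVP
        else:
            result[kt] = "mismatch"   # register empty or holds another key
    active = all(r != "mismatch" for r in result.values())
    return ("Active" if active else "Master key incorrect"), result


# Constructed sample data (placeholder patterns, not real MKVPs).
KDS = {"DES": "1111111111111111", "RSA": "2222222222222222"}
ALL = {"AES", "DES", "ECC", "RSA"}
good = Coprocessor("COP-A", ALL, {"DES": "1111111111111111",
                                  "RSA": "2222222222222222",
                                  "AES": "9999999999999999"})
bad = Coprocessor("COP-B", ALL, {"DES": "1111111111111111",
                                 "RSA": "3333333333333333"})
no_rsa = Coprocessor("COP-C", {"AES", "DES"}, {"DES": "1111111111111111"})

if __name__ == "__main__":
    for cop in (good, bad, no_rsa):
        status, detail = evaluate(cop, KDS)
        print(cop.feature, status, detail)
```

COP-A carries an AES master key that has no MKVP in the key data sets, so that key is ignored and does not block activation; COP-B fails on a single mismatched RSA pattern even though its DES register matches.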
CSFDKE50------------- ICSF - Master Key Entry -----------------
COMMAND ===>
AES new master key register : EMPTY
DES new master key register : EMPTY
ECC new master key register : EMPTY
RSA new master key register : EMPTY
Specify information below
Key Type ===> ___ (AES-MK, DES-MK, ECC-MK, RSA-MK)
Part ===> ______ (RESET, FIRST, MIDDLE, FINAL)
Checksum ===> 40
Key Value ===> 51ED9CFA90716CFB
===> 58403BFA02BD13E8
===> 0000000000000000 (AES-MK, ECC-MK and RSA-MK only)
===> 0000000000000000 (AES-MK, ECC-MK only)
Press ENTER to process.
Press END to exit to the previous menu.
In this example we are entering the DES-MK master key.
If the checksum entered in the checksum field matches the checksum that the master key entry utility calculated, the key part is accepted. The message at the top of the panel states KEY PART LOADED, as shown in Figure 3. The new master key register status changes to PART FULL. The verification pattern and hash pattern that are calculated for the key part appear near the bottom of the panel. Compare them with the patterns generated by the random number generator or provided by the person who gave you the key part value to enter.
CSFDKE60 -------------- ICSF - Master Key Entry --- KEY PART LOADED
COMMAND ===>
AES new master key register : EMPTY
DES new master key register : PART FULL
ECC new master key register : EMPTY
RSA new master key register : EMPTY
Specify information below
Key Type ===> DES-MK (AES-MK, DES-MK, ECC-MK, RSA-MK)
Part ===> FIRST (RESET, FIRST, MIDDLE, FINAL)
Checksum ===> 00
Key Value ===> 0000000000000000
===> 0000000000000000
===> 0000000000000000 (AES-MK, ECC-MK, and RSA-MK only)
===> 0000000000000000 (AES-MK, ECC-MK only)
Entered key part VP: 0CCE190A63546489 HP: 9C92A343479D33F2 66229FCD55B49C26
(Record and secure these patterns)
Press ENTER to process.
Press END to exit to the previous menu.