Steps for entering the first master key part

Use the Master Key Entry panels to enter each key part. You can enter as many key parts as you like. When the new master key register is empty, the first key part must be identified as FIRST. Subsequent intermediate key parts must be identified as MIDDLE. To close the new master key register to prevent additional key parts from being loaded, the final key part must be identified as FINAL.

Important: When entering the key part values, be aware that you may need to reenter these same key values at a later date to restore master key values that have been cleared. Make sure the key part values are recorded and saved in a secure location.

If you use the random number generator utility to generate key parts, enter each key part directly after you generate the key part data and prior to generating another key part.

To enter master key parts:
  1. Select option 1, COPROCESSOR MGMT, on the ICSF Primary Menu panel, and press ENTER.

    The ICSF Coprocessor Management panel appears (Figure 1).

  2. Select the coprocessor or coprocessors to be processed by entering an 'E' and then pressing ENTER. Select as many coprocessors as required. This loads the same master key for all coprocessors selected.
    Note: During first-time initialization, the coprocessor status will be ONLINE. When a master key (AES, DES, ECC, or RSA) has been set, the status will be ACTIVE.
    Figure 1. Selecting the coprocessor on the Coprocessor Management Panel
     CSFGCMPOO ---------------- ICSF Coprocessor Management -------- Row 1 to 2 of 2
     COMMAND ===> 
    
    Select the cryptographic features to be processed and press ENTER.
    Action characters are: A, D, E, K, R, and S. See the help panel for details
    CRYPTO    SERIAL
    FEATURE   NUMBER     STATUS                 AES  DES  ECC  RSA  P11
    -------   --------   --------------------   ---  ---  ---  ---  ---
    . 5C00    16BA6173   Active                  I    A    A    A
    . 5A01    N/A        Active                                  
    . 5C02    16BA6175   Master key incorrect    I    A    C    E
    . 5A03    N/A        Active
    ******************************* Bottom of data ********************************
    COMMAND ===>                                                  SCROLL ===> PAGE 

    The coprocessor management panel shows all accelerators and coprocessors, their status, and the state of the master keys for coprocessors. The panel shows a CEX5 accelerator (5A03) and coprocessor (5C02), and a CEX5 accelerator (5A01) and coprocessor (5C00). Accelerators do not have master keys and the states are blank. When a coprocessor does not support a master key, a hyphen (-) is used for its state. The master key state for coprocessors shows U (uninitialized), C (correct), A (active), E (error), and I (ignored).

    Coprocessor activation uses the master key verification patterns (MKVP) in the header record of the CKDS and PKDS to determine which coprocessors become active. If the MKVP of a master key is in the CKDS or PKDS, that master key must be loaded and the verification pattern of the current master key register must match the MKVP in the CKDS or PKDS. If all of the MKVPs in the CKDS and PKDS match the current master key registers, the coprocessor will become active. Otherwise, the status of the coprocessor is 'Master key incorrect'.

    This applies to all master keys that the coprocessor supports. When there is a MKVP in the CKDS or PKDS and the coprocessor doesn't support that master key, it is ignored. When a MKVP is not in the CKDS or PKDS, the master key is ignored.

  3. The ICSF Master Key Entry panel appears. See Figure 2.
    Figure 2. Master Key Entry Panel
    CSFDKE50------------- ICSF - Master Key Entry -----------------
    COMMAND ===> 
    
                  AES new master key register                : EMPTY
                  DES new master key register                : EMPTY
                  ECC new master key register                : EMPTY 
                  RSA new master key register                : EMPTY
                 
      Specify information below
        Key Type  ===> ___              (AES-MK, DES-MK, ECC-MK, RSA-MK)
    
        Part      ===> ______           (RESET, FIRST, MIDDLE, FINAL)
    
        Checksum  ===> 40
    
        Key Value ===> 51ED9CFA90716CFB
                  ===> 58403BFA02BD13E8
                  ===> 0000000000000000   (AES-MK, ECC-MK and RSA-MK only)
                  ===> 0000000000000000   (AES-MK, ECC-MK only) 
    
    
    
    
      Press ENTER to process.
      Press END   to exit to the previous menu.
     
  4. Fill in the panel:
    1. Enter the master key type in the Key Type field.

      In this example we are entering the DES-MK master key.

    2. Enter FIRST in the Part field.
    3. Enter the two-digit checksum and the two 16-digit key values (if you did not use the random number generator utility).
    4. Make sure you have recorded the two 16-digit key values. You may need to reenter these same values at a later date to restore master key values that have been cleared. Make sure all master key parts you enter are recorded and saved in a secure location.
    5. When all the fields are complete, press ENTER.

      If the checksum entered in the checksum field matches the checksum that the master key entry utility calculated, the key part is accepted. The message at the top of the panel states KEY PART LOADED, as shown in Figure 3. The new master key register status changes to PART FULL. The verification pattern and hash pattern that are calculated for the key part appear near the bottom of the panel. Compare them with the patterns generated by the random number generator or provided by the person who gave you the key part value to enter.

    6. Record the verification pattern and hash pattern.
      Figure 3. The Master Key Entry Panel Following Key Part Entry
       CSFDKE60 -------------- ICSF - Master Key Entry --- KEY PART LOADED
       COMMAND ===> 
      
                  AES new master key register                      : EMPTY
                  DES new master key register                      : PART FULL 
                  ECC new master key register                      : EMPTY
                  RSA new master key register                      : EMPTY 
                   
      
        Specify information below
          Key Type  ===> DES-MK      (AES-MK, DES-MK, ECC-MK, RSA-MK)
      
          Part      ===> FIRST       (RESET, FIRST, MIDDLE, FINAL)
      
          Checksum  ===> 00
      
          Key Value ===> 0000000000000000
                    ===> 0000000000000000
                    ===> 0000000000000000   (AES-MK, ECC-MK, and RSA-MK only)
                    ===> 0000000000000000   (AES-MK, ECC-MK only)
      
      
      
      
      Entered key part VP: 0CCE190A63546489  HP: 9C92A343479D33F2 66229FCD55B49C26
      
                           (Record and secure these patterns)
       
        Press ENTER to process.
        Press END   to exit to the previous menu.
  5. If the checksums do not match, the message Invalid Checksum appears. If this occurs, follow this sequence to resolve the problem:
    1. Reenter the checksum.
    2. If you still get a checksum error, recalculate the checksum.
    3. If your calculations result in a different value for the checksum, enter the new value.
    4. If your calculations result in the same value for the checksum, or if a new checksum value does not resolve the error, reenter the key part halves and checksum.
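
The coprocessor activation rule described in step 2 (MKVPs in the CKDS and PKDS header compared with the current master key registers), as an added Python sketch that is not IBM or ICSF code. The names Coprocessor and evaluate, the result labels, and all verification pattern values are assumptions constructed for illustration.

```python
# Added illustration: models only the activation rule stated in the text,
# not ICSF internals. All verification pattern values are constructed.
from dataclasses import dataclass, field

KEY_TYPES = ("AES", "DES", "ECC", "RSA")


@dataclass
class Coprocessor:
    name: str
    supported: set                                   # master key types supported
    current_vp: dict = field(default_factory=dict)   # key type -> VP of current register


def evaluate(cop, kds_mkvp):
    """Return (status, per-key result) for one coprocessor.

    kds_mkvp maps key type -> MKVP found in the CKDS/PKDS header record;
    a key type with no MKVP stored is absent from the mapping.
    """
    result = {}
    for kt in KEY_TYPES:
        expected = kds_mkvp.get(kt)
        if expected is None:
            result[kt] = "ignored"       # no MKVP in the CKDS or PKDS
        elif kt not in cop.supported:
            result[kt] = "ignored"       # MKVP present, key type not supported
        elif cop.current_vp.get(kt) == expected:
            result[kt] = "match"
        else:
            result[kt] = "mismatch"      # register empty or holds another key
    incorrect = "mismatch" in result.values()
    return ("Master key incorrect" if incorrect else "Active"), result


if __name__ == "__main__":
    # Constructed header: DES, ECC and RSA MKVPs present, no AES MKVP.
    kds = {"DES": "1" * 16, "ECC": "2" * 16, "RSA": "3" * 16}
    fleet = [
        Coprocessor("cop-a", set(KEY_TYPES),
                    {"AES": "9" * 16, "DES": "1" * 16, "ECC": "2" * 16, "RSA": "3" * 16}),
        Coprocessor("cop-b", set(KEY_TYPES),
                    {"DES": "1" * 16, "ECC": "2" * 16, "RSA": "F" * 16}),
        Coprocessor("cop-c", {"DES", "RSA"}, {"DES": "1" * 16, "RSA": "3" * 16}),
    ]
    for cop in fleet:
        print(cop.name, *evaluate(cop, kds))
```

The result labels are deliberately not the panel's U, C, A, E and I state letters, because the text does not define how each letter is assigned.
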
When you have entered the first key part successfully, continue with: