Displaying coprocessor hardware status

You can use the ICSF panels to view the status of the cryptographic coprocessor key registers, the master key verification patterns, and other information about the cryptographic hardware. You can use this information for master key management.

When you enter and activate an AES, DES, ECC or RSA master key, you change the status of the registers. The cryptographic facility contains three key registers: one for the old master key, one for the new, and one for the current. The current master key register contains the active master key. The old master key is not lost when a new master key is loaded.

To display coprocessor hardware status:
  1. From the Coprocessor Management panel, select the coprocessors to be processed by typing an 'S'.
    Figure 1. Selecting the coprocessor on the Coprocessor Management Panel
     CSFGCMPOO ---------------- ICSF Coprocessor Management -------- Row 1 to 7 of 7
     COMMAND ===> 
    
    Select the cryptographic features to be processed and press ENTER.
    Action characters are: A, D, E, K, R, and S. See the help panel for details.
    
      CRYPTO         SERIAL
      FEATURE        NUMBER         STATUS              AES DES ECC RSA P11
      -------       --------        ------------------- --- --- --- --- ---
    . 4C00          16BA6173        Active               I   A   A   A
    . 4C01          16BA6174        Master key incorrect I   A   C   E
    . 4C02          16BA6175        Master key incorrect I   A   C   E
    . 4A03          N/A             Active
    . 4C04          16BA6199        Deactivated
    . 4P05          16BA6200        Active                               A
    . 4P06          16BA6201        Master key incorrect                 U
    ******************************* Bottom of data ******************************** 
  2. Depending on the coprocessor type, one of two different Hardware Status panels appears. Panel CSFCMP40 is displayed for CCA coprocessors (Figure 2). When more than two coprocessors are requested, the status display can be scrolled down to show the other coprocessors. You can scroll down using PFKey 8 and up using PFKey 7.
    Figure 2. Coprocessor Hardware Status Panel
     CSFCMP40 ----------- ICSF - Coprocessor Hardware Status  ----------------
     OPTION ===>
    
                                                           CRYPTO DOMAIN: 8
    
    
     REGISTER STATUS                  COPROCESSOR 4C02                    
                                                                         
      Crypto Serial Number          : 42-K0111                            
      Status                        : ACTIVE                              
     AES Master Key                                                      
        New Master Key register     : EMPTY                               
          Verification pattern      :                                     
        Old Master Key register     : VALID                               
          Verification pattern      : BF494FF74B86343F                    
        Current Master Key register : VALID                               
          Verification pattern      : 2058C870E9D3194F
    
     DES Master Key                                                      
        New Master Key register     : EMPTY                               
          Verification pattern      :                                     
          Hash pattern              :                                     
                                    :                                     
        Old Master Key register     : VALID                               
          Verification pattern      : 1D08F1C67A1B709A                    
          Hash pattern              : 2B0C723D1AB9C948                    
                                    : E9C9E32E7FF3B7F4                    
        Current Master Key register : VALID                               
          Verification pattern      : CA6B408A02371B1D                    
          Hash pattern              : DF3A50AE35466123                    
                                    : 96EF557E8BD074C1                    
     ECC Master Key                                          
        New Master Key register     : EMPTY                               
          Verification pattern      :                 
        Old Master Key register     : VALID                               
          Verification pattern      : 9999999999999999
        Current Master Key register : VALID                               
          Verification pattern      : 9999999999999999                    
                         
     RSA Master Key                                          
        New Master Key register     : EMPTY                               
          Verification pattern      :                                     
                                    :                                     
        Old Master Key register     : VALID                               
          Verification pattern      : EF4C65754B5088C2                    
                                    : 2D03480BC7B952B2                    
        Current Master Key register : VALID                               
          Verification pattern      : E83F158521FEEA23                    
                                    : 986CC9483DAFD711
The coprocessor hardware status fields on this panel contain this information:
CRYPTO DOMAIN
This field displays the value that is specified for the DOMAIN keyword in the installation options data set at ICSF startup. This is the domain in which your system is currently working. It specifies which one of several separate sets of master key registers you can currently access. A system programmer can use the DOMAIN keyword in the installation options data set to specify the domain value to use at ICSF startup. For more information see the DOMAIN installation option.
Crypto Serial Number
The serial number is a number for the coprocessor.
Status
This field displays the status of the coprocessor.
State      Indication
ACTIVE     The verification pattern for the DES-MK matches the verification pattern of the CKDS. Requests for services can be routed to the coprocessor.
ONLINE     The coprocessor is online. The DES-MK verification pattern does not match the verification pattern in the CKDS. Requests for services cannot be routed to the coprocessor.
DES Master Key
New Master Key Register
This field shows the state of the DES new master key register.
This key register can be in any of these states:
State      Indication
EMPTY      You have not entered any key parts for the initial master key, or you have just transferred the contents of this register into the master key register. Or you have RESET the registers. Or you have zeroized the domain from a TKE workstation or the Support Element.
PART FULL  You have entered one or more key parts but not the final key part.
FULL       You have entered an entire new master key, but have not transferred it to the master key register yet.
Verification Pattern
When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same.

If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the NMK verification patterns for each unit should match, because the patterns verify the same key.

Hash Pattern
If the master key register is not EMPTY, the panel displays a hash pattern for the key. When you enter a new master key, record the hash pattern that appears on the panel. When the master key becomes active, you can compare the hash patterns to ensure that the one you entered and set is in the master key register.

If your system is using multiple cryptographic coprocessors, you enter the same master key into all units. If the status of the new master key registers is valid, the master key register hash patterns for each unit should match, because the patterns verify the same key.

Old Master Key register
This field shows the states of the DES old master key register.
State      Indication
EMPTY      You have never changed the master key and, therefore, never transferred a master key to the old master key register. Or you have zeroized the domain from a TKE workstation or the Support Element.
VALID      You have changed the master key. The master key that was current when you changed the master key was placed in the old master key register.
Verification Pattern
When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same.

If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the DES-MK verification patterns for each unit should match, because the patterns verify the same key.

Hash Pattern
If the master key register is not EMPTY, the panel displays a hash pattern for the key. When you enter a new master key, record the hash pattern that appears on the panel. When the master key becomes active, you can compare the hash patterns to ensure that the one you entered and set is in the master key register.

If your system is using multiple cryptographic coprocessors, you enter the same master key into all units. If the status of the new master key registers is valid, the master key register hash patterns for each unit should match, because the patterns verify the same key.

Current Master Key register
This field shows the states of the DES master key register.
State      Indication
EMPTY      You have never entered and set an initial symmetric master key. Or you have zeroized the domain from a TKE workstation or the Support Element.
VALID      You have entered a new symmetric master key on this coprocessor and chosen either the set or change option.
Verification Pattern
When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same.

If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the NMK verification patterns for each unit should match, because the patterns verify the same key.

Hash Pattern
If the master key register is not EMPTY, the panel displays a hash pattern for the key. When you enter a new master key, record the hash pattern that appears on the panel. When the master key becomes active, you can compare the hash patterns to ensure that the one you entered and set is in the master key register.

If your system is using multiple cryptographic coprocessors, you enter the same master key into all units. If the status of the new master key registers is valid, the master key register hash patterns for each unit should match, because the patterns verify the same key.

AES Master Key
New Master Key Register
This field shows the state of the new master key register.
This key register can be in any of these states:
State      Indication
EMPTY      You have not entered any key parts for the initial master key, or you have just transferred the contents of this register into the master key register. Or you have RESET the registers. Or you have zeroized the domain from a TKE workstation or the Support Element.
PART FULL  You have entered one or more key parts but not the final key part.
FULL       You have entered an entire new master key, but have not transferred it to the master key register yet.
Verification Pattern
When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same.

If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the NMK verification patterns for each unit should match, because the patterns verify the same key.

Old Master Key register
This field shows the states of the AES old master key register.
State      Indication
EMPTY      You have never changed the master key and, therefore, never transferred a master key to the old master key register. Or you have zeroized the domain from a TKE workstation or the Support Element.
VALID      You have changed the master key. The master key that was current when you changed the master key was placed in the old master key register.
Verification Pattern
When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same.

If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the AES-MK verification patterns for each unit should match, because the patterns verify the same key.

Current Master Key register
This field shows the states of the AES master key register.
State      Indication
EMPTY      You have never entered and set an initial symmetric master key. Or you have zeroized the domain from a TKE workstation or the Support Element.
VALID      You have entered a new symmetric master key on this coprocessor and chosen either the set or change option.
Verification Pattern
When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same.

If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the NMK verification patterns for each unit should match, because the patterns verify the same key.

ECC Master Key
New Master Key Register
This field shows the state of the new master key register.
This key register can be in any of these states:
State      Indication
EMPTY      You have not entered any key parts for the initial master key, or you have just transferred the contents of this register into the master key register. Or you have RESET the registers. Or you have zeroized the domain from a TKE workstation or the Support Element.
PART FULL  You have entered one or more key parts but not the final key part.
FULL       You have entered an entire new master key, but have not transferred it to the master key register yet.

For the CEX2C or CEX3C, there can be an old, new and current master key.

Verification Pattern
When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same.

If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the NMK verification patterns for each unit should match, because the patterns verify the same key.

Old Master Key register
This field shows the states of the ECC old master key register.
State      Indication
EMPTY      You have never changed the master key and, therefore, never transferred a master key to the old master key register. Or you have zeroized the domain from a TKE workstation or the Support Element.
VALID      You have changed the master key. The master key that was current when you changed the master key was placed in the old master key register.
Verification Pattern
When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same.

If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the ECC-MK verification patterns for each unit should match, because the patterns verify the same key.

Current Master Key register
This field shows the states of the ECC master key register.
State      Indication
EMPTY      You have never entered and set an initial symmetric master key. Or you have zeroized the domain from a TKE workstation or the Support Element.
VALID      You have entered a new symmetric master key on this coprocessor and chosen either the set or change option.
Verification Pattern
When you use the master key panels to enter a new master key, record the verification pattern that appears for the master key when the final key part has been entered. You can compare the verification pattern you record with this one to ensure that the key entered and the key in the new master key register are the same.

If your system is using multiple cryptographic coprocessors, you must enter the same master key into all units. If the status of the new master key registers is valid, the NMK verification patterns for each unit should match, because the patterns verify the same key.

RSA Master Key
New Master Key register
This field shows the state of the RSA new master key register.
This key register can be in any of these states:
State      Indication
EMPTY      You have not entered any key parts for the initial RSA master key, or you have just transferred the contents of this register into the RSA master key register. Or you have RESET the registers. Or you have zeroized the domain from a TKE workstation or the Support Element.
PART FULL  You have entered one or more key parts but not the final key part.
Verification Pattern
If the master key register is not EMPTY, a verification pattern is displayed.
Old Master Key register
This field shows the state of the RSA old master key register.
State      Indication
EMPTY      You have never changed the RSA master key and, therefore, never transferred an RSA master key to the RSA old master key register. Or you have zeroized the domain from a TKE workstation or the Support Element.
VALID      You have changed the RSA master key. The RSA master key that was current when you changed the master key was placed in the RSA old master key register.
Verification Pattern
If the old asymmetric master key register is valid, the panel displays a verification pattern for the RSA old master key.
Current Master Key register
This field shows the states of the RSA master key register.
State      Indication
EMPTY      You have never entered an initial RSA master key on the coprocessor. Or you have zeroized the domain from a TKE workstation or the Support Element.
VALID      You have entered a new RSA master key on this coprocessor.
Verification Pattern
If the RSA master key registers are valid, the panel displays a verification pattern for the key. When you enter a new RSA master key, record the verification pattern that appears on the panel. When the RSA master key becomes active, you can compare the verification patterns to ensure that the one you entered and set is in the master key register.

The RSA master key must be the same on all the PCI X cards. If the status of all these cryptographic coprocessors is valid, the MK verification patterns for each unit should match, because the patterns verify the same key.

Note: An audit trail of the verification patterns that the PCIXCC, CEX2C, or CEX3C calculates appears in SMF record type 82.

Panel CSFCMP41 is displayed for an Enterprise PKCS #11 coprocessor. It is similar to panel CSFCMP40, except that there is only one master key type, the P11 master key, with two registers instead of three:
Figure 3. PKCS #11 Coprocessor Hardware Status Panel
  CSFCMP41 -------- ICSF – PKCS #11 Coprocessor Hardware Status  ------------     
  OPTION ===>                                                                     
                                                         CRYPTO DOMAIN: 8          
  REGISTER STATUS                  COPROCESSOR 4P08                               
                                                                                   
  Crypto Serial Number           : 97006090                                       
  Status                         : ACTIVE                                         
  Compliance Mode                : FIPS: 2011                                     
                                 : BSI:  2009                                     
  P11 Master Key                                                                  
     New Master Key register     : EMPTY                                          
       Verification pattern      :                                                
                                 :                                                
     Current Master Key register : VALID                                          
       Verification pattern      : 2058C870E9D3194F                               
                                 : 4FE11A79AB122EB2
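
The check described above (comparing the pattern recorded at key entry with the Current Master Key register on every coprocessor, and noticing a new register that is still PART FULL or FULL) can be scripted over saved panel text. This is an added example, not IBM or ICSF code: it assumes the hardware status screens were saved as plain text, and the sample screens, the patterns, and the names parse_status, audit and RECORDED are constructed for illustration. It goes slightly beyond the text by also reading the two-register P11 layout of panel CSFCMP41.

```python
import re
# Constructed, abridged sample of saved CSFCMP40-style screens, plus the patterns
# written down when the final key part was entered (all values made up).
SAMPLE = """\
 REGISTER STATUS                  COPROCESSOR 4C00
 AES Master Key
    Current Master Key register : VALID
      Verification pattern      : 0123456789ABCDEF
 RSA Master Key
    Current Master Key register : VALID
      Verification pattern      : 1111111111111111
                                : 2222222222222222
 REGISTER STATUS                  COPROCESSOR 4C01
 AES Master Key
    New Master Key register     : PART FULL
      Verification pattern      :
    Current Master Key register : VALID
      Verification pattern      : FEDCBA9876543210
 RSA Master Key
    Current Master Key register : EMPTY
      Verification pattern      :
"""
RECORDED = {"AES": "0123456789ABCDEF", "RSA": "11111111111111112222222222222222"}

COPROC = re.compile(r"REGISTER STATUS\s+COPROCESSOR\s+(\S+)")
KEYTYPE = re.compile(r"^\s*(\w+) Master Key\s*$")
REGISTER = re.compile(r"^\s*(New|Old|Current) Master Key register\s*:\s*(.*?)\s*$")
FIELD = re.compile(r"^\s*(?:(Verification|Hash) pattern)?\s*:\s*([0-9A-Fa-f]*)\s*$")

def parse_status(text):
    """Return {coprocessor: {key type: {register: {state, verification, hash}}}}."""
    status, keys, regs, reg, field = {}, None, None, None, None
    for line in text.splitlines():
        if m := COPROC.search(line):
            keys, regs, reg, field = status.setdefault(m.group(1), {}), None, None, None
        elif keys is not None and (m := KEYTYPE.match(line)):
            regs, reg, field = keys.setdefault(m.group(1), {}), None, None
        elif regs is not None and (m := REGISTER.match(line)):
            reg = regs[m.group(1)] = {"state": m.group(2), "verification": "", "hash": ""}
            field = None
        elif reg is not None and (m := FIELD.match(line)):
            field = m.group(1).lower() if m.group(1) else field
            if field:  # a line with no label continues the field above it
                reg[field] += m.group(2).upper()
    return status

def audit(status, recorded):
    """List (coprocessor, key type, problem) for registers that need attention."""
    findings = []
    for coproc, keys in sorted(status.items()):
        for ktype, regs in keys.items():
            new = regs.get("New", {}).get("state", "EMPTY")
            if new != "EMPTY":  # PART FULL or FULL: a key load is still pending
                findings.append((coproc, ktype, f"new register {new}"))
            cur = regs.get("Current")
            if cur is None or ktype not in recorded:
                continue
            if cur["state"] != "VALID":
                findings.append((coproc, ktype, f"current register {cur['state']}"))
            elif cur["verification"] != recorded[ktype].upper():
                findings.append((coproc, ktype, "verification pattern mismatch"))
    return findings

if __name__ == "__main__":
    print(*audit(parse_status(SAMPLE), RECORDED), sep="\n")
```

Verification patterns identify a key without revealing it, so the recorded values can be kept with the change record and compared this way after every master key change.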