Using the pass phrase initialization utility

The pass phrase initialization utility allows the casual user of ICSF to install the necessary master keys on the cryptographic coprocessors and initialize the CKDS and PKDS with minimal effort. This topic describes how to use this utility to get up and running quickly.

Note: The pass phrase initialization utility is used to install the master keys for CCA coprocessors only. The master key for Enterprise PKCS #11 coprocessors can only be entered via a TKE workstation as explained in Managing Enterprise PKCS #11 Master Keys.

The pass phrase is case sensitive and should be chosen according to these rules:

Important: The same pass phrase will always produce the same master key values, and is therefore as critical and sensitive as the master key values themselves. Make sure you save the pass phrase so that you can later reenter it if needed (for example, if you need to restore master key values that have been cleared). Because of the sensitive nature of the pass phrase, make sure you secure it in a safe place.

The pass phrase initialization utility can:

You cannot use this utility to change master keys. To change master keys, you need to use either the master key entry panels or the TKE workstation.

If you plan on sharing your CKDS or PKDS within your sysplex, refer to Running in a Sysplex Environment for important information.

Starting with release HCR77A0, the DES master key may be 16 or 24 bytes long. If the DES master key – 24-byte key access control point is enabled, the pass phrase initialization utility will load a 24-byte value to the DES master key. A TKE workstation is required to enable access control points.