Step 6. Loading master keys and initializing the CKDS through ICSF panels

Note: When defining a master key by specifying master key parts, make sure the key parts are recorded and saved in a secure location. When you are entering the key parts for the first time, be aware that you may need to reenter these same key values at a later date to restore master key values that have been cleared. If defining a master key using a pass phrase, realize that the same pass phrase will always produce the same master key values, and is therefore as critical and sensitive as the master key values themselves. Make sure you save the pass phrase so that you can later reenter it if needed. Because of the sensitive nature of the pass phrase, make sure you secure it in a safe place.

If you are using TKE, proceed to the next step.

Process
Passphrase Initialization to load and SET master keys and initialize CKDS and PKDS

- OR -

Clear Master Key Entry
Note: Using the Coprocessor Management panel, the master keys can be loaded into all the coprocessors at the same time.
  • Load DES New Master Key
  • Load RSA New Master Key
  • Load New AES master key if running on z10 or newer servers with a CCA Crypto Express coprocessor and the Nov. 2008 or newer licensed internal code.
  • Load New ECC master key if running on z10 or newer servers with a CCA Crypto Express coprocessor and the Sept. 2011 or newer licensed internal code.
  • Initialize CKDS
  • Initialize the PKDS
  • Enable PKA Callable Services control
    Note: The PKA Callable Services control is disabled if the system has a CEX3C or newer with the Sept. 2011 or newer licensed internal code.
Responsible
ICSF Administrator and Key Officers
Where
ICSF Panels
Verify
In System Log (Systems with PCIXCC and PCICA):
 CSFM608I A CKDS KEY STORE POLICY IS NOT DEFINED.
 CSFM608I A PKDS KEY STORE POLICY IS NOT DEFINED.
 CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
 CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.
 CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.
 CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
 CSFM654I KEY ARCHIVING USE CONTROL IS DISABLED.
 CSFM015I FIPS 140 SELF CHECKS FOR PKCS11 SERVICES SUCCESSFUL.
 CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. PCI X CRYPTO COPROCESSOR X32, SERIAL NUMBER 93X06008.
 CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. PCI CRYPTO ACCELERATOR A33, SERIAL NUMBER N/A.
 CSFM505I CRYPTOGRAPHY - THERE ARE NO ACTIVE CRYPTOGRAPHIC COPROCESSORS.
 CSFM133I THERE ARE NO ACTIVE PKCS11 COPROCESSORS.
 CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CKDS IS NOT INITIALIZED.
 CSFM101E PKA KEY DATA SET, CSF.PKDS IS NOT INITIALIZED.
 CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
*CSFM122I PKA SERVICES WERE NOT ENABLED DURING ICSF INITIALIZATION.
 CSFM001I ICSF INITIALIZATION COMPLETE 
Message CSFM111I will be issued for each active PCIXCC and PCICA.
In System Log (CCA Crypto Express coprocessors and accelerators):
 CSFM608I A CKDS KEY STORE POLICY IS NOT DEFINED.
 CSFM608I A PKDS KEY STORE POLICY IS NOT DEFINED.
 CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
 CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.
 CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.
 CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
 CSFM654I KEY ARCHIVING USE CONTROL IS DISABLED.
 CSFM015I FIPS 140 SELF CHECKS FOR PKCS11 SERVICES SUCCESSFUL.
 CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS4
   COPROCESSOR SC32, SERIAL NUMBER 93X06008.
 CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS4
   ACCELERATOR SA33, SERIAL NUMBER N/A.
 CSFM133I THERE ARE NO ACTIVE PKCS11 COPROCESSORS.
 CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CKDS IS NOT INITIALIZED.
 CSFM101E PKA KEY DATA SET, CSF.PKDS IS NOT INITIALIZED.
 CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
 CSFM001I ICSF INITIALIZATION COMPLETE 
Message CSFM111I will be issued for each active Crypto Express coprocessor and accelerator.

Message CSFM122I will not be issued when your system has any CEX3C coprocessors (with the Sep. 2011 or later LIC) online. The PKA callable services control will not be active. The availability of RSA callable services will depend on the status of the RSA master key. CSFM130I is issued when the RSA master key is active and RSA callable services are available.

In System Log (without coprocessors or accelerators):
 CSFM608I A CKDS KEY STORE POLICY IS NOT DEFINED.
 CSFM608I A PKDS KEY STORE POLICY IS NOT DEFINED.
 CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.      
 CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.        
 CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.        
 CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.            
 CSFM654I KEY ARCHIVING USE CONTROL IS DISABLED.
 CSFM015I FIPS 140 SELF CHECKS FOR PKCS11 SERVICES SUCCESSFUL.
 CSFM505I CRYPTOGRAPHY - THERE ARE NO ACTIVE CRYPTOGRAPHIC COPROCESSORS.
 CSFM133I THERE ARE NO ACTIVE PKCS11 COPROCESSORS.           
 CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CKDS IS NOT INITIALIZED.
 CSFM101E PKA KEY DATA SET, CSF.PKDS IS NOT INITIALIZED.
 CSFM507I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC COPROCESSORS ONLINE.
 CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE.
 CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
 CSFM001I ICSF INITIALIZATION COMPLETE 
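The Verify check can also be scripted against a saved copy of the system log. The following Python sketch is an added example, not part of the IBM documentation: it folds wrapped CSFM111I lines back into one message, accepts the `*` flag that precedes CSFM122I, and reports the conditions named in this step. The function names and the assumption that each message begins its own line, as in the excerpts above, are illustrative.

```python
import re

# Constructed sample, abridged from the Crypto Express excerpt above.
SAMPLE_LOG = """\
 CSFM015I FIPS 140 SELF CHECKS FOR PKCS11 SERVICES SUCCESSFUL.
 CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS4
   COPROCESSOR SC32, SERIAL NUMBER 93X06008.
 CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS4
   ACCELERATOR SA33, SERIAL NUMBER N/A.
 CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CKDS IS NOT INITIALIZED.
 CSFM101E PKA KEY DATA SET, CSF.PKDS IS NOT INITIALIZED.
 CSFM001I ICSF INITIALIZATION COMPLETE
"""

# Assumption: each message starts a line as shown above, optionally flagged with '*'.
MSG_START = re.compile(r"^\*?(CSFM\d{3}[A-Z])\s+(.*)$")
FEATURE = re.compile(r"IS ACTIVE\.\s+(.*?),\s+SERIAL NUMBER\s+(\S+?)\.?$")

def parse_messages(log_text):
    """Return [(msg_id, text)], folding wrapped lines into the message they continue."""
    messages = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = MSG_START.match(line)
        if m:
            messages.append([m.group(1), m.group(2)])
        elif line and messages:  # continuation of the previous message
            messages[-1][1] += " " + line
    return [tuple(m) for m in messages]

def summarize(messages):
    """Reduce parsed messages to the conditions the Verify step refers to."""
    ids = [mid for mid, _ in messages]
    features = []
    for mid, text in messages:
        if mid == "CSFM111I":  # issued once per active coprocessor or accelerator
            f = FEATURE.search(text)
            features.append((f.group(1), f.group(2)) if f else (text, None))
    return {
        "init_complete": "CSFM001I" in ids,
        "ckds_not_initialized": "CSFM100E" in ids,
        "pkds_not_initialized": "CSFM101E" in ids,
        "pka_not_enabled": "CSFM122I" in ids,
        "rsa_services_available": "CSFM130I" in ids,
        "active_features": features,
    }

if __name__ == "__main__":
    print(summarize(parse_messages(SAMPLE_LOG)))
```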
References
For information on using the Pass Phrase Initialization Utility and managing master keys, refer to z/OS Cryptographic Services ICSF Administrator's Guide.
Completed