Checklist for loading a TKE machine - passphrase

Expectations
  • You are working with CCA host crypto modules
  • The support element has enabled TKE on these host crypto modules
  • LPARs are established
  • TKE licensed internal code (LIC) is loaded on the TKE workstation
  • Segments 1, 2, and 3 have been loaded on the TKE workstation crypto adapter
  • The TKE host transaction program has been configured and started in the host TKE LPAR
  • ICSF is started in each LPAR
Setup
  • Two TKE workstations, both running the same level of software
    • One for production
    • One for backup
  • Two Central electronic complex (CEC) cards being shared
    • One test LPAR (Domain 0)
    • Three production LPARs (Domains 1, 2, and 3)

    TKE can load the master key in a group of domains as defined by a domain group.

  • Host TKE LPAR 1

    When defining the LPAR activation profile, the usage domain will be 1 and the control domains will be 0, 1, 2, and 3.

The following User IDs are used to restrict access to the TKE workstation crypto adapter:
  • TKEUSER - can run the main TKE application
  • TKEADM - can create and update TKE roles and profiles
  • KEYMAN1 - can clear TKE new master keys and load first master key parts
  • KEYMAN2 - can load TKE middle and last key parts and reencipher TKE workstation key storage

Authorities are used to restrict access to the CCA crypto modules on the host machine. Each authority is identified by an authority key; the workstation user IDs above control who may use the TKE workstation, and the authorities control what that workstation may do to the host crypto modules.

One way to control access to CCA host crypto modules is with a minimum of seven host authorities, split so that issuing and co-signing a command, and entering the first and later parts of a key, always require different authority keys:

  • ISSUER
    • Disable host crypto module
    • Enable host crypto module issue
    • Access control issue
    • Zeroize domain issue
    • Domain control change issue
  • COSIGN
    • Access control co-sign
    • Enable host crypto module co-sign
    • Zeroize domain co-sign
    • Domain control change co-sign
  • MKFIRST
    • AES, DES, ECC (APKA), or RSA load first master key part
    • Clear new master key register
    • Clear old master key register
  • MKMIDDLE
    • AES, DES, ECC (APKA), or RSA combine middle master key parts
  • MKLAST
    • AES, DES, ECC (APKA), or RSA combine final master key part
    • Set RSA master key
  • FIRSTCLEAR
    • Load first operational key part
    • Clear operational key register
  • ADDCOMP
    • Load additional operational key part
    • Complete key

The following tasks should be run using the TKE workstation to set up the TKE workstation and the host crypto modules for use. Be aware that the Service Management tasks available to you will vary depending on the console user name you used to log on. Refer to Service Management tasks for more information.

  1. Customize Network Settings
  2. Customize Console Date/Time
  3. Initialize the TKE workstation crypto adapter for passphrase use
    1. Predefined TKE roles and profiles are loaded.
    2. The TKE master keys are set and TKE key storages are initialized.
  4. Log on to CNM with KEYMAN1 - OPTIONAL
    1. Clear the new DES/PKA and AES master key registers
    2. Enter known first master key parts for the DES/PKA and AES master keys.
    3. Log off
  5. Log on to CNM with KEYMAN2 - OPTIONAL
    1. Enter known middle and last master key parts for the DES/PKA and AES master keys.
    2. Reencipher DES, PKA, and AES key storage
    3. Log off
  6. Logon to CNM with TKEADM
    1. Create user defined roles - OPTIONAL
    2. Create user defined profiles - OPTIONAL
    3. Create groups and add users - OPTIONAL
      Note: Group members should already be defined.
    4. Change the passphrases for all of the predefined profiles - TKEADM, TKEUSER, KEYMAN1, and KEYMAN2
  7. Log on to the main TKE application with the TKEUSER profile or another profile with the same authority
    1. Load the default authority key for key index 0
    2. Change these options of your security policy via the TKE preferences menu
      • Blind Key Entry
      • Removable media only
    3. Create a Host
    4. Create domain groups - OPTIONAL
    5. Open a host or a domain group (requires host logon)
    6. Open a crypto module notebook or domain group notebook
    7. Create role or roles
    8. Generate authority key or keys and save them to binary file or files
    9. Create different authorities using the different authority key or keys that were just generated.
    10. Delete authority 00, or change its authority key to a key that is not the default key. If you delete authority 00, make sure that you have two other known authority keys that between them hold Domain control change issue and co-sign; otherwise no remaining authority can issue and co-sign a domain control change.
  8. Configure 3270 Emulators
  9. Backup Critical Console Data onto a USB flash memory drive.
  10. Customize Scheduled Operations to schedule the backup critical console data task
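The seven-authority scheme above and step 7.10 both encode the same two controls: dual control (issue and co-sign held by different authority keys) and split knowledge (no single authority enters every part of a key), plus the requirement that enough known keys remain once the default authority key is gone. The following Python is an added example written for this checklist, not IBM code or a TKE API: it models a planned authority layout as a mapping of authority index to permission set, using the permission names from the authority list, and reports every violation of those rules. The function names `check_layout` and `checklist_layout` are hypothetical, the layouts are constructed, and the known-key rule of step 7.10 is extended here to all four dual-control commands rather than only Domain control change.

```python
"""Separation-of-duties check for a planned TKE host-authority layout.

Constructed model written for this checklist; it is not TKE's own API and
the permission strings are only the names the checklist uses.  Each planned
authority is described by its index, whether it still uses the default
authority key, and the set of host crypto module permissions it holds.
"""

# Commands whose "issue" and "co-sign" halves must sit in different
# authorities (the ISSUER / COSIGN split), so no single key completes them.
DUAL_CONTROL_COMMANDS = (
    "Access control",
    "Enable host crypto module",
    "Zeroize domain",
    "Domain control change",
)

# Key-part permissions that implement split knowledge: no single authority
# should be able to enter every part of a master or operational key.
SPLIT_KNOWLEDGE_GROUPS = {
    "master key": (
        "Load first master key part",
        "Combine middle master key parts",
        "Combine final master key part",
    ),
    "operational key": (
        "Load first operational key part",
        "Load additional operational key part",
    ),
}


def check_layout(authorities):
    """Return a list of findings (strings) for a planned authority layout.

    authorities maps an authority index (int) to a dict with "name" (str),
    "default_key" (True while that index still uses the default authority
    key) and "perms" (set of permission strings).  An empty list means the
    layout passes every rule encoded here.
    """
    findings = []
    known = {i: a for i, a in authorities.items() if not a["default_key"]}

    # Rule 1: the default authority key must be gone (checklist step 7.10).
    for idx, a in authorities.items():
        if a["default_key"]:
            findings.append(f"authority {idx:02d} still uses the default authority key")

    # Rule 2: at least two known keys remain, so losing one key cannot lock
    # the module (the "two other known authority keys" rule of step 7.10).
    if len(known) < 2:
        findings.append("fewer than two authorities with known (non-default) keys")

    # Rule 3: dual control.  No authority may hold both halves of a command,
    # and both halves must be held by authorities whose keys are known.
    for cmd in DUAL_CONTROL_COMMANDS:
        issue, cosign = f"{cmd} issue", f"{cmd} co-sign"
        for idx, a in authorities.items():
            if issue in a["perms"] and cosign in a["perms"]:
                findings.append(f"authority {idx:02d} ({a['name']}) holds both issue and co-sign for '{cmd}'")
        if not any(issue in a["perms"] for a in known.values()):
            findings.append(f"no known key can issue '{cmd}'")
        if not any(cosign in a["perms"] for a in known.values()):
            findings.append(f"no known key can co-sign '{cmd}'")

    # Rule 4: split knowledge.  An authority holding two key-part permissions
    # of the same key type could enter a complete key on its own.
    for key_type, parts in SPLIT_KNOWLEDGE_GROUPS.items():
        for idx, a in authorities.items():
            held = [p for p in parts if p in a["perms"]]
            if len(held) > 1:
                findings.append(f"authority {idx:02d} ({a['name']}) holds {len(held)} {key_type} part permissions: {held}")
    return findings


def checklist_layout():
    """Constructed example: the seven authorities the checklist describes,
    at indexes 01..07, each with its own generated (known) authority key."""
    perms = {
        "ISSUER": {"Disable host crypto module", "Enable host crypto module issue",
                   "Access control issue", "Zeroize domain issue",
                   "Domain control change issue"},
        "COSIGN": {"Access control co-sign", "Enable host crypto module co-sign",
                   "Zeroize domain co-sign", "Domain control change co-sign"},
        "MKFIRST": {"Load first master key part", "Clear new master key register",
                    "Clear old master key register"},
        "MKMIDDLE": {"Combine middle master key parts"},
        "MKLAST": {"Combine final master key part", "Set RSA master key"},
        "FIRSTCLEAR": {"Load first operational key part", "Clear operational key register"},
        "ADDCOMP": {"Load additional operational key part", "Complete key"},
    }
    return {i + 1: {"name": n, "default_key": False, "perms": p}
            for i, (n, p) in enumerate(perms.items())}


if __name__ == "__main__":
    good = checklist_layout()
    print("checklist layout:", check_layout(good) or "no findings")
    # Constructed bad layout: authority 00 kept on the default key with every
    # permission, which is the state before step 7.10 is carried out.
    bad = checklist_layout()
    bad[0] = {"name": "DEFAULT", "default_key": True,
              "perms": set().union(*(a["perms"] for a in bad.values()))}
    for f in check_layout(bad):
        print("finding:", f)
```

Run the check against the layout you intend to build in step 7.9 before generating authority keys; the findings for the constructed "bad" layout are exactly the conditions step 7.10 exists to remove, and a layout that drops the COSIGN authority is reported as one that no known key can co-sign, which is the lock-out that the two-known-keys rule guards against.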