Step 6. Loading master keys and initializing the CKDS through ICSF panels

Note: When defining a master key by specifying master key parts, make sure that the key parts are recorded and saved in a secure location. When you are entering the key parts for the first time, be aware that you might need to reenter these same key values at a later date to restore master key values that have been cleared. If defining a master key by using a pass phrase, realize that the same pass phrase always produces the same master key values and is therefore as critical and sensitive as the master key values themselves. Make sure that you save the pass phrase so that you can later reenter it if needed. Because of the sensitive nature of the pass phrase, make sure that you secure it in a safe place.

If you are using TKE, proceed to the next step.

Process
Passphrase Initialization to load and SET master keys and initialize CKDS and PKDS

- OR -

Clear Master Key Entry
Note: Using the Coprocessor Management panel, the master keys can be loaded into all the coprocessors at the same time.
  • Load DES New Master Key (optional)
  • Load RSA New Master Key (optional)
  • Load New AES master key if running on z10 or newer servers with a CCA Crypto Express coprocessor and the Nov. 2008 or newer licensed internal code. (optional)
  • Load New ECC master key if running on z10 or newer servers with a CCA Crypto Express coprocessor and the Sept. 2011 or newer licensed internal code. (optional)
  • Initialize CKDS
  • Initialize the PKDS
  • Enable PKA Callable Services control
    Note: The PKA Callable Services control is disabled if the system has a CEX3C or newer with the Sept. 2011 or newer licensed internal code.
Responsible
ICSF Administrator and Key Officers
Where
ICSF Panels
Verify
In System Log (Systems with CCA Crypto Express coprocessors and accelerators):
CSFM608I A CKDS KEY STORE POLICY IS NOT DEFINED.
CSFM608I A PKDS KEY STORE POLICY IS NOT DEFINED.
CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.
CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.
CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
CSFM654I KEY ARCHIVING USE CONTROL IS DISABLED.
CSFM015I FIPS 140 SELF CHECKS FOR PKCS11 SERVICES SUCCESSFUL.
CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS5 ACCELERATOR 5Axx, SERIAL NUMBER N/A.
CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS5 COPROCESSOR 5Czz, SERIAL NUMBER ssssssss.
CSFM133I THERE ARE NO ACTIVE PKCS11 COPROCESSORS.
CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CSFCKDS IS NOT INITIALIZED.
CSFM101E PKA KEY DATA SET, CSF.CSFPKDS IS NOT INITIALIZED.
CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
CSFM001I ICSF INITIALIZATION COMPLETE

Message CSFM111I is issued for each active Crypto Express coprocessor and accelerator.

Message CSFM122I is not issued when your system has any CEX3C coprocessors (with the Sept. 2011 or later LIC) online. The PKA callable services control will not be active. The availability of RSA callable services depends on the status of the RSA master key. CSFM130I is issued when the RSA master key is active and RSA callable services are available.

In System Log (without coprocessors and accelerators):
CSFM608I A CKDS KEY STORE POLICY IS NOT DEFINED.
CSFM608I A PKDS KEY STORE POLICY IS NOT DEFINED.
CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.
CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.
CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
CSFM654I KEY ARCHIVING USE CONTROL IS DISABLED.
CSFM015I FIPS 140 SELF CHECKS FOR PKCS11 SERVICES SUCCESSFUL.
CSFM505I CRYPTOGRAPHY - THERE ARE NO ACTIVE CRYPTOGRAPHIC COPROCESSORS.
CSFM133I THERE ARE NO ACTIVE PKCS11 COPROCESSORS.
CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CSFCKDS IS NOT INITIALIZED.
CSFM101E PKA KEY DATA SET, CSF.CSFPKDS IS NOT INITIALIZED.
CSFM507I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC COPROCESSORS ONLINE.
CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE.
CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
CSFM001I ICSF INITIALIZATION COMPLETE
References
For information on using the Pass Phrase Initialization Utility and managing master keys, refer to z/OS Cryptographic Services ICSF Administrator's Guide.
Completed
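
The Verify check above, as an added example that is not part of the IBM documentation: a Python function that compares a captured system log excerpt with the message IDs in the two Verify listings and reports IDs that are missing or not listed. The name check_log, the sample log, and the rule of choosing the listing by the presence of CSFM111I are assumptions made for illustration.

```python
import re
from collections import Counter
# Message IDs taken from the two "Verify" listings on this page.
COMMON = ["CSFM608I", "CSFM610I", "CSFM611I", "CSFM612I", "CSFM654I", "CSFM015I",
          "CSFM133I", "CSFM100E", "CSFM101E", "CSFM126I", "CSFM001I"]
WITH_CRYPTO = COMMON + ["CSFM111I"]
WITHOUT_CRYPTO = COMMON + ["CSFM505I", "CSFM507I", "CSFM508I"]
MSG_RE = re.compile(r"\b(CSFM\d{3}[A-Z])\b\s*(.*)")
FEATURE_RE = re.compile(r"CRYPTO EXPRESS\S*\s+(ACCELERATOR|COPROCESSOR)\s+(\S+),"
                        r"\s+SERIAL NUMBER\s+(.+?)\.?$")
# Constructed sample: page's coprocessor listing minus CSFM654I, plus CSFM508I.
SAMPLE = """\
CSFM608I A CKDS KEY STORE POLICY IS NOT DEFINED.
CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.
CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
CSFM015I FIPS 140 SELF CHECKS FOR PKCS11 SERVICES SUCCESSFUL.
CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS5 COPROCESSOR 5Czz, SERIAL NUMBER ssssssss.
CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE.
CSFM133I THERE ARE NO ACTIVE PKCS11 COPROCESSORS.
CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CSFCKDS IS NOT INITIALIZED.
CSFM101E PKA KEY DATA SET, CSF.CSFPKDS IS NOT INITIALIZED.
CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
CSFM001I ICSF INITIALIZATION COMPLETE
"""

def check_log(text):
    """Compare the CSFM messages found in `text` with the page's Verify lists."""
    seen, features = Counter(), []
    for line in text.splitlines():
        m = MSG_RE.search(line.strip())
        if not m:
            continue  # not an ICSF CSFM message line
        msg_id, body = m.groups()
        seen[msg_id] += 1
        f = FEATURE_RE.search(body) if msg_id == "CSFM111I" else None
        if f:
            features.append(dict(zip(("kind", "id", "serial"), f.groups())))
    has_crypto = seen["CSFM111I"] > 0  # assumption: this picks the listing
    expected = WITH_CRYPTO if has_crypto else WITHOUT_CRYPTO
    return {
        "variant": "with coprocessors" if has_crypto else "without coprocessors",
        "missing": [i for i in expected if i not in seen],
        "unexpected": sorted(i for i in seen if i not in expected),
        "features": features,
    }

if __name__ == "__main__":
    print(check_log(SAMPLE))
```

A non-empty `missing` or `unexpected` list means the log differs from the listing on this page and should be reviewed by the ICSF administrator before the step is marked complete.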