Step 6. Loading master keys and initializing the CKDS through ICSF panels
Note: When defining a master key by specifying master key parts, make sure that the key parts are
recorded and saved in a secure location. When you are entering the key parts for the first time, be
aware that you might need to reenter these same key values at a later date to restore master key
values that have been cleared. If defining a master key by using a pass phrase, realize that the
same pass phrase always produces the same master key values and is therefore as critical and
sensitive as the master key values themselves. Make sure that you save the pass phrase so that you
can later reenter it if needed. Because of the sensitive nature of the pass phrase, make sure that
you secure it in a safe place.
If you are using TKE, proceed to the next step.
- Process
- Passphrase Initialization to load and SET master keys and initialize CKDS and PKDS
- OR -
Clear Master Key Entry
Note: Using the Coprocessor Management panel, the master keys can be loaded into all the coprocessors at the same time.
- Load DES New Master Key (optional)
- Load RSA New Master Key (optional)
- Load New AES master key if running on z10 or newer servers with a CCA Crypto Express coprocessor and the Nov. 2008 or newer licensed internal code. (optional)
- Load New ECC master key if running on z10 or newer servers with a CCA Crypto Express coprocessor and the Sept. 2011 or newer licensed internal code. (optional)
- Initialize CKDS
- Initialize the PKDS
- Enable PKA Callable Services control
Note: The PKA Callable Services control is disabled if the system has a CEX3C or newer with the Sept. 2011 or newer licensed internal code.
- Responsible
- ICSF Administrator and Key Officers
- Where
- ICSF Panels
- Verify
- In System Log (Systems with CCA Crypto Express coprocessors and accelerators):
CSFM608I A CKDS KEY STORE POLICY IS NOT DEFINED.
CSFM608I A PKDS KEY STORE POLICY IS NOT DEFINED.
CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.
CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.
CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
CSFM654I KEY ARCHIVING USE CONTROL IS DISABLED.
CSFM015I FIPS 140 SELF CHECKS FOR PKCS11 SERVICES SUCCESSFUL.
CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS5 ACCELERATOR 5Axx, SERIAL NUMBER N/A.
CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS5 COPROCESSOR 5Czz, SERIAL NUMBER ssssssss.
CSFM133I THERE ARE NO ACTIVE PKCS11 COPROCESSORS.
CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CSFCKDS IS NOT INITIALIZED.
CSFM101E PKA KEY DATA SET, CSF.CSFPKDS IS NOT INITIALIZED.
CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
CSFM001I ICSF INITIALIZATION COMPLETE
Message CSFM111I is issued for each active Crypto Express coprocessor and accelerator.
Message CSFM122I is not issued when your system has any CEX3C coprocessors (with the Sept. 2011 or later LIC) online. The PKA callable services control will not be active. The availability of RSA callable services depends on the status of the RSA master key. CSFM130I is issued when the RSA master key is active and RSA callable services are available.
- In System Log (without coprocessors and accelerators):
CSFM608I A CKDS KEY STORE POLICY IS NOT DEFINED.
CSFM608I A PKDS KEY STORE POLICY IS NOT DEFINED.
CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.
CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.
CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
CSFM654I KEY ARCHIVING USE CONTROL IS DISABLED.
CSFM015I FIPS 140 SELF CHECKS FOR PKCS11 SERVICES SUCCESSFUL.
CSFM505I CRYPTOGRAPHY - THERE ARE NO ACTIVE CRYPTOGRAPHIC COPROCESSORS.
CSFM133I THERE ARE NO ACTIVE PKCS11 COPROCESSORS.
CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CSFCKDS IS NOT INITIALIZED.
CSFM101E PKA KEY DATA SET, CSF.CSFPKDS IS NOT INITIALIZED.
CSFM507I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC COPROCESSORS ONLINE.
CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE.
CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
CSFM001I ICSF INITIALIZATION COMPLETE
- References
- For information on using the Pass Phrase Initialization Utility and managing master keys, refer to z/OS Cryptographic Services ICSF Administrator's Guide.
- Completed
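
One way to check the Verify messages above from a saved system log extract, as an added example that is not part of the IBM documentation: the Python script below parses CSFM messages (one per line or run together) and reports active features, key data sets flagged as not initialized, and whether CSFM001I was seen. The function names and the layout of the returned dictionary are assumptions; the sample input is a subset of the messages listed on this page.

```python
import re

# Subset of the coprocessor-system messages listed on this page
# (5Axx, 5Czz and ssssssss are the page's own placeholders).
SAMPLE_LOG = """\
CSFM608I A CKDS KEY STORE POLICY IS NOT DEFINED.
CSFM015I FIPS 140 SELF CHECKS FOR PKCS11 SERVICES SUCCESSFUL.
CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS5 ACCELERATOR 5Axx, SERIAL NUMBER N/A.
CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS5 COPROCESSOR 5Czz, SERIAL NUMBER ssssssss.
CSFM133I THERE ARE NO ACTIVE PKCS11 COPROCESSORS.
CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CSFCKDS IS NOT INITIALIZED.
CSFM101E PKA KEY DATA SET, CSF.CSFPKDS IS NOT INITIALIZED.
CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.
CSFM001I ICSF INITIALIZATION COMPLETE
"""

# A message runs from its CSFMnnnX identifier to the next identifier or end of input.
MSG_RE = re.compile(r"\b(CSFM\d{3}[A-Z])\s+(.*?)(?=\s+CSFM\d{3}[A-Z]\b|\s*\Z)", re.S)
FEATURE_RE = re.compile(r"CRYPTO \S+ (ACCELERATOR|COPROCESSOR) (\S+),")
DATASET_RE = re.compile(r"DATA SET, (\S+) IS NOT INITIALIZED")


def parse_messages(log):
    """Return (message_id, text) pairs, whether messages are one per line or run together."""
    return [(m.group(1), " ".join(m.group(2).split())) for m in MSG_RE.finditer(log)]


def summarize(log):
    """Summarize ICSF startup state from the CSFM messages in a log extract."""
    features, uninitialized, not_info = [], [], []
    msgs = parse_messages(log)
    for msg_id, text in msgs:
        if msg_id == "CSFM111I" and (m := FEATURE_RE.search(text)):
            features.append((m.group(1), m.group(2)))  # (feature type, feature id)
        elif msg_id in ("CSFM100E", "CSFM101E") and (m := DATASET_RE.search(text)):
            uninitialized.append(m.group(1))  # data set name from the message
        if not msg_id.endswith("I"):  # anything not typed as informational
            not_info.append(msg_id)
    return {
        "init_complete": any(i == "CSFM001I" for i, _ in msgs),
        "features": features,
        "uninitialized": uninitialized,
        "not_informational": not_info,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```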