CCA Master Key administration: choosing the right method or tool
The following information explains why it is important to choose the correct tool to administer your cryptographic coprocessors.
There are several factors that influence the procedure of CCA master key administration:
- security requirements
- regulatory requirements
- characteristics of your environment
Available methods are listed in Table 1.
Method | Description | Security | Environment
---|---|---|---
TKE | | |
z/OS® exchange method | An operator temporarily assigns the domains to a z/OS partition, where ICSF user IDs and configuration panels are used to configure the master keys. | Since the z/OS tool is a host utility, the users' key parts are potentially exposed: | There is no conflict with any key storage approach you might use, but application use of key storage should be taken into account as you update keys and re-assign domains.
user application | A user application built to use the libcsulccamk.so library for this purpose, which can be programmed to: | Security features depend on the implementation, but may have host memory or communication channel exposures. | Environment considerations depend on the implementation.
panel.exe (included in RPM or DEB) | A general-purpose, simple utility that can be used to set the master keys. Keys are set one part at a time to one card at a time, which has some implications. Note: If a domain on a cryptographic coprocessor is set to PCI-HSM 2016 compliance mode, you can perform master key changes only on a TKE. You cannot use panel.exe for this purpose. | Since panel.exe is a host utility that runs natively on the Linux instance, a local terminal and communication session are required. The users' key parts are potentially exposed: | While panel.exe is installed by default from the CCA RPM, its simple nature means that conflicts can occur in a multi-card environment. In particular, key storage conflicts occurred in prior releases when loading a master key to multiple adapters. This has been fixed as of CCA 6.0 (see "Changing the master key for two or more adapters that have the same master key, with shared CCA key storage").