IBM Support

Cryptographic resource not accessible using any profiles and passphrases

Question & Answer


Question

Cannot access the 4765, 4767 or 4769 feature using known profiles and passphrases (passwords). Either the passphrases (passwords) have expired, or the time skew between the system clock and the clock resident on the Cryptographic feature has reached or exceeded five minutes.

Cause

Expired passphrases or clock skew makes access to the Crypto feature impossible

Answer

The first thing to check is whether the DEFAULT profile used in the original configuration setup is still enabled. If this profile is accessible and still has the default role, it is possible to synchronize the clock on the feature with the system clock and to modify the existing profiles so that they have an expiration date in the future, allowing those profiles to regain their normal function.
If you are encountering a clock skew, please review technote 7157399 (https://www.ibm.com/support/pages/node/7157399).
If you need to set the expiration date to a date in the future for expired/expiring profiles, please review technote 7157405 (https://www.ibm.com/support/pages/node/7157405).

If the Default profile has been disabled, or its Roles reduced so that it can't be used to synchronize the time on the crypto feature with the system clock, an option that may be considered is to change the system clock to be in sync with the crypto card. Once the two clocks are in sync (within 4 minutes of each other), the defined profiles will be able to sign in (if not expired) and perform tasks within their defined Roles. This allows the clock on the Crypto feature to be manually set to the correct time. The system time can then be set back to the correct time while the crypto feature profiles retain access.

In the event that the Default profile has been disabled or Roles reduced so that it can't be used to correct the Time and/or Expired Profile issue, access to the crypto feature is not possible. At this point we are in a similar situation to a hacker attempting to break into the crypto feature, which is not going to work. The only option is to initialize the crypto feature and re-enter the original configuration information, roles, profiles, master key(s), and certificates to regain access to prior operations.

Note: If for some reason the original configuration information can't be found or wasn't archived, the recommendation is to contact IBM Lab Services and/or your secure services providers for assistance in identifying and reverse engineering the requirements and contents of the crypto feature that will need to be re-created.

The general initialization and setup of a crypto feature if the information is available is fairly straightforward:

  1. WRKCFGSTS CFGTYPE(*DEV): Vary Off the crypto card
  2. STRSST: Use HSM to find and initialize the crypto card (URL reference below valid for all releases)
  3. WRKCFGSTS CFGTYPE(*DEV): Vary On the crypto card
  4. Crypto Configuration GUI under ADMIN: Run Basic Configuration wizard
    • Enter the Master Keys from previous configuration
    • Enter EID used previously
  5. Crypto Configuration GUI under ADMIN: Expand Manage Configuration
    • Enter Roles as they were in the prior configuration
    • Enter Profiles as they were in the prior configuration (verify activation and expiration dates are correct)
    • Attributes: Set the time to match the system time
    • Attributes: Load FCV
    • If you have other keys to load (AES, DES, PKA, etc.) you would load those at this time
  6. If you had SSL certificates stored in the Crypto feature: These can be imported back into the crypto resource using the same method as before (they can be imported via Digital Certificate Manager; however, some applications use other methods.)
Once


Document Information

Modified date:
13 June 2024

UID

nas8N1019893