Question & Answer
Question
Cause
Answer
If the Default profile has been disabled or its Roles reduced so that it can't be used to synchronize the time on the crypto feature with the system clock, one option to consider is to change the system clock so that it is in sync with the crypto card. Once the two clocks are in sync (within 4 minutes of each other), the defined profiles will be able to sign in (if not expired) and perform tasks within their defined Roles. This allows the clock on the crypto feature to be manually set to the correct time. The system time can then also be set back to the correct time, and the crypto feature profiles will still maintain access.
In the event that the Default profile has been disabled or Roles reduced so that it can't be used to correct the Time and/or Expired Profile issue, access to the crypto feature is not possible. At this point we are in a similar situation to a hacker attempting to break into the crypto feature, which is not going to work. The only option is to initialize the crypto feature and re-enter the original configuration information, roles, profiles, master key(s), and certificates to regain access to prior operations.
Note: If for some reason the original configuration information can't be found or wasn't archived, the recommendation is to contact IBM Lab Services and/or your secure services providers for assistance in identifying and reverse engineering the requirements and contents of the crypto feature that will need to be re-created.
The general initialization and setup of a crypto feature, if the information is available, is fairly straightforward:
- WRKCFGSTS CFGTYPE(*DEV): Vary Off the crypto card
- STRSST: Use HSM to find and initialize the crypto card (URL reference below valid for all releases)
- WRKCFGSTS CFGTYPE(*DEV): Vary On the crypto card
- Crypto Configuration GUI under ADMIN: Run Basic Configuration wizard
- Enter the Master Keys from previous configuration
- Enter EID used previously
- Crypto Configuration GUI under ADMIN: Expand Manage Configuration
- Enter Roles as they were in the prior configuration
- Enter Profiles as they were in the prior configuration (verify activation and expiration dates are correct)
- Attributes: Set the time to match the system time
- Attributes: Load FCV
- If you have other keys to load (AES, DES, PKA, etc.) you would load those at this time
- If you had SSL certificates stored in the crypto feature: These can be imported back into the crypto resource using the same method as before. (They can be imported via Digital Certificate Manager; however, some applications use other methods.)
Document Information
Modified date:
13 June 2024
UID
nas8N1019893