IBM Support

SI64478 - OSP-CRYPTO: AES MASTER KEY NOT LOADED WITH CORRECT KEY PARTS

PTF Cover Letter



Abstract

OSP-CRYPTO: AES MASTER KEY NOT LOADED WITH CORRECT KEY PARTS


Pre/Co-Requisite PTF / Fix List

REQ  LICENSED      PTF/FIX  LEVEL
TYPE PROGRAM  REL  NUMBER   MIN/MAX  OPTION
---- -------- ---  -------  -------  ------
NONE



NOTICE:
-------
Application of this PTF may disable or render ineffective programs that
use system memory addresses not generated by the IBM translator,
including programs that circumvent control technology designed to limit
interactive capacity to purchased levels.  This PTF may be a prerequisite
for future PTFs.  By applying this PTF you authorize and agree to the
foregoing.

This PTF is subject to the terms of the license agreement which
accompanied, or was contained in, the Program for which you are obtaining
the PTF.  You are not authorized to install or use the PTF except as part
of a Program for which you have a valid Proof of Entitlement.

SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY
AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT
AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT,
REGARDING THE PTF.

The applicable license agreement may have been provided to you in printed
form and/or may be viewed using the Work with Software Agreements (WRKSFWAGR)
CL command.


APAR Error Description / Circumvention

-------------------------------------------------
A problem exists storing master key parts into the cryptographic
coprocessor that may require the key parts to be reentered and
existing encrypted keys in keystores to be re-encrypted.  The
issue only occurs if using the Cryptographic Coprocessor
Configuration GUI to manually load AES or APKA master key parts.
This issue does not apply for DES or PKA master keys or if
entering master key parts using a program that calls API CSNBMKP
(Master Key Process) in library QCCA.

CORRECTION FOR APAR 'BE00014' :
-------------------------------
The Cryptographic Coprocessor Configuration GUI to load master
key values has been updated to correctly store the key parts
that are typed on the load master key GUI.  To ensure all keys
currently encrypted under the incorrect master key are using the
desired master key parts, you must re-encrypt all keys in the
AES keystore with updated AES and APKA master keys.

CIRCUMVENTION FOR APAR 'BE00014' :
----------------------------------
None.


Activation Instructions

If you are not using or do not intend to use a cryptographic
coprocessor, nothing further needs to be done.

There are 3 master key registers: New, Current, and Old.
When "Loading" master key parts, only the New master key register
gets updated.  The Current and Old registers are not changed.
When "Setting" master key parts, the Current master key gets moved
to the Old master key register, and the New master key gets moved to
the Current master key register.
When "Re-encrypting" keys in a keystore that are encrypted with a
master key, the Old master key is used to decrypt the keys and the
Current master key is used to encrypt the keys.  It is therefore very
important to re-encrypt keys residing in a keystore immediately after
setting the master key, to ensure the correct Old master key is
accessible for decryption.

The following steps describe how to load and set the master key parts.
The process to load, set, and re-encrypt keys is performed using the
Cryptographic Coprocessor Configuration web-based utility, found by
clicking the IBM i Tasks page link on the IBM Navigator for i welcome
page at http://server-name:2001.

-  Click on "Manage configuration".
-  Click on "Master keys" and provide information to manage keys on
   the desired coprocessor.
-  Click on "Load".
-  Select "AES" and click on "Manual load".
-  Fill in the four 8-byte values and click "Continue" to set the
   First key part.
-  Repeat to set the Middle and Last key parts, and then click
   "Done".
-  Click "Set", select "AES", and then click "Continue" to have the
   new master key set as the current master key.
-  Click "Done" to complete the Master key entering process.
-  Click on "AES keys", specify the key store name and library, and
   click "Continue" to manage the existing AES keys.
-  Click on "Re-encrypt" and provide profile information, then click
   "Re-encrypt" to have the keys enciphered using the current master
   key.
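
The register behaviour and the load, set, re-encrypt sequence described above, as an added Python model (not IBM code and not part of the original cover letter). The class and function names, the fingerprint and the toy wrapping scheme are constructed for illustration, and combining key parts by XOR is an assumption of the model; it shows that a keystore token left un-re-encrypted across a second "Set" can no longer be decrypted from the Old register.

```python
import hashlib, hmac, os

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def mkvp(mk):  # short fingerprint of a master key (constructed stand-in)
    return hashlib.sha256(b"mkvp" + mk).digest()[:8]

def wrap(mk, key):  # toy wrapping, NOT the CCA key token format
    stream = hmac.new(mk, b"wrap", hashlib.sha256).digest()
    return mkvp(mk) + xor(key, stream)

def unwrap(mk, token):
    if token[:8] != mkvp(mk):
        raise ValueError("token was not wrapped under this master key")
    return xor(token[8:], hmac.new(mk, b"wrap", hashlib.sha256).digest())

class Coprocessor:
    def __init__(self, current):
        self.new, self.current, self.old = None, current, None

    def load(self, part):
        # "Load": only the New register changes (parts XORed: model assumption).
        self.new = part if self.new is None else xor(self.new, part)

    def set(self):
        # "Set": Current -> Old, New -> Current; New register is emptied.
        self.old, self.current, self.new = self.current, self.new, None

    def reencrypt(self, token):
        # "Re-encrypt": decrypt with Old, encrypt with Current.
        return wrap(self.current, unwrap(self.old, token))

def rotate(cp, parts):
    # Load the First, Middle and Last parts, then Set.
    for p in parts:
        cp.load(p)
    cp.set()

def demo():
    data_key, cp = os.urandom(32), Coprocessor(os.urandom(32))
    token = wrap(cp.current, data_key)              # key in the keystore
    rotate(cp, [os.urandom(32) for _ in range(3)])  # four 8-byte values per part
    ok = unwrap(cp.current, cp.reencrypt(token)) == data_key
    rotate(cp, [os.urandom(32) for _ in range(3)])  # second Set, no re-encrypt
    try:
        cp.reencrypt(token)   # original token: Old no longer matches it
    except ValueError:
        return ok, False
    return ok, True
```

`demo()` returns whether re-encryption succeeded immediately after the first "Set", and whether the original token could still be re-encrypted after a second "Set".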

If you have keys that are not in a keystore or if you would prefer to
write your own application to re-encrypt keys, you can do so by using
the key token change (CSNBKTC) API verb.




Special Instructions


After applying or removing this PTF,
end and restart the HTTP administration server.


Default Instructions

THIS PTF CAN BE APPLIED IMMEDIATE OR DELAYED.



Supersedes

PTF/FIX NO(S).  APAR TITLE LINE
--------------  ------------------------------------------------------------
   SI52187      CCA-INCORROUT RE-ENCRYPT FUNCTION IN CCA CRYPTO GUI FAILS

Summary Information

System..............................i
Models..............................
Release.............................V7R1M0
Licensed Program...............5770SS1
APAR Fixed..........................BE00014
Superseded by:......................
Recompile...........................N
Library.............................QCCA
MRI Feature ........................NONE
Cum Level...........................C7192710



Document Information

Modified date:
12 April 2017