PTF (Program Temporary Fix) Cover Letter
OSP-CRYPTO: AES MASTER KEY NOT LOADED WITH CORRECT KEY PARTS
Pre/Co-Requisite PTF / Fix List
REQ LICENSED PTF/FIX LEVEL
TYPE PROGRAM REL NUMBER MIN/MAX OPTION
---- -------- --- ------- ------- ------
Application of this PTF may disable or render ineffective programs that
use system memory addresses not generated by the IBM translator,
including programs that circumvent control technology designed to limit
interactive capacity to purchased levels. This PTF may be a prerequisite
for future PTFs. By applying this PTF you authorize and agree to the
This PTF is subject to the terms of the license agreement which
accompanied, or was contained in, the Program for which you are obtaining
the PTF. You are not authorized to install or use the PTF except as part
of a Program for which you have a valid Proof of Entitlement.
SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY
AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT
AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT,
REGARDING THE PTF.
The applicable license agreement may have been provided to you in printed
form and/or may be viewed using the Work with Software Agreements (WRKSFWAGR)
APAR Error Description / Circumvention
A problem exists when storing master key parts into the cryptographic
coprocessor that may require the key parts to be reentered and
existing encrypted keys in keystores to be re-encrypted. The
issue only occurs when the Cryptographic Coprocessor Configuration
GUI is used to manually load AES or APKA master key parts.
This issue does not apply to DES or PKA master keys, or when
master key parts are entered using a program that calls the
CSNBMKP (Master Key Process) API in library QCCA.
CORRECTION FOR APAR 'BE00014' :
The Cryptographic Coprocessor Configuration GUI to load master
key values has been updated to correctly store the key parts
that are typed on the load master key GUI. To ensure all keys
currently encrypted under the incorrect master key are using the
desired master key parts, you must re-encrypt all keys in the
AES keystore with updated AES and APKA master keys.
CIRCUMVENTION FOR APAR 'BE00014' :
If you are not using or do not intend to use a cryptographic
coprocessor, nothing further needs to be done.
There are 3 master key registers: New, Current, and Old.
When "Loading" master key parts, only the New master key register
gets updated. The Current and Old registers are not changed.
When "Setting" master key parts, the Current master key gets moved
to the Old master key register, and the New master key gets moved to
the Current master key register.
When "Re-encrypting" keys in a keystore that are encrypted with a
master key, the Old master key is used to decrypt the keys, the
Current master key is used to encrypt the keys. It is therefore very
important to re-encrypt keys residing in a keystore immediately after
setting the master key to ensure the correct Old master key is
accessible for decryption.
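The register behaviour just described, as an added illustrative model (not IBM code and not the CSNBMKP/CSNBKTC APIs): key parts are combined by XOR as CCA does, but the key wrapping and the verification pattern are constructed stand-ins for the coprocessor's real operations. It shows why a keystore must be re-encrypted right after each Set: a second Set overwrites the Old register, after which tokens still wrapped under the earlier master key can no longer be re-encrypted.

```python
import hashlib
import hmac

def combine_parts(parts):
    """Combine loaded master key parts by XOR (how CCA combines key parts)."""
    mk = bytes(len(parts[0]))
    for part in parts:
        mk = bytes(a ^ b for a, b in zip(mk, part))
    return mk

def mkvp(mk):
    """Constructed master key verification pattern: tags which master key wrapped a token."""
    return hashlib.sha256(mk).digest()[:8]

def wrap(mk, key):
    """Constructed stand-in for coprocessor key wrapping (toy, NOT real AES key wrap)."""
    stream = hmac.new(mk, b"toy-wrap-keystream", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key, stream))

unwrap = wrap  # XOR with the same keystream inverts it

class MasterKeyRegisters:
    """The three registers described in the cover letter: New, Current, Old."""
    def __init__(self):
        self.new, self.current, self.old = [], None, None

    def load(self, part):
        self.new.append(part)  # Load touches only the New register

    def set_master_key(self):
        # Set: Current moves to Old, the combined New parts become Current
        self.old, self.current = self.current, combine_parts(self.new)
        self.new = []

def encrypt_key(regs, key):
    """Store a key token wrapped under the Current master key."""
    return {"mkvp": mkvp(regs.current), "wrapped": wrap(regs.current, key)}

def reencrypt(regs, token):
    """Re-encrypt: decrypt with Old, encrypt with Current. Refuses a token that
    is not wrapped under the key currently in the Old register."""
    if regs.old is None or token["mkvp"] != mkvp(regs.old):
        raise ValueError("token not wrapped under the Old master key; unrecoverable")
    return encrypt_key(regs, unwrap(regs.old, token["wrapped"]))

def recover(regs, token):
    """What an application sees: the key only unwraps under the Current master key."""
    if token["mkvp"] != mkvp(regs.current):
        return None
    return unwrap(regs.current, token["wrapped"])
```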
The following steps describe how to load and set the master key parts.
The process to load, set, and re-encrypt keys is performed using the
Cryptographic Coprocessor Configuration web-based utility found by
clicking on IBM i Tasks page link on the IBM Navigator for i welcome
page at http://server-name:2001.
- Click on "Manage configuration".
- Click on "Master keys" and provide information to manage keys on
- Click on "Load".
- Select "AES" and click on "Manual load".
- Fill in the four 8-byte values and click "Continue" to set the
First key part.
- Repeat to set the Middle and Last key parts, and then click
- Click "Set", select "AES", and then click "Continue" to have the
new master key set as the current master key.
- Click "Done" to complete the Master key entering process.
- Click on "AES keys", specify the key store name and library, and
click "Continue" to manage the existing AES keys.
- Click on "Re-encrypt" and provide profile information, then click
"Re-encrypt" to have the keys enciphered using the current master
If you have keys that are not in a keystore or if you would prefer to
write your own application to re-encrypt keys, you can do so by using
the key token change (CSNBKTC) API verb.
After applying or removing this PTF, end and restart the HTTP
administration server.
THIS PTF CAN BE APPLIED IMMEDIATE OR DELAYED.
PTF/FIX NO(S). APAR TITLE LINE
SI52187 CCA-INCORROUT RE-ENCRYPT FUNCTION IN CCA CRYPTO GUI FAILS
APAR Fixed: BE00014
MRI Feature: NONE
12 April 2017