z/OS Trusted Key Entry Workstation Everything you need to get started quickly. Get started

The z/OS® Trusted Key Entry Workstation allows you to manage IBM Z® host cryptographic modules running in Common Cryptographic Architecture (CCA) or IBM Enterprise PKCS#11 (EP11) mode, using compliant-level hardware-based key management techniques. IBM Z host crypto modules must be managed according to strict policies, which are influenced by various legal, regulator, and compliance requirements. In many cases, the final policies must include dual control management and hardware-based master key part protection to pass internal and external security audits.

If you are new to the crypto world or having trouble defining your policy, no problem. TKE provides a set of wizards that help you define and implement a set of security policies for managing your TKE appliance and your host crypto modules.

Related solution Pervasive Encryption for IBM Z

Enable extensive encryption of data in-flight and at-rest.

Big picture 1. Install the TKE console and ensure that it is up and running. 2. Establish the security policies for your system. 3. Run the TKE Smart Card wizard to create all the smart cards needed by the other TKE wizards. 4. Run the TKE Workstation Logon Profile Wizard to manage access to the TKE workstation. 5. Run the other TKE security policy wizards to set up administrator access to manage host crypto modules. How to get started
Overview

Set up TKE by installing the console.

Planning

Identify the TKE console and plan to configure the TKE Cryptographic Coprocessor Adapter. (See Chapter 2 for information).

Steps

Install the TKE console, configure the TKE Cryptographic Coprocessor Adapter, connect it to the system, and perform any necessary maintenance.

TKE setup and customization
Overview

Establish the security policies for your system.

Defining your security policy Learn about TKE
Planning

After a TKE has been configured according to your TKE security policy, the TKE local crypto adapter contains user-defined profiles and sometimes user-defined roles.

TKE planning considerations z/OS Cryptographic Services ICSF Trusted Key Entry Workstation User's Guide
Steps

Update TCP/IP profiles for TKE, customize TKE Host Program started procs (delivered with ICSF), ensure RACF administration is complete, and start ICSF and TKE.

TKE setup and customization
Overview

After the service representative and the security administer have completed their tasks, use the TKE security policy wizards to implement security policies for managing access to the TKE workstation and managing host crypto modules.

Requirements TKE concepts and mechanisms Learn about TKE
Planning

Before using the TKE security policy wizards, analyze your environment and decide which of the policies you need to implement.

TKE planning considerations TKE operational considerations
Steps
  1. Run the TKE Smart Card Wizard to create all the smart cards needed by the other TKE security policy wizards. This wizard can also help you define your policies.
  2. Run the TKE Workstation Logon Profile Wizard to control access to the TKE workstation.
  3. Run the Setup Module Policy Wizard to control who can manage CCA legacy settings.
  4. Run the Setup PCI Environment Wizard to control who can manage CCA PCI-compliant domain settings.
  5. Run the Setup Module Policy Wizard to control who can manage EP11 module-wide settings.
  6. Run the Setup Domain Policy Wizard to control who can manage EP11 domain-specific settings.
TKE security policy wizards TKE best practices
Documentation z/OS Trusted Key Entry Workstation Documentation

Find a comprehensive collection of content about z/OS Trusted Key Entry Workstation.

Explore the collection
Technical resources

The TKE Hardware Support and Migration Information white paper introduces key concepts.

Read the document

Streamline Management of the IBM z Systems Host Cryptographic Module Using IBM Trusted Key Entry.

Read the redbook

Trusted Key Entry (TKE) Workstation publications

Read the TKE technical documentation

IBM z14 features enhance performance, encryption, and flexibility to accelerate your digital transformation.

Read the announcement

IBM Z Service Guide for Trusted Key Entry Workstations. Note: You need an IBM ID for Resource Link to view and download this publication.

Read the TKE service guide

TKE has a set of wizards for you to use to help manage your IBM Z host crypto modules.

Read the Hot Topics article
Initialize your new Trusted Key Entry (TKE)

This video shows you how to set up your TKE workstation using the Trusted Key Entry Workstation Setup Wizard.

Watch the video
Trusted Key Entry (TKE) CCA Playlist

An 8-video series that shows you everything you need to do in order to load master keys from the TKE product.

Watch the videos
IBM TKE easy way to migrate or clone a TKE workstation

This video shows you how to migrate or clone a TKE workstation.

Watch the video
Overview of the IBM TKE host crypto module migration feature

This video provides an introduction to the host crypto module migration feature of the IBM Trusted Key Entry (TKE) product.

Watch the video
Using Trusted Key Entry (TKE) to initialize smart cards

This video shows you how to initialize all the smart cards you will need to access your TKE workstation and manage CCA host crypto module and domains.

Watch the video
Create TKE local crypto adapter profiles using the TKE workstation logon profile wizard

This video shows you how to create the profiles you need to access your TKE workstation. These profiles are used when you open TKE applications and utilities.

Watch the video
Related solutions Pervasive Encryption for IBM Z

Enable extensive encryption of data in-flight and at-rest.

What's new

Links to IBM Documentation have been updated to use the z/OS 2.5 library.

The Big Picture section has been modified for accessibility.

The link to a Hot Topics article on the Other resources tab in the Technical resources section was updated to find the article in the archives of the new IBM Z Hot Topics website.

Rate this content solution