Page 1: Copy smart cards.docx

7/25/2019 Copy smart cards.docx

http://slidepdf.com/reader/full/copy-smart-cardsdocx 1/148

Copy smart cards

z/OS Cryptographic Services ICSF TKE Workstation User's Guide

SA23-2211-08

This function allows you to copy keys and key parts from one TKE smart card to another TKE smart card. You can copy these types of keys:

• Crypto adapter logon key

• TKE authority signature key

• ICSF operational key parts

• ICSF master key parts

• Crypto adapter master key parts

Notes:

1. The two TKE smart cards must be enrolled in the same zone; otherwise the copy will fail. To display the zone of a TKE smart card, exit from the TKE application and use either the Cryptographic Node Management Utility or the Smart Card Utility Program found in the Trusted Key Entry category's Applications list on the TKE Workstation Console. See Cryptographic Node Management Utility (CNM) or Smart Card Utility Program (SCUP).

2. To copy ECC key parts, the applet version of the target smart card must be 0.6 or greater.

To copy a smart card:

1. Select Copy smart card contents... from the Utilities menu.

A message box prompts you to “Insert source TKE smart card in smart card reader 1”.

2. Insert the source TKE smart card in smart card reader 1 and press OK.

A message box prompts you to “Insert target TKE smart card in smart card reader 2”.

3. Insert the target TKE smart card in smart card reader 2 and press OK.

The utility reads the TKE smart card contents. This may take some time. The card ID is displayed, followed by the card description. Verify that these are the TKE smart cards you want to work with.

The Copy smart card contents window lists the following information for a TKE smart card:

Card ID

Identification of TKE smart card

Zone description

Description of the zone in which the TKE smart card is enrolled

Card description

Description of the TKE smart card; entered when the smart card was personalized

Card contents

Key type, Description, Origin, MDC4, SHA1, ENC-Zero, AES-VP, Control Vector or Key Attributes (for operational keys only), and Length.

4. Highlight the keys that you want to copy. By holding down the control button on the keyboard, you can select specific entries on the list with your mouse. By holding down the shift button on the keyboard, you can select a specific range of entries on the list with your mouse. Click on the Copy button or right click and select Copy.

Note:

Smart card copy does not overwrite the target TKE smart card. If there is not enough room on the target TKE smart card, you will get an error message. You can either delete some of the keys on the target TKE smart card (see Manage smart cards) or use a different TKE smart card.

Figure 86. Select keys to copy

5. At the prompts, enter the PINs for the TKE smart cards on the smart card reader PIN pads. The keys will then be copied to the target TKE smart card. The target TKE smart card contents panel is refreshed.

Note:

You can display the key attributes associated with a CIPHER, EXPORTER, or IMPORTER AES operational key part stored on either the source or target smart card. Left click to select the key part, then right click to display a popup menu. Select the Display key attributes option to display the key attributes.

TKE Customization

After installation of the TKE workstation, the following parameters can be customized by using the TKE Preferences menu.

Blind Key Entry

Controls if key values entered at the TKE keyboard are displayed or hidden. With hidden entry, a character is displayed for each entered hexadecimal character. Ensure the menu item is checked if you want hidden entry; otherwise uncheck the menu item.

Removable Media Only

Limits file read and write operations to removable media only.

When this box is selected, any TKE application files that are being accessed through a floppy disk are read-only. On the other hand, files being accessed from either DVD-RAM or a USB flash memory drive can be either read-only or writable. For DVD-RAM, when you mount the DVD drive through the TKE Media Manager, you specify whether you want to activate it as read-only or writable. For a USB flash memory drive, the drive is automatically mounted and is both readable and writable.

When unchecked, the TKE data directory on the TKE local hard drive can also be used for file read / write operations.

Enable Tracing

Activates the trace facility in TKE. The output can be used to help debug problems with TKE. Do not check this menu item unless an IBM service representative instructs you to do so.

When checked, TKE produces a trace file named trace.txt in the TKE Data Directory. Every time TKE is restarted, the trace.txt file is overwritten and a new file is created.

Enable Smart Card Readers

Enables the smart card option for TKE.

If the menu item is unchecked, TKE will hide all smart card options from the user.

Note:

The TKE application must be closed and reopened for this change to become effective.

Crypto Module Notebook

Once you select a crypto module, group of crypto modules, or a domain group, the crypto module notebook opens on the General tabular page.

The Crypto Module Notebook is the central point for displaying and changing all information related to a crypto module. It is used for single crypto modules, as well as for groups of modules and domain groups. The contents of some of the pages will vary depending on whether you have selected a single crypto module, a group of crypto modules, or a domain group.

Figure (number illegible). Crypto Coprocessor Crypto Module Administration Notebook - General Page

Note:

Many screen captures show Smart Card as an option. If you are not using smart card support, Smart Card will not be an option for selection on the applicable windows.

Notebook Mode

The notebook is opened in one of four possible modes:

• UPDATE MODE

• READ-ONLY MODE

• PENDING COMMAND MODE

• LOCKED READ-ONLY MODE - group notebooks only

The mode is displayed in the lower right hand corner on all of the Crypto Module Notebook pages.

In UPDATE MODE, you are able to display crypto module information and to perform updates to the crypto module.

In READ-ONLY MODE, you are able to display crypto module information but not update it.

In PENDING COMMAND MODE, a command is waiting to be co-signed. A multi-signature command issued by an authority, but not yet executed, is called a pending command. You must perform the co-sign. You cannot issue other commands in this mode. For information about co-signing a pending command, refer to Crypto Module Notebook Co-Sign Tab.

In LOCKED READ-ONLY MODE, you are able to display crypto module information for the master module and to compare the reduced group of crypto modules. You are not allowed to do updates. TKE was not able to access one or more crypto modules of the group or domain group.

Crypto Module Notebook Function Menu

The selections under the Function pull-down menu are:

• Refresh Notebook - The content of the notebook is refreshed by reading information from the host. Be aware that performing a refresh may change the mode of the notebook.

• Change Signature Index - The authority signature index for the currently loaded authority signature key can be changed. An authority may use the same authority signature key on different hosts but be known by a different authority index on each host. Since the authority signature key is active until another authority signature key is loaded, the authority can change his/her signature index to administer different hosts.

• Release Crypto Module - A window displays the user ID that currently has this crypto module open. This selection releases the crypto module from the update lock. This selection is only active if the notebook is in read-only mode.

Figure 88. Window to Release Crypto Module

You can confirm release of the crypto module by pressing Yes.

Warning:

Releasing a crypto module can damage an on-going operation initiated by another authority. Use this option only if you are certain that the crypto module must be released.

• Compare Group - This selection is only displayed if working with a group of modules or a domain group. For more information, see Comparing Crypto Module Groups.

• Close - This selection closes the Crypto Module Notebook.

Tabular Pages

For the host cryptographic modules, the tabular pages available are:

• General - see Crypto Module Notebook General Tab.

• Details - see Crypto Module Notebook Details Tab.

• Roles - see Crypto Module Notebook Roles Tab.

• Authorities - see Crypto Module Notebook Authorities Tab.

• Domains - see Domains Keys Page.

• Co-sign - see Crypto Module Notebook Co-Sign Tab.

As discussed previously, the notebook opens to the General tab.

The contents of this page are:

• Description

An optional free text description displayed in the crypto module container at the main window. This description is saved in the crypto module data set specified in the TKE host transaction program started procedure on the host. In order to change the description, edit the field contents and press Send updates.

• Host or Group ID

• Host or Group Description

• Crypto Module Index

Together with the crypto module type, the index uniquely identifies the crypto module within a host. The index value is 0 through 63. There is no crypto module index for a crypto module group or a domain group.

• Crypto Module Type

• Status

A crypto module is either enabled or disabled. When a supported crypto module (CEX2C or CEX3C) is enabled, it is available for processing. You can change the status of the module by pressing the Enable Crypto Module / Disable Crypto Module button. Enable Crypto Module is a dual-signature command and another authority may need to co-sign. Disable Crypto Module is a single signature command.

Disabling a crypto module disables all the cryptographic functions for a single crypto module, a group of crypto modules, or a domain group. This disables the crypto module for the entire system, not just the LPAR that issued the disable.

If you press the Disable Crypto Module button, a series of windows opens. You are asked if you are sure you want to disable the module, and are then notified if the command executes successfully. If the authority signature key has not been loaded, you will be asked, through a series of windows, to load an authority signature key. Once the module is disabled, the Enable Crypto Module/Disable Crypto Module button changes from Disable Crypto Module to Enable Crypto Module.

Intrusion Latch

Under normal operation, a cryptographic card's intrusion latch is tripped when the card is removed. This causes all installation data, master keys, retained keys, roles and authorities to be zeroized in the card when it is reinstalled. Any new roles and authorities are deleted and the defaults are recreated. The setting for TKE Enablement is also returned to the default value of Denied when the intrusion latch is tripped.

A situation may arise where a cryptographic card needs to be removed. For example, you may need to remove a card for service. If you do have to remove a card, and you do not want the installation data to be cleared, perform the following procedure to disable the card. This procedure will require you to switch between the TKE application, the ICSF Coprocessor Management panel, and the Support Element.

1. Open an Emulator Session on the TKE workstation and log on to your TSO/E user ID on the Host System where the card will be removed.

2. From the ICSF Primary Option Menu, select Option 1 for Coprocessor Management.

3. Leave the Coprocessor Management panel displayed during the rest of this procedure. You will be required to hit ENTER on the Coprocessor Management panel at different times. DO NOT EXIT this panel.

4. Open the TKE Host where the card will be removed. Open the crypto module notebook for the CEX2C or CEX3C. Click on the Disable Crypto Module button.

5. After the crypto module has been disabled within TKE, hit ENTER on the ICSF Coprocessor Management panel. The status should change to DISABLED.

Note:

You do not need to deactivate a disabled card before configuring it OFFLINE.

6. Configure Off the card from the Support Element. The Support Element is a dedicated workstation used for monitoring and operating IBM System z hardware. A user authorized to perform actions on the Support Element must complete this step.

7. After the card has been taken Offline, hit ENTER on the Coprocessor Management panel. The status should change to OFFLINE.

8. Remove the card. Perform whatever operation needs to be done. Replace the card.

9. Configure On the card from the Support Element. The Support Element is a dedicated workstation used for monitoring and operating IBM System z hardware. A user authorized to perform actions on the Support Element must complete this step.

10. When the initialization process is complete, hit ENTER on the Coprocessor Management panel. The status should change to DISABLED.

11. From the TKE Workstation Crypto Module General page, click on the Enable Crypto Module button.

12. After the card has been enabled from TKE, hit ENTER on the Coprocessor Management panel. The Status should return to its original state. If the Status was ACTIVE in step 2, when the card is enabled it should return to ACTIVE.

All installation data, master keys, retained keys, roles, and authorities should still be available. The data was not cleared with the card removal because it was DISABLED first via the TKE workstation.

Crypto Module Notebook Details Tab

The Details tab contains four pages, two for crypto modules and two for crypto module and diagnostic information. These four pages are accessible through tabs found on the right side of the Details tab screen. To view these pages, click on the corresponding tabs. The pages and their contents are:

• Crypto Module -

  o Crypto Module ID - Unique identifier burnt into the crypto module during the manufacturing process.

  o Public Modulus - The public modulus of the RSA key pair associated with the crypto module. The public portion of the RSA key pair is used to verify signed replies from the crypto module.

  o Key Identifier - Identifies the RSA key pair associated with the crypto module. The key identifier is the SHA-256 hash of the DER-encoded public modulus and public exponent of the RSA key pair.

  o Signature Sequence Number - Each signed reply from the crypto module contains a unique sequence number; the current value is displayed.

  o Hash pattern of transport key - MDC-4 value of the current Diffie-Hellman generated transport key for this crypto module

• Crypto Services (Function Control Vector Values)

  o Base CCA services availability

  o CDMF availability

  o 56-bit DES availability

  o Triple DES availability

  o 128-bit AES availability

  o 192-bit AES availability

  o 256-bit AES availability

  o SET services

  o Maximum length of RSA keys used to encipher DES keys

  o Maximum elliptic curve field size in bits for key management

• Other CM Info - The following crypto module information is displayed:

  o CCA Version

  o CCA Build Date

  o DES Hardware Level

  o RSA Hardware Level

  o Power-On Self Test Version (0,1,2)

  o Operating System Name

  o Operating System Version

  o Part Number

  o Engineering Change Level

  o Miniboot Version (0,1)

  o Adapter ID

  o Processor Speed

  o Flash Memory Size

  o Dynamic RAM Memory Size

  o Battery-Backed Memory Size

• Diagnostic Info - The following diagnostic information is displayed:

  o Intrusion Latch

  o Battery State

  o Error Log Status

  o Command Information

The settings in the Crypto Module Details tab are loaded during crypto module initialization.
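Worked example for the Key Identifier field listed above. This is an added example, not IBM code: it assumes that "DER-encoded public modulus and public exponent" means the PKCS#1 RSAPublicKey SEQUENCE of the two INTEGERs (the page does not spell the structure out), and the sample modulus is constructed, not a real module's key.

```python
import hashlib
import hmac

# Assumption (not stated on this page): the hashed DER structure is the PKCS#1
# RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }.
# The DER encoder is written out by hand so the example has no dependencies.


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value: minimal big-endian bytes, with a
    leading 0x00 when the top bit is set so the value is not read as negative."""
    if value < 0:
        raise ValueError("RSA modulus and exponent are non-negative")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def der_sequence(*elements: bytes) -> bytes:
    content = b"".join(elements)
    return b"\x30" + der_length(len(content)) + content


def rsa_public_key_der(modulus: int, exponent: int) -> bytes:
    return der_sequence(der_integer(modulus), der_integer(exponent))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def key_identifier(modulus: int, exponent: int) -> str:
    """SHA-256 over the DER-encoded public key, as hex: the value the Details
    tab shows as Key Identifier (under the assumption above)."""
    return sha256_hex(rsa_public_key_der(modulus, exponent))


def matches_displayed(displayed: str, modulus: int, exponent: int) -> bool:
    """Compare a Key Identifier read off the notebook with one recomputed from
    a modulus obtained through another channel. A mismatch means the public
    key you were handed is not the one that signs this module's replies."""
    shown = displayed.replace(" ", "").lower()
    return hmac.compare_digest(shown, key_identifier(modulus, exponent))


# Constructed sample values (not a real crypto module key): a 2048-bit modulus
# built from a fixed byte pattern, and the usual public exponent 65537.
SAMPLE_MODULUS = int("c3" * 256, 16)
SAMPLE_EXPONENT = 65537

if __name__ == "__main__":
    print(key_identifier(SAMPLE_MODULUS, SAMPLE_EXPONENT))
```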

Crypto Module Notebook Roles Tab

The supported crypto modules use role-based access control. In a role-based system, the administrator defines a set of roles which correspond to the classes of coprocessor users. Each authority is mapped to one role. In the container, currently defined roles are displayed by their ROLE IDs and Descriptions. You can create, change or delete a role.

A role-based system is more efficient than one in which the authority is assigned individually for each user. In general, the users can be separated into just a few different categories of access rights. You can separate access to domains. You can also control the loading of a two-part key, requiring two different authorities to complete that task.

INITADM is a predefined role available on your system, assigned to authority 0. It was created with both an Issue access control point and a Co-sign access control point. Having a predefined authority with both the Issue and Co-sign access control points enabled allows you to create the necessary roles and profiles for the crypto modules using just one authority, rather than requiring an extra authority to co-sign.

Once other roles and authorities are defined, you may choose to assign a different role to Authority 0.

Multi-Signature Commands

Multi-signature commands for the supported crypto modules always require two signatures. The authority authorized to issue the command automatically signs. A signature from the authority authorized to co-sign the command is also required.

If a role has both issue and co-sign authority for a multi-signature command, then the authority assigned to the role automatically co-signs the command after issuing it. A role is assigned issue or co-sign authority or both when the role is created or changed.

There are four dual-signature commands:

• Enable crypto card - This command is issued from the General tab when changing the crypto module state.

• Access Control - This command is issued from:

  o Create New/Change Role windows - when creating or changing a role

  o Role Tab - when deleting a role

  o Create New/Change Authority windows - when creating or changing an authority

  o Authorities Tab - when deleting an authority

• Zeroize domain - This command is issued from the Domain General page when zeroizing a domain.

• Domain controls - This command is issued from the Domain Controls page when updating control settings.
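The issue/co-sign rules of this section and the role rules of the Roles tab section (INITADM on authority 0, pending command mode, no deletion of a role that still has authorities), worked through as a small Python model. This is an added example, not IBM code: the command and role names come from the page; the class names, the ZEROIZE role and the authority indexes are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Command names as this page lists them (single-signature list abbreviated).
DUAL_SIGNATURE = {"Enable crypto card", "Access Control",
                  "Zeroize domain", "Domain controls"}
SINGLE_SIGNATURE = {"Disable crypto card", "Set asymmetric master key",
                    "Load first key part", "Combine middle key parts",
                    "Combine final key part", "Complete key"}


@dataclass
class Role:
    # Access control points: commands the role may issue / may co-sign.
    role_id: str
    issue: Set[str] = field(default_factory=set)
    cosign: Set[str] = field(default_factory=set)


@dataclass
class CryptoModuleModel:
    # Hypothetical model of one crypto module (names mine, rules the page's).
    roles: Dict[str, Role]
    authorities: Dict[int, str]                 # authority index -> role id
    pending: Optional[Tuple[str, int]] = None   # (command, issuing authority)
    executed: List[Tuple[str, int, Optional[int]]] = field(default_factory=list)

    def mode(self) -> str:
        # The notebook shows PENDING COMMAND MODE while a co-signature is owed.
        return "PENDING COMMAND MODE" if self.pending else "UPDATE MODE"

    def issue(self, authority: int, command: str) -> str:
        if self.pending:
            raise PermissionError("no other command may be issued while one is pending")
        role = self.roles[self.authorities[authority]]
        if command not in role.issue:
            raise PermissionError(f"role {role.role_id} may not issue {command}")
        if command in SINGLE_SIGNATURE:
            self.executed.append((command, authority, None))
            return "executed"
        if command in role.cosign:
            # Issue and co-sign in one role: the issuer co-signs automatically.
            self.executed.append((command, authority, authority))
            return "executed"
        self.pending = (command, authority)
        return "pending"

    def cosign(self, authority: int) -> str:
        if self.pending is None:
            raise ValueError("nothing to co-sign")
        command, issuer = self.pending
        role = self.roles[self.authorities[authority]]
        if command not in role.cosign:
            raise PermissionError(f"role {role.role_id} may not co-sign {command}")
        self.executed.append((command, issuer, authority))
        self.pending = None
        return "executed"

    def delete_role(self, role_id: str) -> None:
        # Delete or reassign every authority mapped to the role first.
        holders = [a for a, r in self.authorities.items() if r == role_id]
        if holders:
            raise ValueError(f"authorities {holders} still use role {role_id}")
        del self.roles[role_id]


def fresh_module() -> CryptoModuleModel:
    # Default state: INITADM, holding every issue and co-sign point, on authority 0.
    initadm = Role("INITADM", issue=DUAL_SIGNATURE | SINGLE_SIGNATURE,
                   cosign=set(DUAL_SIGNATURE))
    return CryptoModuleModel({"INITADM": initadm}, {0: "INITADM"})


def walkthrough() -> dict:
    """Auto co-sign, pending mode, co-sign by a second authority, role deletion."""
    cm = fresh_module()
    out = {"initadm_access_control": cm.issue(0, "Access Control")}
    # Hypothetical operator role: may issue Zeroize domain but not co-sign it.
    cm.roles["ZEROIZE"] = Role("ZEROIZE", issue={"Zeroize domain", "Disable crypto card"})
    cm.authorities[1] = "ZEROIZE"
    out["zeroize_issue"] = cm.issue(1, "Zeroize domain")
    out["mode_while_pending"] = cm.mode()
    try:
        cm.issue(1, "Disable crypto card")
        out["blocked_while_pending"] = False
    except PermissionError:
        out["blocked_while_pending"] = True
    out["zeroize_cosign"] = cm.cosign(0)
    out["mode_after"] = cm.mode()
    try:
        cm.delete_role("ZEROIZE")
        out["delete_with_holder"] = "deleted"
    except ValueError:
        out["delete_with_holder"] = "refused"
    cm.authorities[1] = "INITADM"   # reassign, after which the delete is allowed
    cm.delete_role("ZEROIZE")
    out["roles_left"] = sorted(cm.roles)
    out["executed"] = cm.executed
    return out
```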

Single Signature Commands

The following commands require only one signature:

• Disable crypto card

• Set asymmetric master key

• Load first key part - DES-MK, AES-MK, ASYM-MK, and ECC-MK

• Combine middle key parts - DES-MK, AES-MK, ASYM-MK, and ECC-MK

• Combine final key part - DES-MK, AES-MK, ASYM-MK, and ECC-MK

• Clear new master key register - DES-MK, AES-MK, ASYM-MK, and ECC-MK

• Clear old master key register - DES-MK, AES-MK, ASYM-MK, and ECC-MK

• Load first key part - DES Operational Keys

• Load additional key part - DES Operational Keys

• Complete key - DES Operational Keys

• Clear operational key register - DES Operational Keys

• Load first key part - AES Operational Keys

• Load additional key part - AES Operational Keys

• Complete key - AES Operational Keys

• Clear operational key register - AES Operational Keys

• Change default key wrapping - wrap internal keys using enhanced method

• Change default key wrapping - wrap internal keys using original method

• Change default key wrapping - wrap external keys using enhanced method

• Change default key wrapping - wrap external keys using original method

• Decimalization Tables - Load Decimalization Tables

• Decimalization Tables - Delete Decimalization Tables

• Decimalization Tables - Activate Decimalization Tables

Creating or Changing a Role

When you right click in the Roles tab container, a pop-up menu appears and you can select Create, Change or Delete.

Figure (number illegible). Create New Role Page

If you select Create or Change from the pop-up menu, a window opens displaying the following fields and elements:

• Role ID – Enter the Role ID. If you are creating a new role you must fill in a name for that role. If you are changing a role, you cannot change this field.

• Description – Optional free text description.

• Tree structure and check boxes – Navigate the tree structure and mark the boxes you require for the role. Following is a list of role categories that can be selected, depending on what the role requires:

  o Crypto Module Enable

  Choose whether the role can disable the crypto card, issue the enable crypto card command, or co-sign the enable crypto card command.

  o Access Control

  Choose whether the role can issue the access control command or co-sign the access control command (needed for creating roles and profiles).

  o AES Master Key

  Choose whether the role can load the first key part, combine middle key parts, combine final key part, clear new AES master key registers, or clear old AES master key registers.

  o ECC Master Key

  Choose whether the role can load the first key part, combine middle key parts, combine final key part, clear new ECC master key registers, or clear old ECC master key registers.

  o DES Master Key

  Choose whether the role can load the first key part, combine middle key parts, combine final key part, clear new DES master key registers, or clear old DES master key registers.

  o Asymmetric Master Key

  Choose whether the role can load the first key part, combine middle key parts, combine final key part, clear new asymmetric master key registers, clear old asymmetric master key registers, or set the asymmetric master key.

  o Domain Zeroize

  Choose whether the role can issue a zeroize domain command or co-sign a zeroize domain command.

  o Domain Controls

  Choose whether the role can issue a domain controls change or co-sign a domain controls change (needed for administering access to ICSF panel services, access control points for ICSF callable services, and access to User Defined Extensions (UDX)).

  o AES Operational Key

  Choose whether the role can load First and Additional key parts to AES key part registers, complete key part registers or clear key part registers.

  o AES KEK and Cipher Keys

  Choose whether the role can load First and Additional key parts to AES KEK and Cipher key part registers, complete key part registers, or clear key part registers.

  o DES Operational Key

  Choose whether the role can load First and Additional key parts to DES key part registers, complete key part registers or clear key part registers.

  o Change Default Key Wrapping

  Choose the default key wrapping changes allowed by the role.

  o Configuration Migration

  Choose if the role is allowed to perform configuration migration operations.

  o Domain Access

  Choose the domains this role can access.

Check boxes for operations that are not supported on the crypto module do not appear. Operations on AES master keys and AES operational keys are only supported on CEX2C crypto modules (with Nov. 2008 or later licensed internal code) or on CEX3C crypto modules (with FMID HCR7770 or later of ICSF). Operations on ECC master keys and default key wrapping are only supported on CEX3C crypto modules (with FMID HCR7780 or later of ICSF and CCA level 4.1.0 or later). Operations on AES KEK and Cipher keys are only supported on CEX3C crypto modules (with FMID HCR7790 or later of ICSF and CCA level 4.2 or later).

Press Send Updates. This is a dual-signature command and another authority may need to co-sign.

Deleting a Role

You can choose a crypto module and delete a role. TKE ensures that access to the crypto module is not lost when the role is deleted.

You must delete or reassign all authorities associated with a role before you delete the role.

enerating "!thority Signat!re Keys

z/OS Cryptographic Services ICSF TKE Workstation User's !ide

S"#$%##&&%(

-o! generate and save an a!thority signat!re key 0y right%c*icking in the "!thorities

container and se*ecting the !enerate Signature "ey action,

The enerate Signat!re Key +indo+ is disp*ayed,

Fo**o+ this proced!re.

&, Enter &uthority inde", This is a mandatory )ie*d +ith the inde3 o) the a!thority,

<a*id range is thro!gh , The a!thority inde3 +i** 0e saved +ith the key and is

ca**ed the ;e)a!*t "!thority inde3, The ;e)a!*t "!thority inde3 )or a saved a!thority

signat!re key can 0e overridden +hen the a!thority signat!re key is *oaded,

#, Enter Name2 -hone2 *'mail2 &ddress and Description to identi)y the a!thority,

These are optiona* )ree te3t )ie*ds, The in)ormation that yo! enter here is saved +iththe key, It +i** 0e )i**ed in a!tomatica**y +hen the key is se*ected )or creating a ne+

a!thority, 5ress Continue,

Fig!re &, Fi**ed In generate signat!re key +indo+ 

$, " Se*ect Target dia*og 0o3 is disp*ayed2 ena0*ing yo! to se*ect the target destination

)or the generated key, "!thority signat!re keys can 0e saved to a binary file or keystorae2 or generated and saved on a )K* smart card, 4ake yo!r se*ection and

Page 20: Copy smart cards.docx

7/25/2019 Copy smart cards.docx

http://slidepdf.com/reader/full/copy-smart-cardsdocx 20/148

 press Continue,

>, Se*ect the *ength o) the a!thority signat!re key yo! +ant to generate, The *ength

choices +i** vary depending on the signat!re key target, I) the signat!re key target is a

smart card2 yo! can generate &#>%0it or #>(%0it a!thority signat!re keys, I) thesignat!re key target is a 0inary )i*e or key storage2 yo! can generate &#>%0it2 #>(%

 0it2 or >8%0it a!thority signat!re keys,

B, I) the a!thority signat!re key is to 0e saved to a binary file2 a pass+ord and )i*e name

are reG!ired to encrypt and save the key )i*e, ")ter saving the a!thority signat!re key

and in)ormation to a 0inary )i*e or key storage2 yo! are prompted to save the key

again, It is not recommended that yo! save it again,

Fig!re #, Save a!thority signat!re key 

Warnings.

a, I) the )i*e is saved to ;<;%"42 yo! m!st deactivate the C;/;<; drive

 0e)ore removing the ;<;%"4 disc, For detai*s on deactivating media see

TKE 4edia 4anager ,

Page 21: Copy smart cards.docx

7/25/2019 Copy smart cards.docx

http://slidepdf.com/reader/full/copy-smart-cardsdocx 21/148

b. Do not remove a USB flash memory drive from the USB port before you complete the operation that is using the drive, or before you respond to a message related to the operation that is using the drive. If you do remove a drive before the operation is complete, hardware messages may be generated on the TKE workstation.

6. If the key is to be generated and saved on a TKE smart card, a message box displays, prompting you to Insert TKE smart card in smart card reader 2.

a. Insert the TKE smart card into Smart Card Reader 2. Press OK.

b. When the authority signature key is generated and saved to a TKE smart card, it is protected by the PIN of the TKE smart card. A message box will prompt you to "Enter a 6 digit PIN on smart card reader 2 PIN pad". Enter the PIN as prompted.

Note:

If the TKE smart card was created on a version of the TKE Workstation prior to version 7.0, the PIN of the TKE smart card will be 4 digits instead of 6 digits.

The authority signature key is generated on the TKE smart card and a successful message is displayed.

Figure 3. Generate signature key

When generating and saving an authority signature key on a TKE smart card, you are not given the option to save it again. You should use the Copy smart card contents utility to save the signature key again. See Copy smart cards.

Each TKE smart card can hold only one authority signature key.

7. If the keys are to be saved in Key Storage, note that only one authority signature key can be stored in PKA key storage.


Figure 4. Key saved status message

Create Authority


This selection allows you to create an authority at the host and select its authority signature key. Before you can create a new authority, you need to generate an authority signature key (see Generating Authority Signature Keys).

To create an authority, click with the right mouse button in the container on the Authorities page. A popup menu displays. From this menu, select the Create Authority menu item.

The Select Source window opens, enabling you to specify the authority signature key source. Make your selection and press the Continue button.

Figure 5. Select source of authority signature key


• If you select Key storage, the key and accompanying information from key storage appears in the Create New Authority window.

• If you select Smart card in reader 1 or Smart card in reader 2, you are prompted to insert the TKE smart card into the appropriate reader. Insert the smart card into the reader, and press OK.

A message box will prompt you to enter the TKE smart card PIN. Enter the PIN as prompted.

Once the PIN has been verified, the Create New Authority window appears.

Figure 6. Create new authority


• If you select Binary file, the Load Signature Key window is displayed. You are prompted for the signature key file to load and password before the Create New Authority window appears.

Warnings:

1. If the file is loaded from a floppy or CD/DVD, you must deactivate the floppy or CD/DVD drive before removing the diskette or disc. If the diskette is removed prior to deactivating the drive, data could be lost or corrupted. For details on deactivating media see TKE Media Manager.

2. Do not remove a USB flash memory drive from the USB port before you complete the operation that is using the drive, or before you respond to a message related to the operation that is using the drive. If you do remove a drive before the operation is complete, hardware messages may be generated on the TKE workstation.

Figure 7. Load Signature Key from binary file


• If you select Default key from the Select Source dialog, the word Default is automatically placed in the Name field of the Create New Authority window.

Figure 8. Create New Authority with Role Container


The Create New Authority window is opened with the following authority information read from the signature key source:

1. Authority index - This is a mandatory field with the index of the authority. Valid range is 0 through 99. If the authority signature key is going to be used on several crypto modules, it simplifies matters to use the same authority index for all crypto modules.

2. Name - Name of the authority. Optional free text entry field.

3. Phone - Phone number of the authority. Optional free text entry field.

4. E-mail - E-mail address for the authority. Optional free text entry field.

5. Address - Address of the authority. Optional free text entry field.

6. Description - Description of the authority. Optional free text entry field.

7. Signature key - Public modulus of the authority signature key.


8. Key Length - Length of the authority signature key.

9. Key Identifier - Identifier for the authority signature key associated with the authority. The key identifier is the SHA-256 hash of the DER-encoded public modulus and public exponent of the authority signature key.
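The key identifier in item 9 can be recomputed from a public key you already hold and compared with the value the TKE window shows, which is a useful check that the authority record points at the key you expect. The Python below is an added example, not code from this guide or from IBM; it assumes the DER structure is the PKCS#1 RSAPublicKey SEQUENCE of the two INTEGERs (the guide does not spell the structure out) and uses a small constructed modulus rather than a real signature key.

```python
import hashlib

# Assumption (not stated in the guide): the DER structure that is hashed is
# the PKCS#1 RSAPublicKey layout, SEQUENCE { INTEGER modulus, INTEGER exponent }.


def der_length(length):
    """Encode a DER length: short form below 128, long form otherwise."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """Encode a non-negative integer as a DER INTEGER (tag 0x02)."""
    if value < 0:
        raise ValueError("RSA public parameters are non-negative")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # keep the two's-complement sign bit clear
    return b"\x02" + der_length(len(body)) + body


def der_sequence(*elements):
    """Wrap already-encoded elements in a DER SEQUENCE (tag 0x30)."""
    body = b"".join(elements)
    return b"\x30" + der_length(len(body)) + body


def rsa_public_key_der(modulus, exponent):
    """DER-encoded public modulus and public exponent of a signature key."""
    return der_sequence(der_integer(modulus), der_integer(exponent))


def key_identifier(modulus, exponent):
    """SHA-256 of the DER-encoded public key, as lowercase hex."""
    return hashlib.sha256(rsa_public_key_der(modulus, exponent)).hexdigest()


def matches_displayed(modulus, exponent, displayed):
    """Compare a recomputed identifier with one read off the TKE window.

    The displayed value may be upper case or split into groups by spaces,
    so it is normalised before the comparison.
    """
    normalised = "".join(displayed.split()).lower()
    return normalised == key_identifier(modulus, exponent)


# Constructed demonstration values, not a real authority signature key.
DEMO_MODULUS = 0xC0FFEE
DEMO_EXPONENT = 65537

if __name__ == "__main__":
    print("DER:", rsa_public_key_der(DEMO_MODULUS, DEMO_EXPONENT).hex())
    print("Key identifier:", key_identifier(DEMO_MODULUS, DEMO_EXPONENT))
```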

You can edit all of the entry fields.

In the Role container there is a drop-down list. Select one of the previously defined roles. The authority is mapped to the access rights of that role. This is available only when creating or changing a crypto module authority.

Press Send updates. This is a dual signature command. If you do not have both sign and co-sign authority, another authority will be required to co-sign.

The authority information (name, phone, e-mail and address) is saved in the crypto module dataset specified in the TKE host transaction program started procedure on the host.

Change Authority


This selection opens the Change Authority window, allowing you to change authority information, change the role, and replace the authority signature key.

Figure 9. Change Authority


When an authority is selected, you will be able to update the Name, Phone, E-mail, Address and Description fields. You can change the Role definition by clicking on the pull-down menu and selecting a different role. You can change the authority signature key by clicking on Get Signature Key.

Get Signature Key opens a Select Source window and a Load Signature Key window. The contents of the selected key file replace the contents of the Change Authority window except for the index.

Send updates uploads the information displayed at the window to the crypto module. The authority information (name, phone, e-mail and address) is updated in the crypto module dataset specified in the TKE host transaction program started procedure on the host.

Delete Authority


The supported crypto modules operate with a variable number of TKE authorities (TKEAUTxx profiles). TKE allows a user to delete an authority from a crypto module. TKE performs a consistency check of the resulting TKE roles and profiles to ensure that access to the crypto module is not lost when the profile is deleted.

Crypto Module Notebook Domains Tab


The Domains tab defines the domains that can have AES, ECC, DES and Asymmetric master keys and operational keys loaded and changed, as well as providing domain controls.

The Domains tab holds general information about each domain. There are 16 tabs on the right hand side, one for each domain.

Domains General Page


The Domains General page appears when you select a domain. Each domain has four associated pages: the General page, the Keys page, the Controls page, and the Dec Tables page. From the Domains General page, you can update the description, zeroize the domain, and discard changes.

Figure 10. Domains General Page


To change the description, edit the entry field and press Send updates. The description is saved in the crypto module data set specified in the TKE host transaction program started procedure on the host.

To change the default key wrapping methods used for the domain, select the desired methods for external and internal formatted tokens and press Send updates.

Zeroize Domain

Zeroizing a domain erases its configuration data and clears all cryptographic keys and registers for the current domain.

Selecting Zeroize domain... results in the display of an action (warning) message. By accepting the message, the domain is zeroized. That is, all registers and keys related to this domain are set to zero or set to not valid.


If you are reassigning a domain for another use, it is a good security practice to zeroize that domain before proceeding.

When a domain is zeroized, the domain's controls are reset to their initial state.

Note:

Unlike the Global Zeroize issued from the Support Element, Zeroize Domain does not affect the enablement of TKE Commands on the supported crypto modules (CEX2C and CEX3C). Refer to TKE Enablement.

Domains Keys Page


This page displays master key status information and allows you to generate, load, set, and clear domain key registers.

The upper part of the window displays the status and hash patterns for the AES, ECC, DES, and Asymmetric key registers.

If you have implemented smart card support, make sure that the TKE workstation crypto adapter and the TKE smart cards are in the same zone. To display the zone of a TKE smart card, exit from TKE and use either the Cryptographic Node Management Utility or the Smart Card Utility Program under Trusted Key Entry Applications. See Display smart card details or Smart Card Utility Program (SCUP).

Figure 101. Domains Keys Page


The lower part of the Domains Keys page allows you to select the key type with which you wish to work. Select the key type you will be working with from the Key Type container. Each key type supports various actions. Not all actions are available for all key types. Table 30 illustrates the possibilities for the supported crypto modules.

Table 30. Key types and actions for the supported crypto modules

Columns: Key Type | Popup | Sub-popup | Action Description

Key Type: AES Master Key, ECC Master Key, DES Master Key, Asymmetric Master Key

  Popup: Generate single key part
    Action: Generate one master key part and store it on a TKE smart card or save it to a binary or print file.

  Popup: Generate multiple key parts to ...
    Sub-popup: Smart card, Binary file, Print file
    Action: Run a wizard-like feature to generate a user specified number of master key parts and store them on TKE smart cards or save them to binary or print files.
    Note: You can use the same smart card or switch smart cards between key part generations.

  Popup: Load single key part
    Sub-popup: First, Intermediate, Last
    Action: Load one key part into the appropriate "new" master key register.
    Notes:
    1. To load a first part, the "new" master register status must be "empty".
    2. To load an intermediate or last part, the "new" master register status must be "part full" (partially full).

  Popup: Load all key parts from
    Sub-popup: Smart card, Binary file, Print file
    Action: Run a wizard-like feature to load an entire "new" master key register. At the beginning of the process, you specify the total number of key parts and have the option of clearing the "new" master key register.
    Note: No new security controls are introduced by this feature. ALL authority and dual control requirements you put in place remain in effect. It takes the same number of people to load an entire key using this procedure as it does loading an entire key one part at a time.

  Popup: Clear
    Sub-popup: New Master Key Register, Old Master Key Register
    Action: Clear the new or old master key register. The status of the register will be "empty" when the operation is complete.

  Popup: Set (Option only shown on Asymmetric MK)
    Action: Sets the new asymmetric master key.
    Notes:
    1. If you are running HCR7790 or later, you will no longer be able to set the asymmetric master key from the TKE. The set must be done from ICSF.
    2. The current ASYM-MK is transferred to the old ASYM-MK register.
    3. The new ASYM-MK register is transferred to the current ASYM-MK register.
    4. The new ASYM-MK register is reset to zeros.

  Popup: Secure key part entry
    Action: Enter known key part value to a TKE smart card; see Appendix A. Secure Key Part Entry.

Key Type: DES or AES Operational Keys

  Popup: Generate single key part
    Action: Generate one key part and store it on a TKE smart card or save it to a binary or print file.

  Popup: Generate multiple key parts to ...
    Sub-popup: Smart card, Binary file, Print file
    Action: Run a wizard-like feature to generate a user specified number of key parts and store them on TKE smart cards or save them to binary or print files.
    Note: You can use the same smart card or switch smart cards between key part generations.

  Popup: Load single key part
    Sub-popup: First, First (minimum of 2 parts), First (minimum of 3 parts), Add part, Complete
    Note: The First (minimum of x parts) options are only shown on Operational Keys - AES key types EXPORTER, IMPORTER, and CIPHER.
    Action: Load one key part into a key part register.
    Notes:
    1. The minimum number of parts for the load single key part -> first is 2.
    2. When the first key part is loaded, you must enter a unique register label.
    3. You can only add parts to an existing register label.
    4. You can only complete a register when it has met its minimum parts requirement.

  Popup: Load to Key Storage
    Note: Options only shown on DES operational key types IMPORTER or IMP-PKA.
    Sub-popup: First, Intermediate, Last
    Action: Load a key part to the TKE workstation's DES key storage.

  Popup: Load all key parts from
    Sub-popup: Smart card, Binary file, Print file
    Action: Run a wizard-like feature to load an entire operational key register. At the beginning of the process, you specify the total number of key parts and have the option of clearing the "new" master key register.
    Note: No new security controls are introduced by this feature. ALL authority and dual control requirements you put in place remain in effect. It takes the same number of people to load an entire key using this procedure as it does loading an entire key one part at a time.

  Popup: View
    Action: View key part register information.

  Popup: Clear
    Action: Clear (reset) the operational key part register.

  Popup: Secure key part entry
    Action: Enter known key part value to a TKE smart card; see Appendix A. Secure Key Part Entry.

Key Type: RSA Keys

  Popup: Generate single key part
    Action: Generate an RSA Key and encrypt it under an IMP-PKA key.

  Popup: Encipher
    Action: Encipher an unencrypted RSA key under an IMP-PKA key.

  Popup: Load to PKDS
    Action: Load an RSA key to the PKDS active in the logical partition where the Host Transaction Program is started.

  Popup: Load to dataset
    Action: Load an RSA key to the host data set.

Master Keys - AES, ECC, DES, or Asymmetric

Generate single key part

The generate action for a new AES, ECC, DES, or Asymmetric Master Key type will generate a master key part that can be stored in a file or on a smart card. Note that this action does not load the key part to the host.

When you select Generate single key part, a Select Target window opens, enabling you to specify the target.

Figure 102. Select Target

Select the target: TKE smart card, binary or print file. Save the key part. If saving the key part to a binary or print file, specify the file path.

Note:

If you have implemented smart card support, make sure that the TKE cryptographic adapter in the TKE workstation and the TKE smart cards are in the same zone. To display the zone of a TKE smart card, exit TKE and use either the Cryptographic Node Management Utility or the Smart Card Utility Program under Trusted Key Entry Applications. See Display smart card details or Display smart card information.

If saving the key part to a TKE smart card, it cannot be saved to any other medium such as a binary or print file.

Saving to a TKE Smart Card: If you are saving to a TKE smart card, a message box prompts you to insert the smart card into the smart card reader.

Figure 103. Save key part to smart card

After you insert the TKE smart card, press OK. Then enter the PIN onto the smart card reader PIN pad.

A dialog is displayed prompting you for a key part description.

Figure 104. Enter key part description

Enter a description for the key part, and press the Continue command button.

Figure 105. Save key part

Generate Multiple Key Parts to

If you are going to create more than one key part at a time, use the "generate multiple key part to" feature. When this feature is started, you are asked to provide the total number of key parts you want to create. The minimum number of key parts that can be specified is 2.

Figure 106. Enter number of keys to be generated

The feature will walk you through the process of creating the requested number of key parts.

Load single key part

The load action from the New AES, DES, ECC, or Asymmetric Master Key type loads a key part to the new master key register. The key part can be obtained from a smart card, a binary file, or a keyboard. At least two key parts (First and Last) must be loaded. In addition, you can enter more than one intermediate key part.

Having selected Load single key part, a new menu pops up giving the user the possibility to select which key part to load:

• First

• Intermediate

• Last

Input from TKE Smart Card

Follow these steps:

1. A dialog box is displayed for selecting the input source.

Figure 107. Select key source - smart card


Make your selection and press Continue.

2. Insert the TKE smart card into the appropriate reader. Ensure the TKE smart card is enrolled in the same zone as the TKE cryptographic adapter; otherwise, the Load will fail.

Note:

To display the zone of a TKE smart card, exit from TKE and use either the Cryptographic Node Management Utility or the Smart Card Utility Program under Trusted Key Entry Applications. See Display smart card details or Display smart card information.

3. The smart card contents are read and displayed in the Select key part from TKE smart card window:

Figure 108. Select key part from TKE smart card


4. Highlight the key part to load.

5. Click OK.

6. Enter the PIN on the smart card reader PIN pad when prompted.

7. For a DES or Asymmetric Master Key, the MDC-4 is calculated and displayed, providing the user with the opportunity to visually verify the MDC-4 value. For a DES Master Key, the Encipher Zero VP (ENC-ZERO) is also displayed. For an AES or ECC Master Key, the AES-VP is calculated and displayed, providing the user with the opportunity to visually verify the AES-VP value.

8. Press Load key.

9. You will get a message that the command was executed successfully.

Input from Keyboard

A dialog box is displayed for selecting the input source. Select Keyboard and press the Continue command button.

Figure 109. Select key source - keyboard


If keyboard is selected as the input source, an input dialog box is displayed with input fields for either a 16-byte key, a 24-byte key or a 32-byte key depending on the key type. The dialog box displayed for entering the key values depends on the installation's Blind Key Entry selection. Blind Key Entry masks the key values being entered by representing the values as asterisks.

Figure 110. Enter Key Value - Blind Key Entry

An optional confirmation field can be used to confirm the key value entered.

For more information on how to change the Blind Key Entry option, see TKE Customization.

If Blind Key Entry is not being used, the key values are not masked, and there is no optional confirmation field.

Enter the key values and press the Continue command button.

Figure 111. Enter Key Value


• For the DES and Asymmetric Master Keys, when the user presses Continue, the MDC-4 (and Encipher Zero for DES Master Key) are calculated and displayed, providing the user with the opportunity to visually verify the MDC-4 and ENC-ZERO values. When Load Key is pressed, the user is asked if he or she would like to save the key part. If the user selects Yes to save the key part, a file chooser window is opened for the user to specify the file location (CD/DVD drive, USB flash memory drive, or TKE Data Directory) and file name for saving the key part. Then the key part is loaded. If the user selects No, the key part is not saved and the key part is loaded.

Figure 112. Key Part Information Window

Press Load key.

• For an AES or ECC Master Key, when the user presses Continue, the AES-VP is calculated and displayed, providing the user with the opportunity to visually verify the AES-VP value. When Load key is pressed, the user is asked if he or she would like to save the key part. If yes, a file chooser window is opened for the user to specify the file location (CD/DVD drive, USB flash memory drive, or TKE Data Directory) and file name for saving the key part. Then the key part is loaded. If no, the key part is not saved and the key part is loaded.

Figure 113. Key Part Information Window


Press Load key.

Input from Binary File

A dialog box is displayed for selecting the input source. Select Binary file and press the Continue command button.

Figure 114. Select key source - binary file

The Specify key file window is displayed.

Figure 115. Specify Key File


Using the Specify key file window, specify the file location (Floppy, CD/DVD Drive, USB flash memory drive, or TKE Data Directory) and file name. Select Open.

The Key Part Information window is displayed.

• For a DES or Asymmetric Master Key, the MDC-4 is calculated and displayed, providing the user with the opportunity to visually verify the value.

• For a DES Master Key, when loading from a binary file, the Encipher Zero hash is calculated and displayed. This provides the user with the opportunity to visually verify the value.

• For AES and ECC Master Keys, the AES-VP is calculated and displayed, providing the user with the opportunity to visually verify the AES-VP value.

Warnings:

1. If the file is loaded from a CD/DVD, you must deactivate the CD/DVD drive before removing the disc. If the disc is removed prior to deactivating the drive, data could be lost or corrupted. For details on deactivating media see TKE Media Manager.


2. Do not remove a USB flash memory drive from the USB port before you complete the operation that is using the drive, or before you respond to a message related to the operation that is using the drive. If you do remove a drive before the operation is complete, hardware messages may be generated on the TKE workstation.

Figure 116. Key Part Information Window

Once you have verified the information in the Key part information dialog, press the Load key command button.

Load All Key Parts From

If you have all of the people and key material necessary to load an entire key, you can use this wizard-like feature to walk you through the process of loading an entire key. Below is an example for loading a key from binary files:

To start the load process:

1. Right click on the appropriate key type in the "Select key to work with" area to display a pop-up menu. In this example we select Load all key parts from... -> Binary file from the pop-up menu. Options for loading all key parts from a smart card or keyboard input are also available.

Figure 117. Load all key parts from...


2. A dialog box is displayed prompting you for the number of key parts to be loaded. In the text entry field of this dialog, enter the number of key parts to be loaded and click the OK command button. In this example, there are two key parts.

Note:

The minimum number of key parts that can be specified is 2.

Figure 118. Enter the total number of key parts


3. A dialog box is displayed asking if you want to clear the key register. In this example, we click the Yes command button to clear the key register before loading the key parts from the binary file.

Figure 119. Do you want to clear the key register?

If you choose to clear the key register, a command is sent to the Host Cryptographic Module. This requires an authority signature key. When an authority key is needed and no key is currently loaded (or the current key is associated with an Authority that does not have enough authority to execute the command), a dialog will display asking if you want to load a signature key. Follow your normal process for loading a key.

Note:

When your key loading process requires you to use different authority signature keys at different steps in the process, you will be asked for new signature keys at the proper times.

When the register is cleared, a message box displays a "Command was executed successfully" message. Press the Close button on this message box to continue the process.

4. A message box reading "Select first key part" is displayed. Press the OK button on this message box to continue to select the first key part.

5. In this example, we are loading key parts from binary files, so a "Specify key file" dialog box is displayed. Files can be selected from a CD/DVD drive, USB Flash Memory Drive, or from the TKE Data Directory. Select the appropriate file for the first key part, and press the Open command button.

Figure 120. Specify key file (first key part)


6. A dialog box displays the key part information contained in the binary file. To load the key material, press the Load key command button.

Figure 121. Key part information (first key part)

When load of the key part completes, a message box displays a "Command was executed successfully" message. Press the Close button on this message box to continue the process.

7. In our example, we are loading two key parts. A message box reading "Select last key part" is displayed. Press the OK button on this message box to continue to select this key part.

8. A "Specify key file" dialog box is displayed. Select the appropriate file for this key part, and press the Open command button.

Figure 122. Specify key file (second key part)

9. A dialog box displays the key part information contained in the binary file. To load the key material, press the Load key command button.

Figure 123. Key part information (second key part)


When load of the key part completes, a message box displays a "Command was executed successfully" message. Press the Close button on this message box. The process is complete.

Clear

If you would like to clear either the new master key register or the old master key register, you can select either Clear -> New master key register or Clear -> Old master key register.

A warning is displayed, prompting you to verify that you want to clear the key register.

Figure 124. Clear new or old master key register validation message

If you press Yes, but an authority signature key has not been loaded, you will be prompted to load an authority signature key.

If you press Yes and the command executes successfully, a message box is displayed informing you of this.

Figure 125. Clear new or old master key successful message

Set (Asymmetric Master Key only)

If you select SET for an Asymmetric master key, a message is issued warning that PKA services must be disabled before the SET is done. If you respond to continue, then you get a message indicating successful execution.

SET will activate the new Asymmetric master key. That is, the current Asymmetric master key is transferred to the old Asymmetric master key register and the new Asymmetric master key register is transferred to the current Asymmetric master key register. The new Asymmetric master key register is reset to zeros.

Operational Keys


Beginning with TKE V4.1, operational keys can be loaded on a host crypto module. Operational key part registers allow operational keys to be loaded and accumulated on a host crypto module before storing them in the host key store.

Note:

To use TKE 4.1 or higher to load operational keys, you must be running ICSF HCR770B or higher.

Once all the key parts have been loaded and the key is Complete, you are required to remove the key from the key part register and load it into the CKDS. This is accomplished either through ICSF panels (see Loading Operational Keys to the CKDS) or using an option on Key Generator Utility Processes (KGUP) Job Control Language (JCL) (see z/OS Cryptographic Services ICSF Administrator's Guide).

Each of the supported crypto modules can have a maximum of 100 key part registers distributed across all domains.

An AES EXPORTER, IMPORTER or CIPHER key part register can be in one of the following states:

• Incomplete, need at least two more parts - Load to key part register (First, minimum of 3 parts) has completed successfully

• Incomplete, need at least one more part - Load to key part register (First, minimum of 2 parts or Add part) has completed successfully

• Intermediate part entered - Load to key part register (Add part) has completed successfully

• Complete - Load to key part register (Complete) has completed successfully

A DES operational key or AES DATA key part register can be in one of the following states:

• First part entered - Load to key part register (First) has completed successfully

• Intermediate part entered - Load to key part register (Add part) has completed successfully

• Complete - Load to key part register (Complete) has completed successfully

At least two key parts must be entered. There is no maximum number of key parts that can be entered.

Available tasks for Operational key part registers are as follows:

• Load single key part

• Load all key parts from...

• View

• Clear

AES EXPORTER, IMPORTER, and CIPHER keys have the following Load single key part tasks:

• First (minimum of 2 parts)

• First (minimum of 3 parts)

• Add part

• Complete

Tasks )or @oad a** key parts )rom,,, are as )o**o+s.

• Smart car#

• Hinary 0-e

• Key,oar#

" key part register is )reed +hen a Comp*ete key is *oaded to the CK;S )rom ICSF 6either

thro!gh the ICSF pane*s or KU5 LC@72 +hen the key part register is c*eared )rom TKE2 or a

zeroize domain is iss!ed )rom TKE,

<ie+ o) a key part register disp*ays key part register in)ormation,

Use o) the operationa* key part registers is contro**ed 0y access contro* points in the ro*e

de)inition, The access contro* points are as )o**o+s.

Page 53: Copy smart cards.docx

7/25/2019 Copy smart cards.docx

http://slidepdf.com/reader/full/copy-smart-cardsdocx 53/148

• 6oa# First Key Part

• 6oa# $##itiona- Key Part

Comp-ete Key

• C-ear Operationa- Key Part 1egister

3ote4

 There are separate access contro- points .or DES8 $ES8 an# ECC master keys an#

.or DES operationa- keys8 $ES operationa- keys8 an# $ES KEK an# CIP=E1 keys+

The host crypto module supports all ICSF operational key types. A USER DEFINED key type is also available, and allows the user to specify his or her own control vector for DES keys. This USER DEFINED control vector must still conform to the rules of a valid control vector. For more details on control vectors, see Appendix C in the z/OS Cryptographic Services ICSF Application Programmer's Guide.

Instead of a control vector, AES EXPORTER, IMPORTER, and CIPHER keys have key attributes associated with them that specify the key usage and key management attributes of the key. The key attributes are specified either at the time a key part is generated or when the first key part is loaded to the key part register on the host crypto module. For more information about key attributes, see Appendix B in the z/OS Cryptographic Services ICSF Application Programmer's Guide.

Generate Operational Key Parts

The generate action for an operational key type generates a key part of that type and stores it in a binary file or a print file, or on a smart card. Note that this action does not load the key part to the host.

When Generate is selected for a predefined Operational Key, the Generate Operational Key window is displayed showing the key type, key length, description, and control vector. Only the description field may be updated. The key length and control vector fields reflect the default length and control vector for the key type selected. If the key type supports different lengths (MAC, MACVER and DATA) then the key length field can also be updated.

Figure 12[?]. Generate Operational Key - predefined EXPORTER Key Type

When Generate is selected for a USER DEFINED key, the Generate Operational Key window is displayed showing the key type, key length, description, and blank control vector fields. All but the key type can be updated. The control vector entered must conform to the rules for a valid control vector.

Figure 127. Generate Operational Key - USER DEFINED

When Generate is selected for an AES EXPORTER, IMPORTER, or CIPHER key, the Generate Operational Key window is displayed showing the key type, key length, description, and key attributes fields. The key attributes fields indicate whether the key attributes contain default or custom values. The key attributes may be changed by pressing the Change key attributes button.

After selecting Continue on the Generate window, the Select Target dialog box displays, presenting you with a choice of targets: Binary File, Print File or Smart Card.

Figure 128. Select Target

Save key to Binary File or Print File

For either the binary file or print file option, the Save key part window is displayed. Specify where the key is to be saved, and press the Save command button.

Figure 129. Save key part

After the key is saved, the user can save the same key value again in another location on the Save key again window.

Figure 130. Save key again

Warnings:

1. If the file is saved to DVD-RAM, you must deactivate the CD/DVD drive before removing the DVD-RAM disc. For details on deactivating media see TKE Media Manager.

2. Do not remove a USB flash memory drive from the USB port before you complete the operation that is using the drive, or before you respond to a message related to the operation that is using the drive. If you do remove a drive before the operation is complete, hardware messages may be generated on the TKE workstation.

Save key to Smart Card

Note: The TKE cryptographic adapter generates the key part and securely transfers the key to the TKE smart card. You must insert a TKE smart card that is enrolled in the same zone as the TKE cryptographic adapter; otherwise the Generate will fail. To display the zone of a TKE smart card, exit from TKE and use either the Cryptographic Node Management Utility or the Smart Card Utility Program under Trusted Key Entry Applications. See Display smart card details, Display smart card information or View current zone.

Steps for saving a key to a TKE smart card are as follows:

1. When prompted, insert TKE smart card into Smart Card Reader 2

2. Press OK

3. Enter the PIN on the smart card reader PIN pad

4. A pop up message will indicate that the key part was successfully stored on the TKE smart card.

Note: The user can use the Copy smart card contents utility to copy key parts from one TKE smart card to another. See Copy smart cards.

Load to Key Part Register First

The Load to key part register action for an operational key type loads a key part to a key part register on the host crypto module. If the register already contains a value, it is XOR'd with the existing value. The key part can be obtained from a smart card, a binary file, or the keyboard. At least two key parts must be loaded (first, and add part), and then a complete action must be performed on the key register.

When you select Load to Key Part Register First, the Select Source window is displayed, prompting you to select the source for the key part.

Figure 131. Select Source

If binary file is selected, the Specify key file window displays. Specify the file to be used for the key load, and press the Open command button.

Figure 132. Specify key file for binary file source

If the binary file contains a key type that does not match the key type selected for loading, a warning is displayed asking for confirmation to continue. If continue is chosen, TKE will load the key part as the key type defined in the binary file and not the key type originally selected by the user.

Warnings:

1. If the file is loaded from a floppy or CD/DVD, you must deactivate the drive before removing the diskette. If it is removed prior to deactivating the drive, data could be lost or corrupted. For details on deactivating media see TKE Media Manager.

2. Do not remove a USB flash memory drive from the USB port before you complete the operation that is using the drive, or before you respond to a message related to the operation that is using the drive. If you do remove a drive before the operation is complete, hardware messages may be generated on the TKE workstation.

If keyboard is selected, the Enter key value window is displayed. When the key type is a predefined operational key with a fixed length (single length or double length only), the fields on the window that can be updated are the Description and the Key Value fields. If the predefined operational key supports different lengths (DATA, MAC and MACVER), then the key length field can be updated. When the user presses Continue, the MDC-4 and ENC-ZERO are calculated and displayed for the DES key part or the AES-VP is calculated and displayed for the AES key part, providing the user with the opportunity to visually verify the values. When Load key is pressed, the user is asked if he or she would like to save the key part. If yes, a file chooser window is opened for the user to select either the CD/DVD drive, a USB flash memory drive, or the TKE Data Directory and enter a File Name for saving the key part. The key part is then loaded. If no, the key part is not saved and the key is loaded.

Figure 133. Enter key value - keyboard source for predefined EXPORTER key type

When the key type is USER DEFINED, all the fields on the Enter Key Value window can be updated, including the control vector. The control vector entered must conform to the rules for a valid control vector. See z/OS Cryptographic Services ICSF Application Programmer's Guide.

Figure 134. Enter key value - keyboard source for USER DEFINED key type

When the key type is AES EXPORTER, IMPORTER, or CIPHER, the Key value fields can be updated and the Change key attributes button can be pressed to modify the key attributes values.

If TKE smart card is selected:

1. The user is prompted to insert a TKE card into the appropriate reader and select OK.

Figure 135. Select Source

2. In the Select key part from TKE smart card window, highlight the key part, right click, and either choose Select or press OK.

If the smart card contains a key type that does not match the key type selected for loading, a warning is displayed asking for confirmation to continue. If continue is chosen, TKE will load the key part as the key type defined in the smart card and not the key type originally selected by the user.

Figure 136. Select key part from TKE smart card

3. Enter a PIN on the smart card reader's PIN pad.

After the binary file or TKE smart card is read or the DES operational key part is entered, the ENC-ZERO and MDC-4 values for the key part are calculated and displayed along with the description, key type, and control vector on the Key part information window. (ENC-ZERO is not displayed for 24 byte key parts.)

For an AES DATA operational key, the AES-VP is calculated and displayed along with the description, key type, and control vector on the Key part information window. For an AES EXPORTER, IMPORTER, or CIPHER key, the AES-VP is calculated and displayed along with the description, key type, and key attributes values (default or custom) on the Key part information window. The actual key attributes values may be displayed by pressing the Display key attributes button.

The user must enter a key label for the key part register. When loading additional key parts, the key part register will be selected based on the key label entered. The key label entered must not already exist. If it does, an error will occur. The key label must conform to valid key label names in the CKDS. It must be no more than 64 bytes with the first character alphabetic or a national (@, #, $). The remaining characters can be alphanumeric, a national character, or a period (.). When the key part is processed, the label will be converted to uppercase.

Figure 137. Key part information - first DES key part

If the information presented on the Key part information panel is correct, the key part is loaded to the key part register by selecting Load Key. After the key part is successfully processed, the Key part register information window is displayed. It displays information about the Key Part Register, including the key type, SHA-1 hash of the first key part, the Control Vector and the key label. If necessary, the parity of the key part will be adjusted to odd.

Figure 138. DES key part register information

After OK is selected on the Key part register information window, a message is displayed indicating that the load was processed successfully.

Load to Key Part Register - Add Part

A Load to key part register Add Part can be performed multiple times, but must be performed at least once. The process for loading additional parts is similar to loading the first key part.

If Binary file is selected, the user chooses the file to load. If Smart card in reader 1 or Smart card in reader 2 is selected, the user chooses the key part to load. If Keyboard is selected and the key type is a predefined operational key, the Enter Key Value window is displayed. If the key type is USER DEFINED, then the Load Operational Key Part Register window is displayed with a drop down menu of available control vectors.

Figure 139. Load Operational Key Part Register - add part, keyboard source for USER DEFINED

The user selects the control vector for the key part to be loaded. Note that in Figure 140, which displays the available control vectors, the key part bit (bit 44) is turned on indicating that the key in the key part register is a partial key and is not yet complete. This bit will be turned on automatically when the first key part is loaded regardless of whether or not the user turned it on when the control vector was defined.

Figure 140. Drop down of control vectors - add part, keyboard source for USER DEFINED

After the control vector is selected, the Key part information window is displayed. Once the binary file or key part from the TKE smart card is read or the key part is entered, the Key part information window is displayed. This window differs from the window displayed for the Load first key part in two ways: key label and key label's SHA-1.

Figure 141. DES Key part information - add part

The key label field is now a drop-down menu for all the labels for all the key registers that have the same control vector, same key length, and are not in a Complete state. The user selects the appropriate key register label to load the key part. The key label's SHA-1 reflects the SHA-1 hash of the key parts currently loaded in the selected key part register. Load Key is selected and the Key part register information window is displayed. The SHA-1 hash value displayed now represents the accumulated key parts, including the key part just loaded. If necessary, the parity of the key part just loaded was adjusted to even.

Figure 142. DES Key part register information - add part with SHA-1 for combined key

When the Add Part is successfully processed, a message is displayed indicating the command was successfully executed.

Equivalent panels for AES DATA keys are shown below:

Figure 143. AES key part information - add part

Figure 144. AES key part register information

Load to Key Part Register Complete

When all the key parts have been loaded, the key part register needs to be placed in the Complete state. When Load Key Part Register Complete is selected for a predefined operational key, the Complete Operational Key Part Register window is displayed. Only labels of key part registers in the intermediate state that contain keys of the same operational key type are displayed for selection. If the key type supports different key lengths, then all key part registers of the key type selected will be displayed regardless of key length.

Figure 145. Complete DES Operational Key Part Register - predefined EXPORTER key type

To select one key label, highlight the label using the left mouse button. To select more than one key label, highlight the label using the left mouse button, then hold down the Control key and highlight additional key labels using the button. To select a range of key labels, highlight the first key label using the left mouse button, then hold down the Shift key and highlight the last key label. All key labels between the two selected labels will be selected. To select all the key labels, hold down the Control key and type an 'a'. When only one key label is selected for a DES key, the SHA-1 hash of the accumulated key in the key part register is displayed. If more than one key label is selected then the SHA-1 field on the window contains a '-'.

When Load Key Part Register Complete is selected for USER DEFINED key type, the Complete Operational Key Part Register window is displayed with all the domains' key part registers containing DES keys that are in the intermediate state.

Figure 146. Complete DES Operational Key Part Register - USER DEFINED key

After the key labels have been selected, the Key part register information window is displayed for each label that was selected. The ENC-ZERO value is shown for completed DES keys and the AES-VP is shown for completed AES keys.

Figure 149. DES Key part register information - predefined EXPORTER key type in Complete state

After all the key labels that were selected are processed, a message is displayed indicating that the command was executed successfully.
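The Load First, Add Part and Complete steps above, together with the register states listed at the start of this section, as an added Python model (example code, not TKE or ICSF software): the key parts, the key label and the EXPORTER control vector bytes are constructed sample values, and only the SHA-1 the page shows for partial keys is computed, not ENC-ZERO, MDC-4 or AES-VP.

```python
import hashlib
import re

# Added illustration, not TKE or ICSF code: a model of an operational key part
# register as this section describes it: XOR accumulation of key parts, parity
# adjustment for DES parts (odd for the first part, even for add parts, so the
# combined key stays odd), the SHA-1 of the accumulated parts, control-vector
# key-part bit 44 while the key is partial, the register states and the CKDS
# key label rules. ENC-ZERO, MDC-4 and AES-VP are not modelled.

CV_KEY_PART_BYTE, CV_KEY_PART_MASK = 5, 0x08           # CV bit 44 (bit 0 = leftmost)
LABEL_RE = re.compile(r"^[A-Z@#$][A-Z0-9@#$.]{0,63}$")   # at most 64 bytes

def normalize_label(label: str) -> str:
    """Uppercase the label, as TKE does when the part is processed, and check the
    CKDS rules: first character alphabetic or national (@, #, $), remaining
    characters alphanumeric, national or period, no more than 64 bytes."""
    label = label.upper()
    if not label.isascii() or not LABEL_RE.match(label):
        raise ValueError(f"invalid CKDS key label: {label!r}")
    return label

def adjust_parity(part: bytes, odd: bool) -> bytes:
    """Flip the low bit of every byte whose parity is not the requested one."""
    return bytes(b ^ 1 if (bin(b).count("1") % 2 == 1) != odd else b for b in part)

class KeyPartRegister:
    """DES and AES DATA registers use the First part entered / Intermediate part
    entered / Complete states; AES EXPORTER, IMPORTER and CIPHER registers use the
    Incomplete states and a First task that names the minimum number of parts
    (2 or 3). control_vector is None for key types that carry key attributes."""

    def __init__(self, key_type: str, label: str, control_vector: bytes = None):
        self.key_type = key_type
        self.label = normalize_label(label)
        self.cv = bytearray(control_vector) if control_vector else None
        self.value = b""
        self.parts_loaded = 0
        self.min_parts = 2
        self.completed = False

    @property
    def state(self) -> str:
        if self.parts_loaded == 0:
            return "empty"
        if self.completed:
            return "Complete"
        if self.key_type in ("DES", "AES DATA"):
            return "First part entered" if self.parts_loaded == 1 else "Intermediate part entered"
        remaining = self.min_parts - self.parts_loaded
        if remaining >= 2:
            return "Incomplete, need at least two more parts"
        if remaining == 1:
            return "Incomplete, need at least one more part"
        return "Intermediate part entered"

    def load_first(self, part: bytes, min_parts: int = 2) -> str:
        """Load to key part register (First); returns the SHA-1 of the part."""
        if self.parts_loaded:
            raise RuntimeError(f"key label {self.label} already exists")
        if min_parts not in (2, 3):
            raise ValueError("First is 'minimum of 2 parts' or 'minimum of 3 parts'")
        self.min_parts = min_parts
        self.value = adjust_parity(part, True) if self.key_type == "DES" else bytes(part)
        if self.cv is not None:
            self.cv[CV_KEY_PART_BYTE] |= CV_KEY_PART_MASK      # partial key: bit 44 on
        self.parts_loaded = 1
        return self.sha1()

    def add_part(self, part: bytes) -> str:
        """Load to key part register (Add part): XOR the part into the register."""
        if self.parts_loaded == 0 or self.completed:
            raise RuntimeError(f"cannot add a part in state '{self.state}'")
        if len(part) != len(self.value):
            raise ValueError("key part length must match the first part")
        if self.key_type == "DES":
            part = adjust_parity(part, False)      # odd XOR even leaves odd parity
        self.value = bytes(a ^ b for a, b in zip(self.value, part))
        self.parts_loaded += 1
        return self.sha1()

    def complete(self) -> None:
        """Load to key part register (Complete): only from the intermediate state,
        that is, after at least the minimum number of parts has been loaded."""
        if self.state != "Intermediate part entered":
            raise RuntimeError(f"cannot complete from state '{self.state}'")
        if self.cv is not None:
            self.cv[CV_KEY_PART_BYTE] &= 0xFF ^ CV_KEY_PART_MASK   # bit 44 off
        self.completed = True

    def sha1(self) -> str:
        """Hash shown on the Key part register information window."""
        return hashlib.sha1(self.value).hexdigest()

if __name__ == "__main__":
    # Constructed sample: a DES EXPORTER key (sample CV 00417D0003410000) from two parts.
    reg = KeyPartRegister("DES", "tke.demo.exporter", bytes.fromhex("00417d0003410000"))
    reg.load_first(bytes.fromhex("0123456789abcdef"))
    reg.add_part(bytes.fromhex("fedcba9876543210"))
    reg.complete()
    print(reg.label, reg.state, reg.cv.hex(), reg.sha1())
```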

View

Operational Key View is used to display key part register information. When View is selected for a predefined operational key, the View Operational Key Part Register window is displayed. Only key part register labels that contain keys of the same operational key type are displayed for selection.

Figure 150. View DES Operational Key Part Register - EXPORTER, one key label selected

To select one key label, highlight the label using the left mouse button. To select more than one key label, highlight the label using the left mouse button, then hold down the Control key and highlight additional key labels using the button. To select a range of key labels, highlight the first key label using the left mouse button, then hold down the Shift key and highlight the last key label. All key labels between the two selected labels will be selected. To select all the key labels, hold down the Control key and type an 'a'. When only one key label is selected, the verification pattern of the accumulated key in the key part register is displayed (SHA-1 for DES keys, AES-VP for AES keys). If more than one key label is selected then the verification pattern field on the window contains a '-'.

Figure 151. View DES Operational Key Part Register - EXPORTER, all key labels selected

When View is selected for a USER DEFINED key type, the View Operational Key Part Register window is displayed with all the domain's key part registers containing DES keys.

Figure 152. View DES Operational Key Part Register - USER DEFINED

After the key labels have been selected, the Key part register information window is displayed for each label that was selected. For keys that are in the First part entered or Intermediate part entered state, the SHA-1 value is displayed for the accumulated partial key value. Since the key contained in the key part register is a partial key, the key part bit (bit 44) of the control vector (CV) will be turned on. This is true for predefined and USER DEFINED key types.

Figure 153. View DES key part register information - key part bit on in CV

If the key is in the Complete state, the ENC-ZERO value of the completed key is displayed for DES keys, and the AES-VP value of the completed key is displayed for AES keys. The control vector for the completed key will have the key part bit turned off.

Figure 154. View DES key part register information - complete key

After all the key labels that were selected are processed, a message is displayed indicating that the command was executed successfully.

Figure 155. View key register successful message

Clear

Operational Key Clear is used to clear the contents of key part registers. When Clear is selected, a Warning window is displayed, prompting the user to confirm that he or she wants to clear the key part registers.

Figure 156. Warning! message for clear operational key part register

When clear is selected for a predefined operational key, the Clear Operational Key Part Register window is displayed. Only key part register labels that contain keys of the same operational key type are displayed for selection. If the key type supports different key lengths, then all key part registers of the key type selected will be displayed regardless of key length.

Figure 157. Clear Operational Key Part Register - EXPORTER key type, one key label selected

To select one key label, highlight the label with the left mouse button. To select more than one key label, highlight the label with the left mouse button, then hold down the Control key and highlight additional key labels with the button. To select a range of key labels, highlight the first key label with the left mouse button, then hold down the Shift key and highlight the last key label. All key labels between the two selected labels will be selected. To select all the key labels, hold down the Control key and type an 'a'. When only one key label is selected, the verification pattern of the accumulated key in the key part register is displayed (SHA-1 for DES keys, AES-VP for AES keys). If more than one key label is selected then the verification pattern field on the window contains a '-'.

Figure 158. Clear DES Operational Key Part Register - EXPORTER key type, all key labels selected

When Clear is selected for a USER DEFINED key type, the Clear Operational Key Part Register is displayed with all the domain's key part registers containing DES keys.

Figure 159. Clear DES Operational Key Part Register - USER DEFINED, one key label selected

When you press the OK command button on the Clear Operational Key Part Register window, the selected key labels are processed, and a message is displayed indicating that the command was executed successfully.

Figure 160. Clear Key Register successful message

Load to Key Storage

This selection is only possible for operational IMP-PKA or IMPORTER keys. The IMP-PKA key-encrypting keys are used to protect RSA keys during transport from the workstation to ICSF. Having selected Load to Key Storage, the user chooses one of the following key parts to load to the workstation key storage:

• First...

• Intermediate...

• Last...

The contents of the container depend upon the user's selection.

If the user selected First, the container shows all keys in the workstation key storage usable as IMP-PKA key encrypting keys. The user can utilize these as skeletons for composing the new key label.

If the user selected Intermediate or Last, the container shows all keys in the workstation key storage that have been installed with the first key part. It also shows any optional intermediate key parts that have been installed. The user must select one of these as the key label.

Figure 161. Install Importer Key Part in Key Storage

For IMP-PKA keys, you must specify additional information. A window is displayed for the user to specify the workstation key label and whether this IMP-PKA key will be used for protecting either an RSA key to be generated at the workstation or a clear RSA key to be enciphered at the workstation.

Figure 162. Install IMP-PKA Key Part in Key Storage

Note: For the RSA key to be loaded into the PKDS, the same IMP-PKA key value must be stored in the CKDS. See Load to Key Part Register First.

Secure Key Part Entry

To save known key part values to a TKE Smart Card, use secure key part entry. Refer to Appendix A. Secure Key Part Entry for details on using this function.

RSA Keys


Generate RSA Key

Note: On z10 EC, z10 BC, and z196, it is strongly recommended that customers use the PKA key generate (CSNDPKG) API to generate RSA keys. To write RSA keys to the PKDS, use PKA key record create (CSNDKRC or CSNDKRW). For more information, see z/OS Cryptographic Services ICSF Application Programmer's Guide.

This selection initiates RSA key generation at the workstation. The key is protected with a previously generated IMP-PKA key encrypting key and saved in a file.

From the Domains Keys page, right-click on RSA key in the Key Types container and select Generate. The Generate RSA Key window is displayed.

Figure 163. Generate RSA Key

In the Generate RSA key window, specify the following information:

• RSA key usage control - Specifies whether or not the RSA key can be used for key management purposes (encryption of DES keys). All RSA keys can be used for signature generation and verification.

• Key length - Length of the modulus of the RSA key in bits. All values from 512 to 1024 are valid.

• Public exponent - Value of the public exponent of the RSA key.

• PKDS key label - Label to be given the imported RSA key at the host. The information provided in this field can be changed when you load the RSA key to the host.

• Private key name - Text string that is included in the RSA key token and cryptographically related to the key. The private key name can be used for access control for the key. The information you entered in the PKDS key label field is copied to this field and can be edited.

• Description - Optional free text that is saved with the RSA key and displayed when you retrieve the key.

• Workstation IMP-PKA label - The container displays the labels of the key-encrypting keys currently in the TKE workstation key storage available for protecting RSA keys generated at a TKE workstation. The key-encrypting keys are sometimes referred to as workstation EXPORTER keys. Select one by clicking on it.

• Host IMP-PKA key label - The CKDS key label at the host used to import the RSA key. The selected Workstation IMP-PKA label is copied to this field and can be edited. This information can be changed when you load the RSA key to the host.

When the key is generated, a file chooser window is displayed for the user to specify the file location (CD/DVD drive, USB flash memory drive, or TKE Data Directory) and file name for saving the generated RSA key.

Warnings:

1. If the RSA key is saved to DVD-RAM, you must deactivate the CD/DVD drive before removing the DVD-RAM disc. For details on deactivating media see TKE Media Manager.

2. Do not remove a USB flash memory drive from the USB port before you complete the operation that is using the drive, or before you respond to a message related to the operation that is using the drive. If you do remove a drive before the operation is complete, hardware messages may be generated on the TKE workstation.

Encipher RSA Key

This selection allows an RSA key to be read from a clear key file, encrypted with a previously generated IMP-PKA key encrypting key, and saved in a file. The format of the clear key file is described in Appendix D. Clear RSA Key Format.

Having selected the Encipher action, the Encipher RSA Key window is displayed:

Figure 164. Encipher RSA Key

In the Encipher RSA key window, specify the following information:

• RSA key usage control - Specifies whether the RSA key can be used for key management purposes (encryption of DES keys). All RSA keys can be used for signature generation and verification.

• PKDS key label - Label to be given the imported RSA key at the host. The information provided in this field can be changed when you load the RSA key to the host.

• Private key name - Text string that is included in the RSA key token and cryptographically related to the key. The private key name can be used for access control for the key. The information you entered in the PKDS key label field is copied to this field and can be edited.

• Description - Optional free text that is saved with the RSA key and displayed when you retrieve the key.

• Workstation EXPORTER key label - The container displays the labels of the key-encrypting keys currently in the TKE workstation key storage available for protecting RSA keys entered from a clear key file. These key-encrypting keys are previously generated IMP-PKA keys that are currently in the TKE workstation key storage. Select one by clicking on it.

• Host IMP-PKA key label - The CKDS key label at the host used to import the RSA key. The selected Workstation IMP-PKA label is copied to this field and can be edited. This information can be changed when you load the RSA key to the host.

When the key is enciphered, a file chooser window is displayed for the user to specify the file location (CD/DVD drive, USB flash memory drive, or TKE Data Directory) and file name for saving the encrypted RSA key.

Warnings:

1. If the RSA key is saved to DVD-RAM, you must deactivate the CD/DVD drive before removing the DVD-RAM disc. For details on deactivating media see TKE Media Manager.

2. Do not remove a USB flash memory drive from the USB port before you complete the operation that is using the drive, or before you respond to a message related to the operation that is using the drive. If you do remove a drive before the operation is complete, hardware messages may be generated on the TKE workstation.

Load RSA Key to PKDS

This selection allows the user to load an RSA key to the host and install it in the PKDS. Using this function, it is only possible to load the RSA key to the PKDS in the TKE Host logical partition (LPAR). For loading RSA keys to TKE target LPARs, see Load RSA Key to Host Dataset.

Having selected Load to PKDS, a dialog box is displayed for selecting the input file holding the encrypted RSA key. When completed, the Load RSA key to PKDS window is displayed.

Figure 165. Load RSA Key to PKDS


In the Load RSA key to PKDS window, specify the following information:

• PKDS key label - Label to be given the imported RSA key at the host. Change this field as needed.

• Private key name - Text string that is included in the RSA key token and cryptographically related to the key. The private key name can be used for access control for the key. The information you entered in the PKDS key label field is copied to this field and can be edited.

• Description - Optional free text that was saved with the RSA key.

• Workstation EXPORTER key label - Label of the workstation IMP-PKA that is used for protecting the RSA key.

• Host IMP-PKA key label - Label of the IMP-PKA key stored in the host CKDS that will be used to import the RSA key. Change this field as needed.

Load RSA Key to Host Dataset

This selection allows the user to load an RSA key to a host data set as an external key token. From this dataset it is possible to install the key in the PKDS by means of the TSO/E ICSF panels.

The host dataset must be defined in advance with these attributes: recfm fixed, lrecl=1500, partitioned. Using this installation method, it is possible to load RSA keys into any PKDS in any LPAR. For information on the TSO/E ICSF interface, see Installing RSA Keys in the PKDS from a Data Set.

The steps are the same as for loading an RSA key to PKDS (see Load RSA Key to PKDS), except that the user has to specify the full dataset and member name. If you don't specify the dataset and member name in quotes, the high level qualifier for the dataset is the TSO/E logon of the administrator/host user ID.

Figure 166. Load RSA Key to Dataset

Controls Page

The Domain Controls page displays the cryptographic functions that are in effect for the domain and allows you to make changes to them.

• To change a setting, click on it
• To upload the controls settings to the crypto module, press Send updates
• To leave the controls settings unaltered after you have made changes to the page, press Discard changes

Figure 167. Controls Page


Note:

When managing domain controls through a TKE workstation, services displayed on the Domain Controls panel may not be available on the host crypto module. Enabling a service on this panel that is not supported by the host crypto module will NOT make that service available.

Working with Domains Controls Settings

You are able to administer access control points to ISPF Services, API Cryptographic Services and User Defined Extensions (UDX) from this page.

There are expandable folders for the Domain Cryptographic services. Some services cannot be disabled because they are "required". This is indicated on the panel. You can enable or disable services within the following folders:

• ISPF Services
• API Cryptographic Services
• UDXs (appears only if you have created UDXs on your system)

Whether the various services are enabled or disabled on your system is dependent upon the TKE workstation installation. Prior to TKE Version 3.1, only ISPF services could be updated. With TKE Version 3.1 and later, access control points for API and UDX services can be updated. As new access control points are added, they are enabled for new, first-time TKE installations. For existing TKE installations, API services will reflect what had been enabled/disabled in Version 3.1 and new access control points will be disabled. UDX support is implemented likewise. If your installation wants to use the new callable services, the corresponding access control point must be enabled.

For new TKE 7.1 users, all access control points enabled in the Default Role will be enabled on the supported host crypto modules (CEX2C and CEX3C). If migrating from TKE V4.0 or later to TKE 7.1 on a z10 EC, z10 BC, or z196, API services will reflect what had been enabled/disabled in the previous TKE release. Access control points may need to be enabled depending on the ICSF FMID installed on the above mentioned hardware. (For UDXs with access control points, enablement requires a TKE workstation.)

ISPF Services

Under the ISPF Services folder, there are check boxes for the services you can enable or disable. These services are for loading and setting the DES, AES, ECC, and Asymmetric Master Keys on supported host crypto modules through the ICSF panel interface.

If you are using a TKE workstation for the first time, your settings under ISPF Services will indicate that all services are enabled.

API Cryptographic Services

Under the API Cryptographic Services folder are all the ICSF services that can be enabled or disabled from the TKE workstation. See z/OS Cryptographic Services ICSF Application Programmer's Guide for the correlation between the access control point and the ICSF callable service.

UDXs

The UDX folder appears only if there are User Defined Extensions on your system. The UDXs folder lists your extensions and allows you to enable or disable them.

Dec Tables Page

Decimalization tables map hexadecimal digits to decimal digits, and are used in certain host crypto module operations that process Personal Identification Numbers (PINs). Decimalization tables may contain only decimal digits (0 through 9) and must be exactly 16 digits long. Every domain has slots for 100 decimalization tables. These tables can only be managed from a TKE. You can load, activate, or delete tables from this page.

Figure 168. Dec Tables page

To manage a table entry, left click to select an entry and right click to display command options. The available options are:

• Load
• Activate
• Activate All
• Delete
• Delete All

Figure 169. Table entry options

There are three access control points that control the ability to manage decimalization tables. They are:

• Load Decimalization Tables
• Delete Decimalization Tables
• Activate Decimalization Tables

A table entry can be in any of the following states:

• Empty
• Active
• Loaded

Load Table

Left click to select a table entry, and right click to bring up the table options. Select the Load option. From the Enter new decimalization table value screen, enter a 16 digit decimalization table value. The table can only contain decimal digits (0 through 9). Press the Continue button to create the table entry.

Figure 170. Enter new decimalization table value


Notes:

1. You must have the "load" ACP in order to load a table.

2. If the current status of a table entry is Active, you must also have the "delete" ACP in order to load a new table into it, because you must be allowed to delete the current table.

3. If you load a table, and you also have the "activate" ACP, the new table will be immediately activated.

Activate or Activate All

Left click to select a table entry and right click to bring up the table options. Select the Activate or Activate All option. When the command completes successfully, press the Close button in the information message box.

Notes:

1. Only tables with a current state of Loaded can be activated.

2. You must have the "activate" ACP in order to activate a table.

Delete or Delete All

Left click to select a table entry and right click to bring up the table options. Select the Delete or Delete All option. When the command completes successfully, press the Close button in the information message box.

Notes:

1. Only tables with a current state of Loaded or Active can be deleted.

2. You must have the "delete" ACP in order to delete a table.
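The rules above (a table of exactly 16 decimal digits, the Empty/Loaded/Active states, and which ACP each command needs, including the delete ACP needed to overwrite an Active table and the immediate activation when the activate ACP is held) modelled in Python as an added example. This is not code from the TKE workstation or ICSF; the TableSlot class, the decimalize function and the sample table values are this example's own, and decimalize shows only what the page states a table does, namely replace each hexadecimal digit by the decimal digit at that index.

```python
"""Rules for one decimalization table slot, as an added model of the page above.

This is example code, not part of the TKE workstation or ICSF. It encodes what
the page states: a table is exactly 16 decimal digits; a slot is Empty, Loaded
or Active; the load, activate and delete access control points (ACPs) gate each
command; and a table maps each hexadecimal digit to the decimal digit at that
index. The class and function names are this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass

SLOTS_PER_DOMAIN = 100     # the page: every domain has slots for 100 tables
TABLE_LENGTH = 16          # one decimal digit for each hex digit 0..F


def validate_table(value: str) -> str:
    """Accept exactly 16 characters, each one of the digits 0-9."""
    if len(value) != TABLE_LENGTH or any(c not in "0123456789" for c in value):
        raise ValueError("decimalization table must be exactly 16 digits 0-9")
    return value


def decimalize(table: str, hex_digits: str) -> str:
    """Apply a table: hex digit d is replaced by table[int(d, 16)]."""
    table = validate_table(table)
    return "".join(table[int(d, 16)] for d in hex_digits)


class ACPError(PermissionError):
    """The caller lacks an ACP the command requires."""


@dataclass
class TableSlot:
    """One of a domain's slots, in state Empty, Loaded or Active."""
    state: str = "Empty"
    value: str = ""

    def load(self, value: str, acps: set[str]) -> None:
        if "load" not in acps:                                 # Load Table, note 1
            raise ACPError("load ACP required")
        if self.state == "Active" and "delete" not in acps:    # note 2
            raise ACPError("delete ACP required to replace an Active table")
        self.value = validate_table(value)
        # note 3: holding the activate ACP makes the new table active at once
        self.state = "Active" if "activate" in acps else "Loaded"

    def activate(self, acps: set[str]) -> None:
        if "activate" not in acps:
            raise ACPError("activate ACP required")
        if self.state != "Loaded":                   # only Loaded tables activate
            raise ValueError(f"cannot activate a table in state {self.state}")
        self.state = "Active"

    def delete(self, acps: set[str]) -> None:
        if "delete" not in acps:
            raise ACPError("delete ACP required")
        if self.state == "Empty":                    # only Loaded or Active delete
            raise ValueError("nothing to delete")
        self.state, self.value = "Empty", ""


def demo() -> dict:
    """Walk one slot through the rules with constructed table values."""
    slot = TableSlot()
    slot.load("0123456789012345", {"load"})        # load ACP only
    loaded_state = slot.state                      # Loaded, not Active
    slot.activate({"activate"})
    active_state = slot.state                      # Active
    try:                                           # Active slot, no delete ACP
        slot.load("1234567890123456", {"load"})
        replaced = True
    except ACPError:
        replaced = False
    slot.load("1234567890123456", {"load", "delete", "activate"})
    return {
        "loaded_state": loaded_state,
        "active_state": active_state,
        "replace_without_delete_acp": replaced,
        "final_state": slot.state,
        "mapped": decimalize(slot.value, "A1F0"),
    }


if __name__ == "__main__":
    print(demo())
```

The three ACPs are deliberately kept separate in the model because they are granted separately on the Controls page: a role that may load tables but not activate them leaves every new table in the Loaded state until a second authority activates it.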

Crypto Module Notebook Co-Sign Tab

For co-signing a pending command in a host crypto module, open the notebook for that crypto module and select the Co-Sign tab. The Co-Sign tab panel displays the following information on the command to co-sign:

• Pending command - Name of the pending command
• Pending command reference - Unique hexadecimal number returned to the issuer of the command
• Loading Authority - Issuer of the command
• Pending command details container - Important parts of the pending command
• Signature requirements container - Current status for the fulfillment of the signature requirements. For a host crypto module, exactly two signatures are required for a multi-signature command. The authority index and name of each authority allowed to sign the pending command are displayed.

Authorities who have already signed the command are indicated by a Yes in the column labeled Signed.

Pressing the Co-sign button initiates the signing of the pending command. It opens windows in which you select the source of the authority signature key and then choose the authority index associated with that key. The possible signature key sources are as follows:

• Current key - Uses the currently loaded signature key
• Smart card - Reads an authority signature key from a TKE smart card
• Binary file - Reads an authority signature key from a hard disk or diskette
• Key storage - Reads an authority signature key from PKA key storage
• Default key - Uses the default authority signature key hardcoded into TKE

Press Delete if you want to delete the pending command.

Auditing

TKE implements logging of security relevant operations that occur on the TKE workstation. TKE provides auditors with a trail of activities on the TKE workstation that would otherwise not be tracked. Security actions performed on the TKE workstation are recorded in a security log and tied to a user identity. TKE security audit records are in addition to the System Management Facilities (SMF) records that are already cut on the host system when they are triggered by requests from TKE.

To perform auditing tasks or configure auditing settings on the TKE workstation, you must log on with the AUDITOR user name. When logged on to the TKE Workstation as AUDITOR, you are able to:

• Use the TKE Audit Configuration Utility to turn TKE auditing on and off.
• Use Service Management functions to:
  o View the security log
  o Archive the security logs
• Use the TKE Audit Record Upload Configuration Utility to configure audit record upload to a System z host, where the audit records will be saved in the z/OS SMF dataset.

ICSF also uses SMF record type 82 to record certain ICSF events. ICSF writes to subtype 16 whenever a TKE workstation either issues a command request to, or receives a reply response from, a Crypto Express2 Coprocessor or Crypto Express3 Coprocessor. In addition to the subtype 16 records, you can use the TKE Audit Record Upload Configuration Utility to send Trusted Key Entry workstation security audit records to a System z host. These security audit records are stored in the SMF dataset as type 82 subtype 29 records.
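An added example, not IBM's code, of how a security-operations team would pick the two TKE-related subtypes named above out of a raw stream of SMF records. Only the standard 24-byte SMF record header that every subtype-bearing record starts with (length, segment descriptor, flag byte, record type, time, date, system ID, subsystem ID, subtype) is parsed; the record bodies are not interpreted. The three sample records, their SYS1 system ID and their filler bodies are constructed here and are not real ICSF payloads.

```python
"""Pick the TKE-related records out of a stream of SMF type 82 records.

Added example, not IBM code. Every SMF record that carries a subtype starts
with the same 24-byte header (length, segment descriptor, flag byte, record
type, time, date, system ID, subsystem ID, subtype); only that header is
parsed here. Records of type 82 with subtype 16 (a TKE command request or
reply) or subtype 29 (an uploaded TKE workstation audit record) are kept and
time-stamped. The sample records and their filler bodies are constructed for
this example and are not real ICSF payloads.
"""
import struct
from datetime import date, timedelta

SMF_TYPE_ICSF = 82
TKE_SUBTYPES = {16: "TKE command request/reply",
                29: "TKE workstation audit record"}
HEADER = struct.Struct(">HHBBI4s4s4sH")   # LEN SEG FLG RTY TME DTE SID SSI STY
FLG_SUBTYPES_USED = 0x40                 # header flag: the subtype field is valid


def packed_date(d: date) -> bytes:
    """SMF date, packed decimal 0cyydddF (c = 0 for 19xx, 1 for 20xx)."""
    c, yy = divmod(d.year - 1900, 100)
    return bytes.fromhex(f"0{c}{yy:02d}{d.timetuple().tm_yday:03d}F")


def unpack_date(raw: bytes) -> date:
    digits = raw.hex().upper()                         # e.g. "0119206F"
    year = 1900 + int(digits[1]) * 100 + int(digits[2:4])
    return date(year, 1, 1) + timedelta(days=int(digits[4:7]) - 1)


def build_record(rtype: int, subtype: int, when: date, hundredths: int,
                 sid: str = "SYS1", ssi: str = "CSF ", body: bytes = b"") -> bytes:
    """Constructed record: 24-byte header followed by an opaque body."""
    hdr = HEADER.pack(HEADER.size + len(body), 0, FLG_SUBTYPES_USED, rtype,
                      hundredths, packed_date(when),
                      sid.encode("cp037"), ssi.encode("cp037"), subtype)
    return hdr + body


def iter_records(blob: bytes):
    """Split a byte stream into records using each header's length field."""
    pos = 0
    while pos + HEADER.size <= len(blob):
        length = struct.unpack_from(">H", blob, pos)[0]
        if length < HEADER.size or pos + length > len(blob):
            raise ValueError(f"bad SMF record length {length} at offset {pos}")
        yield blob[pos:pos + length]
        pos += length


def tke_events(blob: bytes) -> list:
    """(timestamp, system ID, subtype, description) for each TKE-related record."""
    events = []
    for rec in iter_records(blob):
        _, _, flg, rtype, tme, dte, sid, _, sty = HEADER.unpack_from(rec)
        if (rtype != SMF_TYPE_ICSF or not flg & FLG_SUBTYPES_USED
                or sty not in TKE_SUBTYPES):
            continue
        hh, rest = divmod(tme, 360000)                 # time is 1/100 s since midnight
        mm, rest = divmod(rest, 6000)
        ss, cc = divmod(rest, 100)
        stamp = f"{unpack_date(dte).isoformat()} {hh:02d}:{mm:02d}:{ss:02d}.{cc:02d}"
        events.append((stamp, sid.decode("cp037").strip(), sty, TKE_SUBTYPES[sty]))
    return events


# Constructed sample stream: a RACF record (type 80) that must be ignored, a TKE
# command record and an uploaded TKE audit record, all at 13:45:10.50 on 2019-07-25.
SAMPLE = b"".join([
    build_record(80, 2, date(2019, 7, 25), 4951050, ssi="RACF", body=b"\x00" * 8),
    build_record(82, 16, date(2019, 7, 25), 4951050, body=b"\x00" * 16),
    build_record(82, 29, date(2019, 7, 25), 4951050, body=b"\x00" * 32),
])

if __name__ == "__main__":
    for event in tke_events(SAMPLE):
        print(event)
```

The two subtypes answer different questions: subtype 16 records are cut by ICSF itself on the host every time a TKE sends a command to a coprocessor, so they exist whether or not the workstation's own auditing is on; subtype 29 records exist only if the AUDITOR has configured the upload utility, so a host-side detection rule that expects them must also alert when they stop arriving.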

TKE Audit Configuration Utility

To configure auditing, log on with the AUDITOR user name, select Trusted Key Entry and then select the Audit Configuration Utility.

The TKE Audit Configuration Utility is displayed.

By default, all available auditing is enabled.

Figure 171. Default settings for auditing


You can customize the auditing utility to your desired preference. To turn off auditing, click on Stop Auditing to change the status to Auditing Off.

Figure 172. Auditing is off


If you wish to enable and disable specific audit records (both successes and failures) you can expand each audit point to see the individual audit records associated with the group by clicking on the symbol to the left of the audit point.

Figure 173. Example of expanded auditing points


When you expand an audit point, you can configure the individual audit records as desired. If you wish to enable or disable all success or failure audit points, you can click on the successes or failures checkbox on the line corresponding to the audit points group.

Service Management Auditing Functions

You can use Service Management functions to perform the following auditing tasks:

• View the security log
• Archive the security logs

View Security Logs

The security logs can be viewed on the TKE, but only when you are logged in with the AUDITOR user name. The security log has a maximum allowed size of 30MB.

When the security log reaches 75% full, a hardware message alerts the user on the TKE console. The View Security Logs task determines if the message displays. By default, the message displays.

When the security log reaches 100% capacity, the oldest third of the audit records are deleted.

In order to avoid deleting records you can archive the security logs (see Archive Security Logs).

In order to view the security logs, log in as the AUDITOR user, select Service Management and select View Security Logs.

Figure 174. Viewing the security logs


This log displays 10 records per page. The 10-record pages can be navigated by clicking on Show Earlier Events and Show Later Events.

If the audit record contains an asterisk (*) next to the line saying 'TKE Audit Record', this means that there are further details available to view. You can view the details by selecting the radio button corresponding to the desired audit record and clicking Details....

Figure 175. Viewing additional details of the security logs

Audit and Log Management

Audit and log management copies the console events log, security log, and tasks performed log to a DVD-RAM or USB flash memory drive. If you wish to copy the logs, you must be logged onto the TKE console with the AUDITOR user name. Select Service Management and, from the service management window, select Audit and Log Management.

The Audit and Log Management dialog box is displayed.

Figure 176. Audit and Log Management dialog


The log data can be formatted in either HTML or XML format.

The starting and ending date and time values may be specified to limit the amount of log data that will appear in the report.

The types of data (console events, security log, and tasks performed log) can also be specified to limit the amount of data that appears in the report. Note that the events related to the TKE utilities are logged in the security log.

Figure 177. Audit and Log Management dialog (security log data selected)

After pressing OK, the log data is formatted in either HTML or XML format, and is displayed in a window.

Figure 178. Security Log


This window contains the report produced from the log data. To save the report to a DVD-RAM or a USB flash memory drive, press the Save... button. After pressing Save..., the Export Data window is displayed.

Figure 179. Export Data


Note:

If a DVD-RAM or USB flash memory drive is not currently present, nothing is listed under Select a Device. To write to a DVD-RAM, insert the DVD-RAM into the drive, wait for the drive light to stop blinking, and then press the Refresh button. To write to a USB flash memory drive, insert the drive, wait for the USB Device Status window to appear, and then press the Refresh button. When the OK button is pressed, the report is saved with the specified file name to the DVD-RAM or USB flash memory drive.

A popup window is displayed to indicate that the report was saved successfully.

Archive Security Logs

If you wish to archive the security logs you must be logged onto the TKE console with the AUDITOR user name. Archiving the security logs saves the security log's event data in another file on the DVD-RAM or USB flash memory drive, and then erases enough events from the security log to reduce its size to 20% of its maximum capacity.

In order to archive the security log, log in as the AUDITOR user and select Service Management. From the service management window select Archive Security Logs.

Note:

You must either have a DVD-RAM or USB flash memory drive that is formatted with no volume label or with a volume label of ACTSECLG. In order to do this, use the Format Media utility (see Format Media).

Figure 180. Archiving the security logs


With a valid DVD-RAM or USB flash memory drive inserted, click Archive.

While the security log is being archived, an Archiving Security Log... message box displays. After the archiving is completed, a message box displays indicating that the archive operation has completed.

TKE Audit Record Upload Configuration Utility

ICSF uses SMF record type 82 to record certain ICSF events. ICSF writes to subtype 16 whenever a TKE workstation either issues a command request to, or receives a reply response from, a Crypto Express2 Coprocessor or Crypto Express3 Coprocessor. In addition to the subtype 16 records, you can use the TKE Audit Record Upload Configuration Utility to send Trusted Key Entry workstation security audit records to a System z host, where they will be saved in the z/OS System Management Facilities (SMF) dataset. Each TKE security audit record is stored in the SMF dataset as a type 82 subtype 29 record.

Note:

The audit upload process does not remove any data from the TKE Workstation. Copies of security audit records are sent to the host system and all data is retained by the TKE Workstation.

Starting TKE Audit Record Upload Configuration Utility

To use the TKE Audit Record Upload Configuration Utility, you must first sign on to the Trusted Key Entry console in Privileged Mode Access with the AUDITOR user ID. To do this:

1. Close the Trusted Key Entry Console.

2. From the Welcome to the Trusted Key Entry Console screen select Privileged Mode Access.

3. From the Trusted Key Entry Console Logon screen, enter the user name AUDITOR and the password. (The default password is PASSWORD, but this can be changed by the user. See Change Password.)

4. Press the Logon command button.

To start the TKE Audit Record Upload Configuration Utility, go to the Trusted Key Entry Console Workplace window and select TKE Audit Record Upload Utility.

The TKE Audit Record Upload Configuration Utility window is displayed.

Figure 181. TKE Audit Record Upload Configuration Utility

Using the TKE Audit Record Upload Configuration Utility, you can:

• Specify the host machine to which the audit records will be sent. See Configure TKE for Audit Data Upload for more information.

• Upload audit records to the target host. See Uploading Audit Records for more information.

• Enable automatic audit record upload. When enabled, audit records will be uploaded every time the workstation is rebooted. See Enabling and Disabling Automatic Audit Record Upload for more information.

Configure TKE for Audit Data Upload

To upload audit data to a host system, you need to add the target host to the TKE Audit Record Upload Utility's host list, and make the target host the current host. To do this:

1. Add the target host to the TKE Audit Record Upload Utility's host list. To do this:

   a. In the TKE Audit Record Upload Configuration Utility window, right click to display a popup menu, and select the Add Host menu item. The Specify Host Information dialog is displayed.

   Figure 182. Specify Host Information dialog

   b. In the Specify Host Information dialog's Host name field, enter the host name.

   c. In the Specify Host Information dialog's Port field, enter the port number assigned to the TKE Host Transaction Program.

   d. Click the Ok command button. The Specify Host Information dialog closes and the host name is added to the TKE Audit Record Upload Configuration Utility's host list. The host name will appear in the Other hosts and associated timestamps area of the window.

   Figure 183. Other hosts and associated timestamps

2. Make the target host the current host. To complete this step, you must have a user ID and password for the target host.

   a. In the TKE Audit Record Upload Utility window's Other hosts and associated timestamps area, click on the target host name to highlight it.

   b. In the same area, right click on the target host name to display a popup menu, and select the Specify current host menu item. The Specify Host Login Information dialog is displayed.

   Figure 184. Specify Host Login Information

   c. In the Specify Host Login Information dialog, enter the user ID and password, and click the Ok command button. The target host is made the current host. The host name will appear in the Current Host field of the TKE Audit Record Upload Configuration Utility.

Once the target host has been identified in the TKE Audit Record Upload Utility, you can:

• Upload audit records to the target host. See Uploading Audit Records for more information.

• Enable automatic audit record upload. When enabled, audit records will be uploaded every time the workstation is rebooted. See Enabling and Disabling Automatic Audit Record Upload for more information.

Uploading Audit Records

Once you have used the TKE Audit Record Upload Configuration Utility to specify the target host (as described in Configure TKE for Audit Data Upload), you can upload audit records to the target host. If you have not already logged onto the host system during this session, the Specify Host Logon Information dialog will prompt you for a user ID and password before the audit records are uploaded. To complete this task, you must have a user ID and password for the target host.

In the TKE Audit Record Upload Utility window, click the Start uploading command button.

Note:

If you have not already logged onto the host system, the Specify Host Logon Information dialog will prompt you for a user ID and password.

The TKE Audit Record Upload Configuration Utility will begin uploading the audit records to the target host. The TKE Audit Record Upload Configuration Utility window's Upload status field will indicate the status of the upload operation.

• Pressing the Refresh command button will refresh the TKE Audit Record Upload Utility window. In particular, the Timestamp of last record uploaded field will be updated.

• Pressing the Stop uploading command button will stop the audit record upload.

You can also enable automatic audit record upload. When enabled, audit records will be uploaded every time the workstation is rebooted. See Enabling and Disabling Automatic Audit Record Upload for more information.

Enabling and Disabling Automatic Audit Record Upload

Once you have used the TKE Audit Record Upload Configuration Utility to specify the target host (as described in Configure TKE for Audit Data Upload), you can enable automatic audit record upload. This is called autostart mode. In autostart mode, audit records will be uploaded every time the workstation is rebooted. If you have not already logged onto the host system during this session, the Specify Host Logon Information dialog will prompt you for a user ID and password before autostart mode is enabled. To complete this task, you must have a user ID and password for the target host.

In the TKE Audit Record Upload Utility window, click the Enable autostart command button.

Note:

If you have not already logged onto the host system, the Specify Host Logon Information dialog will prompt you for a user ID and password.

The TKE Audit Record Upload Configuration Utility will enable autostart mode, and will upload audit records every time the workstation is rebooted. The TKE Audit Record Upload Configuration Utility window's Autostart status field will indicate that autostart is enabled.

To disable automatic audit record upload, click the Disable autostart command button.

Managing Keys

Master keys are used to protect all cryptographic keys that are active on your system. Because master key protection is essential to the security of the other keys, ICSF stores the master keys within the secure hardware of the cryptographic feature. This nonvolatile key storage area is unaffected by system power outages, because it has a battery backup. The values of the master keys never appear in the clear outside the cryptographic feature.

On a z10 system with a CEX2C or CEX3C and the Nov. 2008 or later licensed internal code (LIC), secure AES keys are supported. On the z196 with the Sept. 2010 or later LIC, secure ECC keys are supported.

ICSF is required to complete some operations initiated from TKE. These operations include setting the AES, ECC, or DES master keys, loading operational keys into the CKDS, and loading RSA keys from a host data set to the PKDS.

Note: ICSF is also required for initializing/refreshing the CKDS, disabling and enabling PKA services, PKDS initialization, PKDS reencipher and PKDS activate.

Be prepared to switch between your TKE workstation and your ICSF host session.

This topic discusses the procedures needed for:

• Loading the master keys the first time you start ICSF (see First-Time Startup)
• Changing the DES-MK or AES-MK periodically (see Changing Master Keys)
• Reentering the master keys (see Re-entering Master Keys After They Have Been Cleared)
• Adding additional coprocessors (see Adding Host Crypto Modules After ICSF Initialization)
• Changing the ASYM-MK master keys (see Asymmetric-keys Master Key Parts)
• Loading operational keys to the CKDS (see Loading Operational Keys to the CKDS)
• Refreshing the CKDS (see Refreshing the CKDS)
• Installing RSA keys (see Installing RSA Keys in the PKDS from a Data Set)

Master Key Parts

Master key parts are loaded using binary files, the keyboard, or smart cards. If loading key parts with the keyboard, record the key parts and the associated hash patterns.

The key parts are generated from the Domain Keys page. For more information, see Domains Keys Page.

Note:

If you are reentering master keys after they have been cleared, use the same master key part values as when you originally entered the keys. You should have saved the key part values in a secure place after you entered the master keys previously.

To enter a DES-MK or AES-MK, you can either enter a first key part and a final key part, or a first key part, one or more intermediate key parts, and a final key part.
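An added example, not ICSF or TKE code, of the split-knowledge property this procedure relies on: ICSF combines the first part, any intermediate parts and the final part by exclusive OR, so one custodian's part alone reveals nothing about the master key, and re-entering the same parts after a clear reproduces the same key. The register state names, the split_key helper and the truncated SHA-256 used as a stand-in for the recorded hash pattern are this example's own assumptions, not ICSF's verification-pattern algorithm; record the pattern the TKE itself displays.

```python
"""Split-knowledge entry of a master key from key parts, as described above.

Added example, not ICSF or TKE code. It shows the property the procedure
relies on: ICSF combines the first part, any intermediate parts and the final
part by exclusive OR, so no single custodian's part reveals the key, and
re-entering the same parts after a clear yields the same master key. The
register states and the hash pattern used here (truncated SHA-256 of a part)
are this example's own stand-ins, not ICSF's verification-pattern algorithm.
"""
from __future__ import annotations

import hashlib
import secrets

AES_MK_BYTES = 32   # AES-MK is 256 bits; a DES-MK part is 24 bytes


def hash_pattern(part: bytes) -> str:
    """Illustrative stand-in for the hash pattern recorded with each part."""
    return hashlib.sha256(part).hexdigest()[:16].upper()


def verify_part(part: bytes, recorded_pattern: str) -> bool:
    """Check a re-entered part against the pattern written down at first entry."""
    return secrets.compare_digest(hash_pattern(part), recorded_pattern)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class NewMasterKeyRegister:
    """Model of a new master key register: Empty -> Partially full -> Full."""

    def __init__(self, key_len: int = AES_MK_BYTES) -> None:
        self.key_len = key_len
        self.state = "Empty"
        self._acc = b""

    def _combine(self, part: bytes) -> None:
        if len(part) != self.key_len:
            raise ValueError(f"key part must be {self.key_len} bytes")
        self._acc = part if not self._acc else xor_bytes(self._acc, part)

    def load_first(self, part: bytes) -> None:
        if self.state != "Empty":
            raise RuntimeError("a first part may only be loaded into an empty register")
        self._combine(part)
        self.state = "Partially full"

    def load_intermediate(self, part: bytes) -> None:
        if self.state != "Partially full":
            raise RuntimeError("an intermediate part needs a first part loaded")
        self._combine(part)

    def load_final(self, part: bytes) -> bytes:
        if self.state != "Partially full":
            raise RuntimeError("a final part needs a first part loaded")
        self._combine(part)
        self.state = "Full"      # the value ICSF sets when the CKDS is initialized
        return self._acc

    def clear(self) -> None:
        self.state, self._acc = "Empty", b""


def split_key(key: bytes, n_parts: int) -> list[bytes]:
    """Produce n_parts random parts whose XOR is key (one per custodian)."""
    if n_parts < 2:
        raise ValueError("split knowledge needs at least two parts")
    parts = [secrets.token_bytes(len(key)) for _ in range(n_parts - 1)]
    last = key
    for p in parts:
        last = xor_bytes(last, p)
    return parts + [last]


def enter_key(parts: list[bytes]) -> bytes:
    """Load first, intermediate(s) and final part; return the resulting key."""
    reg = NewMasterKeyRegister(len(parts[0]))
    reg.load_first(parts[0])
    for p in parts[1:-1]:
        reg.load_intermediate(p)
    return reg.load_final(parts[-1])


if __name__ == "__main__":
    mk = secrets.token_bytes(AES_MK_BYTES)
    parts = split_key(mk, 3)
    patterns = [hash_pattern(p) for p in parts]      # what each custodian records
    print("first entry ok:", enter_key(parts) == mk)
    print("re-entry matches recorded patterns:",
          all(verify_part(p, h) for p, h in zip(parts, patterns)))
```

Because the combination is XOR, the parts can be re-entered in any order with the same result, but the register model still insists on a first part before any intermediate or final part, which is the ordering the TKE enforces through the separate first/intermediate/final load actions.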

First-Time Startup

The first time you start ICSF, you must load a DES-MK or AES-MK and initialize the CKDS. For information on creating an empty CKDS, see z/OS Cryptographic Services ICSF System Programmer's Guide. When you initialize the CKDS, ICSF creates a header record for the CKDS, installs the required system key in the CKDS, and sets the master key. Keys stored in the CKDS are enciphered under the DES-MK or AES-MK. After the master key has been set, you can generate or enter any keys you need to perform cryptographic functions.

To define a DES-MK or AES-MK, you must load the key parts to the DES or AES new master key register.

You have to initialize a CKDS only the first time you start ICSF on a system. After you initialize a CKDS, you can copy the disk copy of the CKDS to create other CKDSs for use on the system. You can also share a CKDS with another ICSF system if the system has the same master key value. If sharing a CKDS between a z10 EC or z10 BC and a legacy system, the CKDS must be initialized on the legacy system. At any time, you can read a different disk copy into storage. For information about how to read a disk copy into storage, see Refreshing the CKDS.

Initia*ize the CK;S


"t this point2 the ne+ ;ES and/or "ES master key register on each host crypto mod!*e in

this domain is )!**,

-o! m!st no+ initia*ize the CK;S 6+hich a*so activates the ;ES or "ES master key7,

From the ICSF 5rimary 4en!.

&, Se*ect Option #2 4"STE KE- 44T2 as sho+n in Fig!re &(B,

Fig!re &(B, ICSF Se*ecting the 4aster Key Option on the 5rimary 4en! 5ane* 

CSF@PRIM ------------- Integrated Cryptographic Service Facility---------

 OPTION ! "

Enter the n#$%er o& the de'ired option(

Page 108: Copy smart cards.docx

7/25/2019 Copy smart cards.docx

http://slidepdf.com/reader/full/copy-smart-cardsdocx 108/148

  ) COPROCESSOR M*MT - Manage$ent o& Cryptographic Coproce''or'

  " M+STER ,E M*MT - Ma'ter .ey 'et or change/ C,DS0P,DSproce''ing

  1 OPST+T - In'tallation option'

  2 +DMINCNT3 - +d$ini'trative Control F#nction'

  4 UTI3IT - ICSF Utilitie'

  5 PPINIT - Pa'' Phra'e Ma'ter ,ey0C,DSInitiali6ation

  7 T,E - T,E Ma'ter and Operational .eyproce''ing

  8 ,*UP - ,ey *enerator Utility proce''e'

  9 UD: M*MT - Manage$ent o& U'er De&ined E;ten'ion'

  3icen'ed Material' - Property o& I<M

  Thi' prod#ct contain' =Re'tricted Material' o& I<M=

  4592-+>) ?C Copyright I<M Corp( ">>8( +ll right' re'erved(

  US *overn$ent U'er' Re'tricted Right' - U'e/ d#plication or

  di'clo'#re re'tricted %y *S+ +DP Sched#le Contract Aith I<MCorp(

Pre'' ENTER to go to the 'elected option(

Pre'' END to e;it to the previo#' $en#(

#, The 4aster Key 4anagement pane* appears, Se*ect Option &2IIT/EFES?/U5;"TE CK;S2 as sho+n in Fig!re &(8,

Fig!re &(8, Se*ecting the Initia*ize a CK;S Option on the ICSF 4aster Key

4anagement 5ane* 

CSFM,M)> ---------------- ICSF - Ma'ter ,ey Manage$ent----------------

 OPTION ! )

Page 109: Copy smart cards.docx

7/25/2019 Copy smart cards.docx

http://slidepdf.com/reader/full/copy-smart-cardsdocx 109/148

 Enter the n#$%er o& the de'ired option a%ove(

  ) INIT0REFRESB0UPD+TE C,DS - Initiali6e a Cryptographic ,ey DataSet or

activate an #pdated Cryptographic ,ey DataSet

" SET M, - Set a $a'ter .ey ?+ES/ DES/ ECC

  1 REENCIPBER C,DS - Reencipher the C,DS prior to changing a'y$$etric

  $a'ter .ey

  2 CB+N*E SM M, - Change a 'y$$etric $a'ter .ey and activatethe

reenciphered C,DS

  4 INIT0REFRESB0UPD+TE P,DS - Initiali6e a P#%lic ,ey Data Set or

  activate an #pdated P#%lic ,ey Data Set or

  #pdate the P#%lic ,ey Data Set header

  5 REENCIPBER P,DS - Reencipher the P,DS

  7 CB+N*E +SM P,DS - Change an a'y$$etric $a'ter .ey andactivate the

reenciphered P,DS

 

$, The Initia*ize a CK;S pane* no+ appears,

Fig!re &(, ICSF Initia*ize a CK;S 5ane* 

CSFC,D)> ---------------- ICSF - Initiali6e a C,DS----------------

 COMM+ND ! )

 Enter the n#$%er o& the de'ired option(

  ) Initiali6e an e$pty C,DS ?create' the header and 'y'te$ .ey'

  " REFRESB - +ctivate an #pdated C,DS

Page 110: Copy smart cards.docx

7/25/2019 Copy smart cards.docx

http://slidepdf.com/reader/full/copy-smart-cardsdocx 110/148

 Enter the na$e o& the C,DS %eloA(

  C,DS ! FIRST(EMPT(C,DS

 

>, In the CK;S )ie*d at the 0ottom o) the pane*2 enter the name o) the empty <S"4

data set that +as created to !se as the disk copy o) the CK;S,

The name yo! enter sho!*d 0e the same name that is speci)ied in the CK;S

insta**ation option in the insta**ation options data set, For in)ormation a0o!t creating a

CK;S and speci)ying the CK;S name in the insta**ation options data set2 see z/OS

Cryptographic Services ICSF System 5rogrammer's !ide,

B, Choose option &2 Initia*ize an empty CK;S2 and press ETE,

ICSF creates the header record in the disk copy o) the CK;S, e3t2 ICSF sets the

;ES master key or "ES master key, ICSF then adds the reG!ired system key to the

CK;S and re)reshes the CK;S, When ICSF comp*etes a** these steps the message

INITI+3I+TION COMP3ETE appears, I) yo! did not enter a master key into the

ne+ master key register previo!s*y2 the message NM, RE*ISTER NOT FU33 

appears and the initia*ization process ends, -o! m!st enter a master key into the ne+

master key register 0e)ore yo! can initia*ize the CK;S,

 ote.

I) any part o) the option & )ai*s2 yo! m!st de*ete the CK;S and start over, I) the

)ai*!re occ!rs a)ter the master key is set and 0e)ore the system key has 0een created2

yo! +i** need to re*oad the ne+ master key register2 de*ete the CK;S and start over,

")ter yo! comp*ete the entire process2 a master key and CK;S e3ist on yo!r system, I) yo!

+ant to enter keys 6)or e3amp*e2 keys !sing the key generate ca**a0*e service2 the key

generator !ti*ity program2 or convert CUS5/5CF keys to ICSF keys !sing the conversion

 program72 see z/OS Cryptographic Services ICSF "dministrator's !ide,

Changing 4aster Keys


For security reasons, your installation should change the master keys periodically. In addition, if the master keys have been cleared, you may also want to change the master keys after you reenter the cleared master keys.

Tasks necessary for changing the master key are:


1. Load new DES-MK or AES-MK (first, middle, last)

2. Re-encipher CKDS

3. Change master key

The step-by-step procedure for changing the DES or AES master key, reenciphering the CKDS, and activating the new master key is presented in Changing the Master Key Using the Master Key Panels. For information on the contents of the master key registers during the key change process, and some compatibility mode considerations, see z/OS Cryptographic Services ICSF Administrator's Guide.

A DES or AES master key and a CKDS containing keys enciphered under that master key already exist. Before you replace this existing master key with the new master key, you must reencipher the CKDS under the new master key(s).

When the DES or AES master key is changed, the current active DES or AES master key is moved to the auxiliary master key register and the new DES or AES master key is moved to the master key register. In this way, the new master key you have just entered becomes the current master key, and the previous master key is stored in the old master key register.

Before the new DES or AES master key is placed into the master key register, you must reencipher all disk copies of the CKDS under the new master key. Then you are ready to activate the master key. When you change the master key, you have ICSF replace the in-storage copy of the CKDS with the reenciphered disk copy and make the new master key active on the system.
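The register moves described above and in the key-part entry text earlier in this section (load parts into the new master key register and check each hash pattern, set, reencipher the disk copy of the CKDS, then change, and re-enter the same parts after a clear) as an added Python model; this is not IBM's code. Key parts are combined by exclusive OR as ICSF does, but the hash pattern, the verification pattern in the CKDS header and the key wrapping are SHA-256 stand-ins chosen so the example runs with the standard library, not the host crypto module's algorithms, and every message text other than NMK REGISTER NOT FULL and INITIALIZATION COMPLETE is constructed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

MK_LEN = 32  # constructed: an AES-256-sized master key, in bytes

def hash_pattern(part: bytes) -> bytes:
    """16-byte pattern shown after each key part is entered (SHA-256 stand-in, not ICSF's)."""
    return hashlib.sha256(b"hash-pattern" + part).digest()[:16]

def mkvp(master_key: bytes) -> bytes:
    """Verification pattern that tags a CKDS copy with the master key its entries are under."""
    return hashlib.sha256(b"mkvp" + master_key).digest()[:8]

def wrap(master_key: bytes, key: bytes) -> bytes:
    """Encipher a key under a master key (stand-in: XOR with a keyed SHA-256 stream; self-inverse)."""
    stream = hashlib.sha256(b"wrap" + master_key).digest()
    return bytes(a ^ b for a, b in zip(key, stream))

@dataclass
class CKDS:
    """One disk or in-storage copy of the CKDS."""
    mkvp: bytes                                  # master key the entries are enciphered under
    entries: dict = field(default_factory=dict)  # key label -> enciphered key

@dataclass
class Domain:
    """Master key registers of one domain on a host crypto module, plus the in-storage CKDS."""
    new_mk: bytes = bytes(MK_LEN)       # new master key register: XOR of the parts loaded so far
    new_mk_full: bool = False
    current_mk: Optional[bytes] = None  # master key register (the active master key)
    old_mk: Optional[bytes] = None      # auxiliary (old) master key register
    in_storage: Optional[CKDS] = None

    def load_key_part(self, part: bytes, final: bool) -> bytes:
        """Enter a first, intermediate or final key part; returns the hash pattern to verify."""
        if len(part) != MK_LEN or self.new_mk_full:
            raise ValueError("bad part length, or new master key register already full")
        self.new_mk = bytes(a ^ b for a, b in zip(self.new_mk, part))
        self.new_mk_full = final
        return hash_pattern(part)

    def set_master_key(self) -> str:
        """SET MK: transfer the new master key register to the master key register."""
        if not self.new_mk_full:
            return "NMK REGISTER NOT FULL"
        self.current_mk, self.new_mk, self.new_mk_full = self.new_mk, bytes(MK_LEN), False
        return "MASTER KEY SET"

    def initialize_ckds(self) -> str:
        """First-time startup: set the master key, then create an empty CKDS whose header names it."""
        if self.set_master_key() != "MASTER KEY SET":
            return "NMK REGISTER NOT FULL"
        self.in_storage = CKDS(mkvp=mkvp(self.current_mk))
        return "INITIALIZATION COMPLETE"

    def add_key(self, label: str, key: bytes) -> None:
        """Store an operational key in the in-storage CKDS, enciphered under the active master key."""
        self.in_storage.entries[label] = wrap(self.current_mk, key)

    def read_key(self, label: str) -> bytes:
        """Recover a CKDS key; fails while the registers are cleared or hold a different key."""
        if self.current_mk is None or self.in_storage.mkvp != mkvp(self.current_mk):
            raise RuntimeError("active master key does not match the in-storage CKDS")
        return wrap(self.current_mk, self.in_storage.entries[label])

    def reencipher_ckds(self, disk_copy: CKDS) -> CKDS:
        """REENCIPHER CKDS: input disk copy (under the current MK) -> output disk copy (under
        the new MK). Only disk copies are touched; the in-storage CKDS and registers are unchanged."""
        if not self.new_mk_full or disk_copy.mkvp != mkvp(self.current_mk):
            raise ValueError("new master key register not full, or input CKDS not under current MK")
        out = CKDS(mkvp=mkvp(self.new_mk))
        for label, enciphered in disk_copy.entries.items():
            out.entries[label] = wrap(self.new_mk, wrap(self.current_mk, enciphered))
        return out

    def change_master_key(self, new_ckds: CKDS) -> str:
        """CHANGE SYM MK: reject a disk copy not reenciphered under the new master key; otherwise
        current -> old register, new -> current register, and the disk copy becomes in-storage."""
        if not self.new_mk_full:
            return "NMK REGISTER NOT FULL"
        if new_ckds.mkvp != mkvp(self.new_mk):
            return "CKDS NOT REENCIPHERED UNDER NEW MASTER KEY"  # constructed message text
        self.old_mk, self.current_mk = self.current_mk, self.new_mk
        self.new_mk, self.new_mk_full = bytes(MK_LEN), False
        self.in_storage = new_ckds
        return "MASTER KEY CHANGED"

    def zeroize(self) -> None:
        """Tamper or zeroize: the registers are cleared; the enciphered CKDS copies are not."""
        self.new_mk, self.new_mk_full = bytes(MK_LEN), False
        self.current_mk = self.old_mk = None
```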

Changing the Master Key Using the Master Key Panels


Load the key parts of the new master key that you want to replace the current master key. The new master key parts must be loaded from TKE.

Note:

The steps for this task are performed from your TSO/E logon id using the ICSF panels.

The new DES or AES master key register on all supported host crypto cards must be full before you change the master key.

1. Select option 2, MASTER KEY MGMT, on the ICSF Primary Menu.

Figure 188. Selecting the Master Key Option on the ICSF Primary Menu Panel

 CSF@PRIM ------------- Integrated Cryptographic Service Facility ---------
 OPTION ===> 2

 Enter the number of the desired option.

   1 COPROCESSOR MGMT - Management of Cryptographic Coprocessors
   2 MASTER KEY MGMT  - Master key set or change, CKDS/PKDS processing
   3 OPSTAT           - Installation options
   4 ADMINCNTL        - Administrative Control Functions
   5 UTILITY          - ICSF Utilities
   6 PPINIT           - Pass Phrase Master Key/CKDS Initialization
   7 TKE              - TKE Master and Operational key processing
   8 KGUP             - Key Generator Utility processes
   9 UDX MGMT         - Management of User Defined Extensions

2. Before you change the master key, you must first reencipher the disk copy of the CKDS under the new master key. Select option 3, REENCIPHER CKDS, on the Master Key Management panel, as shown in Figure 189, and press ENTER.

Figure 189. Selecting the Reencipher CKDS Option on the ICSF Master Key Management Panel

 CSFMKM10 ---------------- ICSF - Master Key Management ----------------
 OPTION ===> 3

 Enter the number of the desired option above.

   1 INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or
                                activate an updated Cryptographic Key Data Set
   2 SET MK                   - Set a master key (AES, DES, ECC)
   3 REENCIPHER CKDS          - Reencipher the CKDS prior to changing a symmetric
                                master key
   4 CHANGE SYM MK            - Change a symmetric master key and activate the
                                reenciphered CKDS
   5 INIT/REFRESH/UPDATE PKDS - Initialize a Public Key Data Set or
                                activate an updated Public Key Data Set or
                                update the Public Key Data Set header
   6 REENCIPHER PKDS          - Reencipher the PKDS
   7 CHANGE ASYM PKDS         - Change an asymmetric master key and activate the
                                reenciphered PKDS

3. The Reencipher CKDS panel appears. See Figure 190.

Figure 190. Reencipher CKDS

 CSFCMK10 ----------------- ICSF - Reencipher CKDS ------------------
 COMMAND ===>

 To reencipher all CKDS entries from encryption under the current master key
 to encryption under the new master key enter the CKDS names below.

   Input CKDS  ===> CKDS.CURRENT.MASTER
   Output CKDS ===> CKDS.NEW.MASTER


4. In the Input CKDS field, enter the name of the CKDS that you want to reencipher. In the Output CKDS field, enter the name of the data set in which the reenciphered keys are written.

Note:

The output data set should already exist, although it must be empty. For more information about defining a CKDS, see z/OS Cryptographic Services ICSF System Programmer's Guide.

Reenciphering the disk copy of the CKDS does not affect the in-storage copy of the CKDS. On this panel, you are working with only a disk copy of the CKDS.

5. Press ENTER to reencipher the input CKDS entries and write them into the output CKDS.

The message REENCIPHER SUCCESSFUL appears on the top right of the panel if the reencipher succeeds.

6. If you have more than one CKDS on disk, specify the information and press ENTER as many times as you need to reencipher all of them. Reencipher all your disk copies at this time. When you have reenciphered all the disk copies of the CKDS, you are ready to change the master key.

7. Press END to return to the Master Key Management panel.

a. Changing the master key involves refreshing the in-storage copy of the CKDS with a disk copy and activating the new master key.

b. If you are running in compatibility or co-existence mode, do not select option 4, the Change option. To activate the changed master key when running in compatibility or co-existence mode, you need to re-IPL MVS and start ICSF. When you re-IPL MVS and start ICSF, you activate the changed master key and refresh the in-storage CKDS. To do this, you must exit the panels at this time.

c. If you are running in noncompatibility mode, to change the master key select option 4 on the Master Key Management panel, as shown in Figure 191.

Figure 191. Selecting the Change Master Key Option on the ICSF Master Key Management Panel

 CSFMKM10 ---------------- ICSF - Master Key Management ----------------
 OPTION ===> 4

 Enter the number of the desired option above.

   1 INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or
                                activate an updated Cryptographic Key Data Set
   2 SET MK                   - Set a master key (AES, DES, ECC)
   3 REENCIPHER CKDS          - Reencipher the CKDS prior to changing a symmetric
                                master key
   4 CHANGE SYM MK            - Change a symmetric master key and activate the
                                reenciphered CKDS
   5 INIT/REFRESH/UPDATE PKDS - Initialize a Public Key Data Set or
                                activate an updated Public Key Data Set or
                                update the Public Key Data Set header
   6 REENCIPHER PKDS          - Reencipher the PKDS
   7 CHANGE ASYM PKDS         - Change an asymmetric master key and activate the
                                reenciphered PKDS

8. When you press the ENTER key, the Change Master Key panel appears. See Figure 192.

Figure 192. Change Master Key Panel

 CSFCMK20 -------------------- ICSF Change Master Key --------------
 COMMAND ===>

 Enter the name of the new CKDS below

   New CKDS ===> CKDS.NEW.MASTER


 When the master key is changed, the new CKDS will become active.

9. In the New CKDS field, enter the name of the disk copy of the CKDS that you want in storage.

You should have already reenciphered the disk copy of the CKDS under the new master key. The last CKDS name that you specified in the Output CKDS field on the Reencipher CKDS panel, which is shown in Figure 190, automatically appears in this field.

10. Press ENTER.

ICSF loads the data set into storage, where it becomes operational on the system. ICSF also places the new master key into the master key register so it becomes active.

After you press ENTER, ICSF attempts to change the master key. It displays a message on the top right of the panel. The message indicates either that the master key was changed successfully or that an error occurred that did not permit the change process to be completed. For example, if you indicate a data set that is not reenciphered under the new master key, an error message displays and the master key is not changed.

Re-entering Master Keys After They Have Been Cleared


In these situations, the host crypto module (CEX2C or CEX3C) clears the master key registers so that the master key values are not disclosed:

• If the card detects tampering (the intrusion latch is tripped), ALL installation data is cleared: master keys, retained keys for all domains, operational key part registers, as well as roles and authorities.

• If the card detects tampering (the secure boundary of the card is compromised), it self-destructs and can no longer be used.

• If you issue a command from the TKE workstation to zeroize a domain. This command zeroizes the data specific to a domain: master keys, retained keys and operational key part registers.


• If you issue a command from the Support Element panel to zeroize domains. This command can zeroize ALL installation data: master keys, retained keys, operational key part registers, and access control roles and profiles. Also, the default setting of Denied for all crypto modules set for TKE Enablement.

If you are running on z10 servers, you can zeroize the data specific to a domain: master keys, retained keys and operational key part registers.

Although the values of the master keys are cleared, the keys in the CKDS are still enciphered under the cleared symmetric-keys master key. The RSA and DSS private keys are also each enciphered under the cleared asymmetric-keys master keys. Therefore, to recover the keys in the CKDS, and the PKA private keys in the PKDS, you must reenter the same master keys and activate the DES or AES master key. For security reasons, you may then want to change all the master keys.

PR/SM Considerations

When running in PR/SM logical partition (LPAR) mode, a tamper situation causes all installation data (master keys, retained keys, operational key part registers, roles and authorities) on the crypto card to be cleared. All installation data will need to be reloaded and recreated. If you zeroize a domain using the TKE workstation, however, the master keys are cleared only in that domain. Master keys in other domains are not affected and do not need to be reentered. For more information about reentering master keys in LPAR mode, see z/OS Cryptographic Services ICSF Administrator's Guide.

Setting the Master Key


")ter the master keys have 0een c*eared2 reenter the same master keys 0y )o**o+ing these

steps.

&, @oad ne+ master key parts, For detai*s on *oading the keys2 see @oad sing*e key part,

These va*!es sho!*d 0e stored in a sec!re p*ace as speci)ied in yo!r enterprises

sec!rity process,

#, etrieve the key parts2 checks!ms2 veri)ication patterns2 and hash patterns yo! !sed

+hen yo! *oaded the master keys origina**y, These va*!es sho!*d have 0een stored in

a sec!re p*ace,

$, To activate the ;ES or "ES master key yo! H!st entered2 yo! need to set it, On the

ICSF 5rimary 4en! pane*2 se*ect option #,


Figure 193. ICSF Selecting the Master Key Option on the Primary Menu Panel

 CSF@PRIM ------------- Integrated Cryptographic Service Facility ---------
 OPTION ===> 2

 Enter the number of the desired option.

   1 COPROCESSOR MGMT - Management of Cryptographic Coprocessors
   2 MASTER KEY MGMT  - Master key set or change, CKDS/PKDS processing
   3 OPSTAT           - Installation options
   4 ADMINCNTL        - Administrative Control Functions
   5 UTILITY          - ICSF Utilities
   6 PPINIT           - Pass Phrase Master Key/CKDS Initialization
   7 TKE              - TKE Master and Operational key processing
   8 KGUP             - Key Generator Utility processes
   9 UDX MGMT         - Management of User Defined Extensions

4. To set the DES or AES master key, choose option 2 on the panel and press ENTER.

Figure 194. Selecting the Set Host Master Key Option on the ICSF Master Key Management Panel

 CSFMKM10 ---------------- ICSF - Master Key Management ----------------
 OPTION ===> 2

 Enter the number of the desired option above.

   1 INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or
                                activate an updated Cryptographic Key Data Set
   2 SET MK                   - Set a master key (AES, DES, ECC)
   3 REENCIPHER CKDS          - Reencipher the CKDS prior to changing a symmetric
                                master key
   4 CHANGE SYM MK            - Change a symmetric master key and activate the
                                reenciphered CKDS
   5 INIT/REFRESH/UPDATE PKDS - Initialize a Public Key Data Set or
                                activate an updated Public Key Data Set or
                                update the Public Key Data Set header
   6 REENCIPHER PKDS          - Reencipher the PKDS
   7 CHANGE ASYM PKDS         - Change an asymmetric master key and activate the
                                reenciphered PKDS

After you select option 2, ICSF checks that the states of the registers are correct. ICSF then transfers the DES and/or the AES master key from the new master key register to the master key register. This process sets the master key.

When ICSF attempts to set the master key, it displays a message on the top right of the Master Key Management panel. The message indicates either that the master key was successfully set, or that an error prevented the completion of the set process.

5. You can now change the DES or AES master key, if you choose to, for security reasons. Continue with Changing Master Keys.

Adding Host Crypto Modules After ICSF Initialization


There may come a time when you wish to add additional host crypto modules to your system. After the new crypto modules have been installed and configured by the appropriate hardware personnel, make them known to the TKE workstation by following the appropriate procedure.

Note:

With TKE Version 4.0 and later, it is no longer necessary to exit the application to add new crypto module(s).


1. Open the Host where the crypto module(s) were added. You will be prompted to authenticate the crypto module.

2. Open the new crypto module(s).

3. Use the authority default signature key to administer access control (create the same roles and authorities for the new crypto module to match the crypto modules currently on the host). Load the authority signature keys to match the other crypto modules.

4. Load a new signature for an authority that can load master keys. If one authority does not have the ability to load all the master key parts for each master key, you may need to load additional authority signature keys.

5. Load the master keys.

Note:

The keys should be the same keys that you loaded to the other crypto modules. If you are adding more than one crypto module, load the keys in all crypto modules before setting the master key.

6. Set the asymmetric master key from TKE.

7. Set the DES or AES master key on the crypto module from ICSF (see Setting the Master Key) when everything is the same (roles, authorities, controls, master keys).

8. If desired, add the new crypto module to the group by doing a group change.

Asymmetric-keys Master Key Parts


When you enter the asymmetric master key the first time, the PKA callable services are initially disabled. Once you have entered the master key, you must enable the PKA callable services for these services to work. Before you change the asymmetric master keys, you need to disable the PKA callable services. To enable and disable the PKA callable services, refer to Disabling PKA Services.

To enter an asymmetric master key, you can either enter a first key part and a final key part, or a first key part, one or more intermediate key parts, and a final key part.

After you enter a key part for a DES or AES master key or asymmetric master key, the host crypto module calculates a sixteen-byte hash pattern. The hash patterns are displayed in a pop-up window for the administrator to verify. The hash patterns check whether you entered the key part correctly.


Tasks necessary for changing the asymmetric-keys master keys are listed here. Note that steps 2 through 4 are done at the TKE workstation.

1. Disable PKA Services

2. Clear New ASYM-MK (if not empty)

3. Load New ASYM-MK - first, one or more middle parts, last

4. Set ASYM-MK

5. PKDS Reencipher under the new PKA Master Key

6. PKDS Activate

7. Enable PKA Services

8. Enable PKDS Reads/Writes

Disabling PKA Services


When you enter or change the asymmetric master keys, the PKA services should first be disabled. To disable PKA services:

1. From TSO/E, access the user control functions by choosing option 4, ADMINCNTL, on the Primary Menu panel of ICSF, as shown in Figure 195.

Figure 195. Selecting the Administrative Control Option on the ICSF Primary Menu Panel

 CSF@PRIM ------------- Integrated Cryptographic Service Facility ---------
 OPTION ===> 4

 Enter the number of the desired option.

   1 COPROCESSOR MGMT - Management of Cryptographic Coprocessors
   2 MASTER KEY       - Master key set or change, CKDS/PKDS processing
   3 OPSTAT           - Installation options


   4 ADMINCNTL        - Administrative Control Functions
   5 UTILITY          - ICSF Utilities
   6 PPINIT           - Pass Phrase Master Key/CKDS Initialization
   7 TKE              - TKE Master and Operational key processing
   8 KGUP             - Key Generator Utility processes
   9 UDX MGMT         - Management of User Defined Extensions

2. The Administrative Control Function panel appears. See Figure 196.

Figure 196. Disabling the PKA Callable Services

 CSFACF00 ------------- ICSF Administrative Control Functions
 COMMAND ===>

   Active CKDS  CSF.CKDS
   Active PKDS  CSF.PKDS
   Active TKDS  CSF.TKDS

 To change the status of a control, enter the appropriate character
 (E - ENABLE, D - DISABLE) and press ENTER.

   Function                                  STATUS
   --------                                  ------
 . Dynamic CKDS Access                       ENABLED
 D PKA Callable Services                     ENABLED
 . PKDS Read Access                          ENABLED
 . PKDS Write, Create, and Delete Access     ENABLED

3. Type a 'D' to the left of the functions you want disabled and press ENTER.

Note:

Disabling PKA Callable Services automatically disables PKDS Read/Write/Create/Delete access as well.

Enabling PKA Services


")ter yo! enter or change the asymmetric master keys2 the 5K" services sho!*d 0e ena0*ed,

To ena0*e 5K" services.

&, From TSO/E2 access the !ser contro* )!nctions 0y choosing option >2 ";4ICT@2

on the 5rimary 4en! pane* o) ICSF2 as sho+n in Fig!re &,

Fig!re &, Se*ecting the "dministrative Contro* Option on the ICSF 5rimary 4en!

5ane* 

CSF@PRIM ------------- Integrated Cryptographic Service Facility---------

 OPTION ! 2

 Enter the n#$%er o& the de'ired option(

  ) COPROCESSOR M*MT - Manage$ent o& Cryptographic Coproce''or'

  " M+STER ,E - Ma'ter .ey 'et or change/ C,DS0P,DSproce''ing

  1 OPST+T - In'tallation option'

  2 +DMINCNT3 - +d$ini'trative Control F#nction'

  4 UTI3IT - ICSF Utilitie'

  5 PPINIT - Pa'' Phra'e Ma'ter ,ey0C,DSInitiali6ation

  7 T,E - T,E Ma'ter and Operational .eyproce''ing

  8 ,*UP - ,ey *enerator Utility proce''e'

  9 UD: M*MT - Manage$ent o& U'er De&ined E;ten'ion'

 

#, The "dministrative Contro* F!nction pane* appears, See Fig!re &(,

Fig!re &(, Ena0*ing and ;isa0*ing the 5K" Ca**a0*e Services 


 CSFACF00 ------------- ICSF Administrative Control Functions
 COMMAND ===>

   Active CKDS  CSF.CKDS
   Active PKDS  CSF.PKDS
   Active TKDS  CSF.TKDS

 To change the status of a control, enter the appropriate character (E - ENABLE,
 D - DISABLE) and press ENTER.

   Function                                  STATUS
   --------                                  ------
 . Dynamic CKDS Access                       ENABLED
 E PKA Callable Services                     DISABLED
 E PKDS Read Access                          DISABLED
 E PKDS Write, Create, and Delete Access     DISABLED

3. Enter the option and press ENTER.

o To enable the PKA callable services, type an 'E' before the function. Press ENTER.

o To enable PKDS Read Access, type an 'E' before the function. Press ENTER.

o To enable PKDS Write Access, type an 'E' before the function. Press ENTER.

Resetting Asymmetric Master Keys


If you realize that you have made a mistake entering key parts to the asymmetric master key register, you are able to reset the value in the register to zero. From the TKE workstation, access the domain window (see Domains Keys Page and Operational Keys). Select the asymmetric master key and then select Clear.

Notes:


1. Once the asymmetric master key has been changed, internal tokens in the PKDS are unusable. You will need to reencipher and activate the PKDS in order to use them with the changed master key. See Reenciphering and Refreshing the PKDS.

2. For RSA keys loaded into the PKDS from the TKE workstation, the process can be repeated to load the keys under the changed asymmetric master keys. See Load RSA Key to PKDS and Installing RSA Keys in the PKDS from a Data Set for details.

Reenciphering and Refreshing the PKDS


For security reasons, your installation should periodically change the asymmetric master key and reencipher the private keys.

To reencipher the PKDS after the ASYM-MK has been changed, go to the Master Key Management panel and select option 6.

Figure 199. Selecting the Reencipher PKDS Option on the Master Key Management Panel

 CSFMKM10 ---------------- ICSF - Master Key Management ----------------
 OPTION ===> 6

 Enter the number of the desired option above.

   1 INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or
                                activate an updated Cryptographic Key Data Set
   2 SET MK                   - Set a master key (AES, DES, ECC)
   3 REENCIPHER CKDS          - Reencipher the CKDS prior to changing a symmetric
                                master key
   4 CHANGE SYM MK            - Change a symmetric master key and activate the
                                reenciphered CKDS
   5 INIT/REFRESH/UPDATE PKDS - Initialize a Public Key Data Set or
                                activate an updated Public Key Data Set or
                                update the Public Key Data Set header


   6 REENCIPHER PKDS          - Reencipher the PKDS
   7 CHANGE ASYM PKDS         - Change an asymmetric master key and activate the
                                reenciphered PKDS

The Reencipher PKDS panel appears. In the Input PKDS field, specify the name of the PKDS that you want ICSF to reencipher under the current ASYM-MK.

In the Output PKDS field, specify the name of an empty VSAM data set. ICSF writes the reenciphered keys in this data set.

Figure 200. Reencipher PKDS

 CSFCMK11 ---------------- ICSF - Reencipher PKDS -------------
 COMMAND ===>

 To reencipher all PKDS entries from encryption under the old RSA master key
 and/or current ECC master keys to encryption under the current RSA master key
 and/or new ECC master key, enter the PKDS names below.

   Input PKDS  ===>
   Output PKDS ===>

 Press ENTER to reencipher the PKDS.
 Press END to exit to the previous menu

Press ENTER to reencipher the PKDS. Once successful, you will then want to refresh the PKDS. Return to the Master Key Management panel and select option 5.

Figure 201. Selecting the Refresh PKDS Option on the Master Key Management Panel

 CSFMKM10 ---------------- ICSF - Master Key Management ----------------
 OPTION ===> 7


 Enter the number of the desired option above.

   1 INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or
                                activate an updated Cryptographic Key Data Set
   2 SET MK                   - Set a master key (AES, DES, ECC)
   3 REENCIPHER CKDS          - Reencipher the CKDS prior to changing a symmetric
                                master key
   4 CHANGE SYM MK            - Change a symmetric master key and activate the
                                reenciphered CKDS
   5 INIT/REFRESH/UPDATE PKDS - Initialize a Public Key Data Set or
                                activate an updated Public Key Data Set or
                                update the Public Key Data Set header
   6 REENCIPHER PKDS          - Reencipher the PKDS
   7 CHANGE ASYM PKDS         - Change an asymmetric master key and activate the
                                reenciphered PKDS

The Activate PKDS panel appears. Enter the name of the PKDS that you want ICSF to use. The PKDS must have already been reenciphered under the current Signature/Asymmetric master key.

Figure 202. Refresh PKDS

 CSFCMK21 --------- ICSF - Activate PKA Cryptographic Key Data Set --------
 COMMAND ===>

 Enter the name of the new PKDS below.

   New PKDS ===>

 Press ENTER to activate the PKDS.
 Press END to exit to the previous menu


")ter yo! press ETE2 the 5K;S 0ecomes active,

@oading Operationa* Keys to the CK;S


You can load operational key parts into key part registers on host crypto modules. To load these keys into the CKDS, you need to use the ICSF Operational Key Load panel or KGUP. For KGUP details, refer to z/OS Cryptographic Services ICSF Administrator's Guide.

Before a key can be loaded into the CKDS from a key part register, it must be in the Complete State. If the key part register is not in the complete state, the error message KEY NOT COMPLETE will result. The access control point Key Part Import - RETRKPR must be enabled on the selected crypto module, or the error message ACCESS CONTROL FAILED will result.

To load operational keys into the CKDS, start at the ICSF main menu and follow these instructions:

1. Select option 1, COPROCESSOR MGMT, on the primary menu panel.

Figure 203. ICSF Primary Menu Panel

 CSF@PRIM ------------- Integrated Cryptographic Service Facility ---------
 OPTION ===> 1

 Enter the number of the desired option.

   1 COPROCESSOR MGMT - Management of Cryptographic Coprocessors
   2 MASTER KEY MGMT  - Master key set or change, CKDS/PKDS processing
   3 OPSTAT           - Installation options
   4 ADMINCNTL        - Administrative Control Functions
   5 UTILITY          - ICSF Utilities
   6 PPINIT           - Pass Phrase Master Key/CKDS Initialization
   7 TKE              - TKE Master and Operational key processing
   8 KGUP             - Key Generator Utility processes
   9 UDX MGMT         - Management of User Defined Extensions

#, The Coprocessor 4anagement pane* appears, 5!t a 'K' 0y the coprocessor that

contains the key part register to *oad,

Fig!re #>, Coprocessor 4anagement 5ane* 

CSF*CMP> ---------------- ICSF Coproce''or Manage$ent -------------

 COMM+ND !

Select the coproce''or' to %e proce''ed and pre'' ENTER(

+ction character' are +/ D/ E/ ,/ R/ and S( See the help panel &ordetail'(

COPROCESSOR SERI+3 NUM<ER ST+TUS

----------- ------------------------------- -------

G +>5 +CTIHE

G +>7 DE+CTIH+TED

G :>> 2"-,>>>) ON3INE

, :>2 2"-,>>21 +CTIHE

G :>4 2"-,>>48 DIS+<3ED

G :>5 2"-,>>44 DE+CTIH+TED

 

$, The Operationa* Key @oad pane* appears, The coprocessor previo!s*y se*ected and

the active CK;S are disp*ayed at the top o) the pane*,

Fig!re #B, Operationa* Key @oad 5ane* 

CSFCMP4> ------------ ICSF Operational ,ey 3oad -----

 COMM+ND !

Coproce''or 'elected &or neA .ey :>2

Page 130: Copy smart cards.docx

7/25/2019 Copy smart cards.docx

http://slidepdf.com/reader/full/copy-smart-cardsdocx 130/148

C,DS na$e CSF3P+R)(SSP3E:(C,DS

Enter the .ey la%el

,ey la%el

! FREDS(M+C(,E

Control Hector ! ES ES or NO

 

a, In the key *a0e* )ie*d2 enter the CK;S entry *a0e* )or the key, The *a0e* m!st

match the key *a0e* speci)ied on the key part in)ormation +indo+ on TKE

+hen the First key part +as *oaded to the key part register, Other+ise2 a ,E

NOT FOUND message is disp*ayed, See @oad to Key 5art egister First,

 0, In the contro* vector )ie*d enter ES or NO, This )ie*d on*y app*ies i) the key

 0eing *oaded is a standard C< importer or e3porter key, I) it is and yo! speci)y

NO2 ICSF +i** not e3c*!sive%or a contro* vector +ith the key 0e)ore !sing it,

Se*ect NO )or keys that +i** 0e e3changed +ith a system that does not !se

contro* vectors, The de)a!*t is ES,

I) a record a*ready e3ists in the CK;S +ith a *a0e* that matches the key *a0e* speci)ied2 the

Operationa* Key @oad pane* appears a*erting yo! that C,DS RECORD E:ISTS, I) yo!

+ant to rep*ace the e3isting key +ith the ne+ key yo! are trying to *oad2 press ENTER,

Fig!re #8, Operationa* Key @oad 5ane* CSFCMP4) ---------------- ICSF Operational ,ey 3oad -------------

 COMM+ND !

+ record Aith the &olloAing 'peci&ication' ha' %een &o#nd in the C,DS

,ey la%el M(E:ISTIN*(3+<E3(E:PORTER

Page 131: Copy smart cards.docx

7/25/2019 Copy smart cards.docx

http://slidepdf.com/reader/full/copy-smart-cardsdocx 131/148

,ey type E:PORTER

 

When the key has 0een s!ccess)!**y *oaded the EC%=EO va*!e 6;ES Operationa* Keys7

or the "ES%<5 va*!e 6"ES Operationa* Keys7 o) the key and the contro* vector are disp*ayed

)or the !ser,

Fig!re #, Operationa* Key @oad 5ane* % EC%=EO and C< va*!es disp*ayed CSFCMP4> ------------ ICSF Operational ,ey 3oad ----- ,E 3O+D COMP3ETE

COMM+ND !

Coproce''or 'elected &or neA .ey :>2

C,DS na$e CSF3P+R)(SSP3E:(C,DS

Enter the .ey la%el

,ey la%el

! FREDS(M+C(,E

Control Hector ! ES ES or NO

ENC-ERO HP >)"12457

Control vector >>>42D>>>12)>>>> >>>42D>>>1")>>>>

Fig!re #(, Operationa* Key @oad 5ane* % "ES contro* vector va*!es disp*ayed CSFCMP4> ------------ ICSF Operational ,ey 3oad ----- ,E 3O+D COMP3ETE

Page 132: Copy smart cards.docx

7/25/2019 Copy smart cards.docx

http://slidepdf.com/reader/full/copy-smart-cardsdocx 132/148

 COMM+ND !

Coproce''or 'elected &or neA .ey :>2

C,DS na$e CSF3P+R)(SSP3E:(C,DS

Enter the .ey la%el

,ey la%el

! FREDS(+ES(,E

Control Hector ! ES ES or NO

+ES-HP

Control vector >>>>>>>>>>>>>>>>
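The YES/NO choice in step 3b is easier to reason about with the arithmetic in view. The following Python is an added illustration, not ICSF or CCA code: it takes the control vector that the panel in Figure 207 displays for FREDS.MAC.KEY, checks the even-parity property that lets a control vector be exclusive-ored into an odd-parity DES key-encrypting key without spoiling its parity, and contrasts the KEK variant produced under YES with the unchanged KEK that NO selects for interchange with a system that does not use control vectors. The KEK value is constructed for the example, the key-form bit decoding is an assumption about the CCA control-vector layout, and the TDES step of real key wrapping is left out.

```python
"""Added example: the control-vector (CV) arithmetic behind the
Control Vector ===> YES/NO field on the Operational Key Load panel.

Illustration code, not ICSF or CCA code.  The CV is the value the panel
displays for FREDS.MAC.KEY; the DES key-encrypting key is constructed.
Only the exclusive-or step is modelled; CCA also runs TDES over the key.
"""

# Control vector displayed for FREDS.MAC.KEY (left half, right half).
CV_FREDS_MAC = bytes.fromhex("00054D0003410000" + "00054D0003210000")

# Control Vector ===> NO: no CV is exclusive-ored with the key.
CV_NONE = bytes(16)

# Constructed double-length DES key-encrypting key, odd parity per byte.
KEK = bytes.fromhex("0123456789ABCDEF" + "FEDCBA9876543210")


def has_odd_parity(b: int) -> bool:
    """DES keys carry one parity bit per byte (the low bit), odd parity."""
    return bin(b).count("1") % 2 == 1


def cv_is_well_formed(cv: bytes) -> bool:
    """A CCA control vector is 16 bytes and every byte has even parity,
    so XORing it into an odd-parity DES key leaves the parity odd."""
    return len(cv) == 16 and all(not has_odd_parity(b) for b in cv)


def key_form(cv_half: bytes) -> str:
    """Decode the key-form bits (CV bits 40-42, top three bits of byte 5).
    Assumption about the CCA layout: 000 single-length key, 010 left
    half and 001 right half of a double-length key."""
    bits = (cv_half[5] >> 5) & 0b111
    return {0: "single-length", 2: "left half", 1: "right half"}.get(bits, "other")


def variant(kek: bytes, cv: bytes) -> bytes:
    """The KEK actually used to wrap a key: each half of the KEK is XORed
    with the matching half of the wrapped key's CV.  With CV_NONE the KEK
    is used unchanged, which is what answering NO selects."""
    if len(kek) != 16 or not cv_is_well_formed(cv):
        raise ValueError("double-length KEK and well-formed 16-byte CV required")
    return bytes(k ^ c for k, c in zip(kek, cv))


def check_parity_preserved(kek: bytes, cv: bytes) -> bool:
    """True if every byte of the variant KEK still has odd DES parity."""
    return all(has_odd_parity(b) for b in variant(kek, cv))


if __name__ == "__main__":
    print("CV well formed :", cv_is_well_formed(CV_FREDS_MAC))
    print("key form       :", key_form(CV_FREDS_MAC[:8]), "/", key_form(CV_FREDS_MAC[8:]))
    print("variant (YES)  :", variant(KEK, CV_FREDS_MAC).hex().upper())
    print("variant (NO)   :", variant(KEK, CV_NONE).hex().upper())
    print("parity kept    :", check_parity_preserved(KEK, CV_FREDS_MAC))
```

Run stand-alone it prints the two variants side by side; the practical point is that a peer without control vectors must receive keys wrapped under the bare KEK (the NO case), otherwise it will unwrap under the wrong key and the imported value will be garbage that only shows up as a verification-pattern mismatch.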

Refreshing the CKDS

At any time, without disrupting cryptographic functions, you can refresh the in-storage CKDS with an updated or different disk copy of the CKDS by following these steps:

1. Enter option 2, Master Key, on the ICSF Primary Menu to access the Master Key process panel. Enter option 1, INIT/REFRESH/UPDATE CKDS, to access the Initialize a CKDS panel, which is shown in Figure 209.

Figure 209. ICSF Initialize a CKDS Panel

CSFCKD10 ---------------- ICSF - Initialize a CKDS ----------------
 COMMAND ===> 2

 Enter the number of the desired option.

   1 Initialize an empty CKDS (creates the header and system keys)
   2 REFRESH - Activate an updated CKDS

 Enter the name of the CKDS below.
   CKDS ===> FIRST.EMPTY.CKDS

2. In the CKDS field, specify the name of the disk copy of the CKDS that you want ICSF to read into storage.

3. Choose option 2, REFRESH, and press ENTER.

   ICSF places the disk copy of the specified CKDS into storage. Partial keys that may exist when you enter keys manually are not loaded into storage during a REFRESH. Applications running on ICSF are not disrupted. A message stating that the CKDS was refreshed appears on the right of the top line on the panel.

   After the CKDS is read into storage, ICSF performs a MAC verification on each record in the CKDS if record authentication is enabled. If a record fails the MAC verification, a message giving the key label and type for that record is sent to the MVS security console. You can then delete the record from the CKDS using KGUP or the dynamic CKDS update services. Any other attempt to access a record that has failed MAC verification results in an invalid MAC return code and reason code.

4. Press END to return to the Primary Menu panel.

Updating the CKDS with the AES master key

On systems that support the AES master key, you can add the AES master key to any existing CKDS. It is also possible to add the DES master key to a CKDS that was initialized with only the AES master key.

These are the steps to update the CKDS:

1. Load the new AES master key by using the master key entry panels or by using TKE. The AES master key must be loaded on all active coprocessors.

2. From the Primary Menu, select option 2, MASTER KEY MGMT:

Figure 210. Selecting the Master Key option on the primary menu panel

CSF@PRIM --------- Integrated Cryptographic Service Facility ---------
 OPTION ===> 2

 Enter the number of the desired option.

   1 COPROCESSOR MGMT - Management of Cryptographic Coprocessors
   2 MASTER KEY MGMT  - Master key set or change, CKDS/PKDS processing
   3 OPSTAT           - Installation options
   4 ADMINCNTL        - Administrative Control Functions
   5 UTILITY          - ICSF Utilities
   6 PPINIT           - Pass Phrase Master Key/CKDS Initialization
   7 TKE              - TKE Master and Operational Key processing
   8 KGUP             - Key Generator Utility processes
   9 UDX MGMT         - Management of User Defined Extensions

     Licensed Materials - Property of IBM
     5694-A01 (C) Copyright IBM Corp. 1990, 2008. All rights reserved.
     US Government Users Restricted Rights - Use, duplication or
     disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

 Press ENTER to go to the selected option.
 Press END to exit to the previous menu.

3. Select option 1, INIT/REFRESH/UPDATE CKDS.

Figure 211. ICSF Master Key Management Panel

CSFMKM10 ---------------- ICSF - Master Key Management ----------------
 OPTION ===> 1

 Enter the number of the desired option above.

   1 INIT/REFRESH/UPDATE CKDS - Initialize a Cryptographic Key Data Set or
                                activate an updated Cryptographic Key Data Set
   2 SET MK                   - Set a master key (AES, DES, ECC)
   3 REENCIPHER CKDS          - Reencipher the CKDS prior to changing a symmetric
                                master key
   4 CHANGE SYM MK            - Change a symmetric master key and activate the
                                reenciphered CKDS
   5 INIT/REFRESH/UPDATE PKDS - Initialize a Public Key Data Set or
                                activate an updated Public Key Data Set or
                                update the Public Key Data Set header
   6 REENCIPHER PKDS          - Reencipher the PKDS
   7 CHANGE ASYM PKDS         - Change an asymmetric master key and activate the
                                reenciphered PKDS

4. The Initialize a CKDS panel appears. In the CKDS field, enter the name of an existing, initialized CKDS.

Figure 212. ICSF Initialize a CKDS Panel if AES master keys are supported

CSFCKD20 ---------------- ICSF - Initialize a CKDS ----------------
 COMMAND ===>

 Enter the number of the desired option.

   1 Initialize an empty CKDS
       Record authentication required? (Y/N) ===>
   2 REFRESH - Activate an updated CKDS
   3 Update an existing CKDS

 Enter the name of the CKDS below.
   CKDS ===> FIRST.EMPTY.CKDS

5. Choose option 3, Update an existing CKDS, and press ENTER. ICSF checks the status of the new master key registers and writes the master key verification pattern of the master key to the CKDS header record. Note that every CKDS you wish to update should be processed this way before you go on to step 6.

6. In the CKDS field, enter the name of the updated CKDS that will be the active CKDS.

7. Select option 2, REFRESH, and press ENTER. The in-storage copy of the CKDS is replaced with your updated CKDS.

Figure 213. ICSF Initialize a CKDS Panel

CSFCKD20 ---------------- ICSF - Initialize a CKDS ----------------
 COMMAND ===>

 Enter the number of the desired option.

   1 Initialize an empty CKDS
       Record authentication required? (Y/N) ===>
   2 REFRESH - Activate an updated CKDS
   3 Update an existing CKDS

 Enter the name of the CKDS below.
   CKDS ===> FIRST.EMPTY.CKDS

8. Return to the Master Key Management panel by pressing END. Choose option 2, SET MK, and press ENTER. ICSF sets the AES master key, and your system can then be used for AES key operations.

Insta**ing S" Keys in the 5K;S )rom a ;ata Set

z/OS Cryptographic Services ICSF TKE Workstation User's !ide

S"#$%##&&%(

I) yo! !sed TKE to *oad an S" key into a host data set mem0er on 4<S 6see @oading

Operationa* Keys to the CK;S72 yo! *oad it )rom the data set to the 5K;S 0y this method,

&, Se*ect Option 2 TKE2 on the ICSF 5rimary Option 4en!,

Fig!re #&>, Se*ecting the TKE Option on the ICSF 5rimary 4en! 5ane* 

CSF@PRIM ------------- Integrated Cryptographic Service Facility---------

 OPTION ! 7

 Enter the n#$%er o& the de'ired option(

  ) COPROCESSOR M*MT - Manage$ent o& Cryptographic Coproce''or'

  " M+STER ,E M*MT - Ma'ter .ey 'et or change/ C,DS0P,DSproce''ing

  1 OPST+T - In'tallation option'

Page 138: Copy smart cards.docx

7/25/2019 Copy smart cards.docx

http://slidepdf.com/reader/full/copy-smart-cardsdocx 138/148

  2 +DMINCNT3 - +d$ini'trative Control F#nction'

  4 UTI3IT - ICSF Utilitie'

  5 PPINIT - Pa'' Phra'e Ma'ter ,ey0C,DSInitiali6ation

  7 T,E - T,E Ma'ter and Operational .eyproce''ing

  8 ,*UP - ,ey *enerator Utility proce''e'

  9 UD: M*MT - Manage$ent o& U'er De&ined E;ten'ion'

 

#, The TKE 5rocessing Se*ection pane* appears, Se*ect option $,

Fig!re #&B, Se*ecting 5K" Key entry on the TKE 5rocessing Se*ection 5ane* 

CSFOP,>> ---------------- ICSF - T,E Proce''ing Selection-------------

 OPTION ! 1

 Enter the n#$%er o& the de'ired option(

  ) DES Ma'ter .ey entry

  " DES Operational .ey entry

  1 P,+ .ey entry

 

$, On the ICSF 5K" ;irect Key @oad pane*2 enter the name o) the pre%a**ocated

 partitioned data set and the mem0er name o) the S" key to 0e *oaded into the5K;S,

Fig!re #&8, 5K" ;irect Key @oad 

CSFTP3>> -------------- ICSF - P,+ Direct ,ey 3oad---------------

Enter the data 'et na$e and the .ey 'peci&ication'(

,ey Data Set

 Na$e ! '>9(p.d'?r'a.ey)GGGGGGGGGGGGGGGGGGGGGGGGGG

Page 139: Copy smart cards.docx

7/25/2019 Copy smart cards.docx

http://slidepdf.com/reader/full/copy-smart-cardsdocx 139/148

Pre'' ENTER to 'elect the data 'et and the .ey(

Pre'' END to e;it to the previo#' $en#(

OPTION !

I) the S" key is *oaded s!ccess)!**y into the 5K;S2 a :O&D CO#-:*)*D message is

disp*ayed in the !pper right corner, I) an error occ!rs d!ring the *oad process2 an app*ica0*e

error message is disp*ayed in the !pper right corner +ith detai*ed error in)ormation disp*ayed

in the midd*e o) the disp*ay )or se*ected errors, -o! may a*so press the 5F& key )or more

in)ormation,

Cryptographic Node Management Utility (CNM)

The Cryptographic Node Management (CNM) utility is a Java application that provides a graphical user interface to initialize and manage the TKE cryptographic adapter. It is part of the IBM Cryptographic Coprocessor CCA Support Program.

This topic describes the functions of CNM that are used for initializing and managing the Crypto Adapter in the TKE workstation.

Note:

Smart Card and Smart Card Group options within the CNM panels will only be available if CNM is enabled to support Smart Cards. See Initializing TKE for smart cards.

To start CNM, click with the left mouse button on the Trusted Key Entry link in the left-hand panel of the main Trusted Key Entry Console page. Then, under the Applications section displayed in the right-hand panel, click with the left mouse button on Cryptographic Node Management Utility.

Figure 217. CNM main window

Passphrase Logon

When logging on to the Cryptographic Node Management Utility (CNM), you will be prompted to enter a user ID and passphrase. They are both case sensitive. The user ID and passphrase could be one of the predefined ones shipped with the TKE (such as user ID TKEADM), or one that has been defined at your installation.

Figure 218. Passphrase logon prompt

Smart Card Logon

When you click on the CNM Utility's Smart Card Logon button, you will be prompted to insert your TKE smart card into smart card reader 2 and to enter your PIN.

Note:

Smart card support must be activated in CNM before logon with a TKE smart card is available.

Figure 219. TKE smart card prompt

Figure 220. PIN prompt

Group Logon

Group logon allows multiple users to cosign a logon to the TKE cryptographic adapter. When you click on the CNM utility's Group Logon button, a dialog box will prompt you to enter a group profile name for Group ID. Profile names are case sensitive.

Figure 221. Passphrase group logon - group member list

There are two types of group logon:

• Passphrase Group Logon

• Smart Card Group Logon

Passphrase Group Logon

The passphrase group logon window is displayed if a passphrase group profile name is entered at the Group Logon prompt.

Figure 222. Group logon prompt

In this window, the group profile name is displayed and the authentication method is Passphrase.

Group members required for logon is the number of users who must sign the logon before the logon is performed. To sign the logon, the selected group member must enter his or her passphrase.

Group members ready for logon is the number of users that have entered their passphrase. This counter is incremented each time a user signs the logon.

The group members are listed. Select a group member from the list and press the Enter Passphrase button. The user is prompted for his or her passphrase.

Figure 223. Passphrase group logon - enter passphrase prompt

The list is updated indicating that the user is ready for logon. The Group members ready for logon field is incremented.

Figure 224. Passphrase group logon - member is ready for logon

When Group members ready for logon equals Group members required for logon, the logon is performed.

If the group logon is successful, a Group Logon Completed message is displayed.

Figure 225. Passphrase group logon successful

If the group logon should fail (for example, a user profile has expired, an incorrect passphrase was entered, etc.), Group members ready for logon is reset to zero and group logon must start over.

Smart Card Group Logon

The smart card group logon window is displayed if a smart card group profile is entered at the Group Logon prompt.

Figure 226. Smart card group logon window

In this window, the group profile name is displayed and the authentication method is Smart card.

Group members required for logon is the number of users who must sign the logon before the logon is performed. To sign the logon, the group member must insert his or her TKE smart card into Smart Card Reader 2 and enter his or her correct PIN on the Smart Card Reader 2 PIN pad.

Group members ready for logon is the number of users who have signed the logon with their TKE smart card and PIN. This counter is incremented each time a user signs the logon.

The group members are listed. Insert the TKE smart card for a group member and press the Read Smart Card button. The user is prompted for his or her PIN. If the PIN is correct, the list is updated indicating that the user is ready for logon. Group members ready for logon is incremented. If an incorrect PIN is entered, the user is prompted to retry another PIN or cancel.

Figure 227. Smart card group logon - retry PIN prompt

Figure 228. Smart card group logon window - member is ready for logon

Note:

A TKE smart card is blocked after three incorrect PIN attempts. To unblock a PIN, you must exit from CNM and use the Smart Card Utility Program (SCUP). (Refer to Unblock PIN on a TKE smart card.)

When Group members ready for logon equals Group members required for logon, the logon is performed. If the group logon is successful, Group Logon Completed will be displayed.

Figure 229. Smart card group logon successful

If the group logon should fail (for example, a user profile has expired), Group members ready for logon is reset to zero and group logon must start over.
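To make the two counters and the failure rules above concrete, here is an added Python model of group logon. It is illustration code, not CNM or TKE code, and the group profile name TKEGRP, the member names, passphrases and PINs are all constructed. It keeps Group members required for logon against Group members ready for logon, resets the ready count when a passphrase is wrong or a profile has expired, lets a wrong PIN be retried, and blocks a card after three wrong PINs until it is unblocked outside CNM (modelled by the scup_unblock method).

```python
"""Added example: a model of CNM group logon (passphrase and smart card).

Illustration code, not CNM or TKE code.  Profile, member names, passphrases
and PINs are constructed for the example.
"""
import hashlib
import hmac

PIN_ATTEMPTS = 3  # a TKE smart card is blocked after three incorrect PINs


def _digest(secret: str) -> bytes:
    # Model only: secrets are held as SHA-256 digests so the comparison is
    # constant-time; real TKE profiles live inside the cryptographic adapter.
    return hashlib.sha256(secret.encode("utf-8")).digest()


class Member:
    def __init__(self, name: str, secret: str, expired: bool = False):
        self.name = name
        self._digest = _digest(secret)   # passphrase, or smart card PIN
        self.expired = expired           # an expired profile fails the logon
        self.pin_failures = 0
        self.blocked = False             # card blocked, needs SCUP to unblock

    def verify(self, secret: str) -> bool:
        return hmac.compare_digest(self._digest, _digest(secret))

    def scup_unblock(self) -> None:
        """Unblock PIN on a TKE smart card: done outside CNM with SCUP."""
        self.blocked = False
        self.pin_failures = 0


class GroupLogon:
    """Tracks 'Group members required for logon' (required) against
    'Group members ready for logon' (the ready set)."""

    def __init__(self, profile: str, method: str, required: int, members):
        if method not in ("passphrase", "smartcard"):
            raise ValueError("method must be passphrase or smartcard")
        self.profile, self.method, self.required = profile, method, required
        self.members = {m.name: m for m in members}
        self.ready = set()
        self.completed = False

    def ready_count(self) -> int:
        return len(self.ready)

    def sign(self, name: str, secret: str) -> str:
        """One member signs the logon; returns the outcome CNM would show."""
        if self.completed:
            return "Group Logon Completed"
        m = self.members[name]
        if m.expired:                       # whole group logon starts over
            self.ready.clear()
            return "failed: profile expired, group logon must start over"
        if self.method == "smartcard":
            if m.blocked:
                return "blocked: unblock the PIN with SCUP"
            if not m.verify(secret):        # wrong PIN: retry, then block
                m.pin_failures += 1
                if m.pin_failures >= PIN_ATTEMPTS:
                    m.blocked = True
                    return "blocked: unblock the PIN with SCUP"
                return "retry PIN"
            m.pin_failures = 0
        elif not m.verify(secret):          # wrong passphrase: start over
            self.ready.clear()
            return "failed: incorrect passphrase, group logon must start over"
        self.ready.add(name)                # member is ready for logon
        if len(self.ready) >= self.required:
            self.completed = True
            return "Group Logon Completed"
        return "ready for logon"


def smart_card_scenario() -> list:
    """2-of-3 smart card group: alice blocks her card, bob and carol cosign."""
    g = GroupLogon("TKEGRP", "smartcard", 2,
                   [Member("alice", "1234"), Member("bob", "2468"),
                    Member("carol", "1357")])
    return [g.sign("alice", "0000"), g.sign("alice", "1111"),
            g.sign("alice", "2222"), g.sign("alice", "1234"),
            g.sign("bob", "2468"), g.sign("carol", "1357")]


def passphrase_scenario() -> list:
    """2-of-3 passphrase group: one wrong passphrase resets the ready count."""
    g = GroupLogon("TKEGRP", "passphrase", 2,
                   [Member("alice", "correct horse"), Member("bob", "battery"),
                    Member("carol", "staple")])
    first = g.sign("alice", "correct horse")
    failed = g.sign("bob", "wrong")
    after_reset = g.ready_count()
    return [first, failed, after_reset,
            g.sign("alice", "correct horse"), g.sign("bob", "battery")]


if __name__ == "__main__":
    for line in smart_card_scenario() + passphrase_scenario():
        print(line)
```

The asymmetry between the two methods is deliberate and mirrors the text: a wrong PIN costs one of the card's three attempts but does not disturb the other signers, whereas a wrong passphrase or an expired profile throws away every signature collected so far.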

File Menu

From the File pull-down, you can choose any of the following:

• CNI Editor

• Enable Smart Card Readers

• Exit

• Exit and Logoff

CNI Editor

The CNI Editor is a utility within the CNM Utility that is used to create CNI scripts to automate some of the functions of CNM.

Enable Smart Card Readers

This option enables smart card readers. This not only enables smart card readers for CNM, but also for other TKE applications.

Exit and Logoff

To log off from the TKE cryptographic adapter and exit from CNM, select Exit and Logoff from the File pull-down menu.

Select Yes to confirm logoff. A successful message is displayed.