Configure the Cryptographic Coprocessor

Configuring your Cryptographic Coprocessor allows you to begin to use all of its cryptographic operations.

The easiest and fastest way to configure your Cryptographic Coprocessor is to use the Cryptographic Coprocessor configuration web–based utility found off of the System Tasks page at http://server-name:2001 (specify another port if you have changed it from port 2001). The utility includes the Basic configuration wizard that is used for configuring (and initializing) a Coprocessor that has not been previously configured. If HTTP and SSL have not been previously configured, you will need to do the following before using the Configuration Wizard.

• Start the HTTP Administrative server.
• Configure the HTTP Administrative server to use SSL.
• Use DCM to create a certificate, specifying that the private key be generated and stored in software.
• Use DCM to receive the signed certificate.
• Associate the certificate with the HTTP Administrative server application ID.
• Restart the HTTP Administrative server to enable it for SSL processing.

If the Cryptographic Coprocessor has already been configured, then click on the Manage configuration option to change the configuration for specific portions of the Coprocessor.

If you would prefer to write your own application to configure the Coprocessor, you can do so by using the Cryptographic_Facility_Control (CSUACFC), Access_Control_Initialize (CSUAACI), Master_Key_Process (CSNBMKP), and Key_Store_Initialize (CSNBKSI) API verbs. Many of the pages in this section include one or more program examples that show how to configure the Coprocessor via an application. Change these programs to suit your specific needs.

Whether you choose to use the Cryptographic Coprocessor configuration utility or write your own applications, the following outlines the steps you must take to properly configure your Cryptographic Coprocessor:

• Create a device description
  The device description specifies a default location for key storage. You can create a device description with or without naming any key store files.
• Name files to key store file
  Before you can perform any operation using a key store file or key stored in a key store file, you must name the key store file.
• Set the environment ID and clock
  Your Cryptographic Coprocessor uses the EID to verify which Coprocessor created a key token. It uses the clock for time and date stamping and to control whether a profile can log on.
• Load a function control vector
  The function control vector tells the Cryptographic Coprocessor what key length to use to create keys. You cannot perform any cryptographic functions without loading a function control vector.
• Load and set a master key
  After you load a function control vector, load and set the master key. You can use your master key to encrypt other keys.
• Configure the Cryptographic Coprocessor for use with DCM and SSL
  Read this information to make the Cryptographic Coprocessor ready for use with SSL.
• Configure the Cryptographic Coprocessor for use with i5/OS applications
  This topic lists the steps needed to make Cryptographic Coprocessors ready for use with an i5/OS™ application.