Migrate key store files from the IBM CCA Services for OS/400 PRPQ

If you currently use the Common Cryptographic Architecture (CCA) Services for OS/400® (5799-FRF), you can migrate the keys in the key store file so that your Cryptographic Coprocessor can use them. The Coprocessor uses the migrated keys with the CCA Cryptographic Service Provider (CCA CSP, which is packaged as i5/OS™ Option 35).

Note: You cannot migrate all keys, because the CCA Services supports a wider range of key types than the Cryptographic Coprocessor. For example, you cannot migrate keys whose control vector has the prohibit-export bit set: Key_Export refuses to wrap such a key, so it can never leave the source system. Also, you cannot migrate any of the PKA keys in the CCA Services, because the public key algorithm (PKA) support in CCA Services is significantly different from that in the Cryptographic Coprocessor.

To migrate your Data Encryption Standard (DES) keys, you need to write two programs. Two program examples, Example: EXPORTing keys and Example: IMPORTing keys, are provided; you can change and run them to migrate the key store files. The CCA defines the format of the external DES key tokens, so that format is the same for both products.

Use the EXPORT program together with the IMPORT program. Together they migrate DES keys from the IBM® CCA Services to your Cryptographic Coprocessor and CCA CSP. Run the EXPORT program first to generate a file that contains the key information in a secure, exportable form (each key is wrapped under the shared key-encrypting key, so the file never holds a clear key). Then transfer the file to the target server and run the IMPORT program to import the keys from the file into a key storage file that you have created. The key storage file into which you want to import the keys must already exist before you run the program.
Note: If you choose to use the program examples provided, change them to suit your specific needs. For security reasons, IBM recommends that you individualize these program examples rather than using the default values provided.

To change the program examples, follow these steps.

  1. Import the same clear key value for a key-encrypting key into both products. In the CCA Services, the key-encrypting key must be an EXPORTER; in CCA CSP it must be an IMPORTER. Use a key value you generate yourself rather than the default in the examples.
  2. Change the EXPORT program so that it calls the Key_Export (CSNBKEX) CCA API in the CCA Services once for each key you want to migrate, with the EXPORTER key-encrypting key from step 1.
  3. Change the IMPORT program so that it calls the Key_Import (CSNBKIM) CCA API once for each output external key token, importing the token into CCA CSP and your Cryptographic Coprocessor under the IMPORTER key-encrypting key from step 1.

Once you change the program to address each key, you can run the program. Remember to run EXPORT first and then IMPORT.
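The three-step flow above, modelled as an added, runnable illustration that is not IBM's code. The real CCA calls (CSNBKEX, CSNBKIM), DES, and the 64-byte CCA key-token layout are replaced by small stand-ins so the logic can be run offline: the control-vector bit values, the key labels, the hash-based Feistel block cipher, and the token fields are all assumptions made here. What it keeps from the real design is what matters for the migration: the same clear key-encrypting key (KEK) is installed with the EXPORTER role on the source and the IMPORTER role on the target, each key is wrapped under the KEK modified by the key's own control vector, the import side rejects a KEK with the wrong role, and a key with the prohibit-export bit is refused at export and reported as skipped rather than silently lost.

```python
"""Model of the EXPORT-then-IMPORT DES key migration (constructed example)."""
import hashlib
from dataclasses import dataclass

# Assumed control-vector bits (illustrative, not CCA's real CV encoding).
CV_DATA = 0x01
CV_EXPORTER = 0x02
CV_IMPORTER = 0x04
CV_PROHIBIT_EXPORT = 0x80


class CCAError(Exception):
    """Stands in for a non-zero CCA return/reason code."""


@dataclass
class StoredKey:
    cv: int         # control vector: key type plus usage restrictions
    value: bytes    # clear key here; the real product keeps it under the master key


@dataclass
class ExternalToken:
    cv: int         # carried in clear, and also bound into the wrapping
    wrapped: bytes  # key value encrypted under (KEK xor CV)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _block(block: bytes, key: bytes, encrypt: bool) -> bytes:
    """8-round Feistel permutation on one 8-byte block (stand-in for DES)."""
    left, right = block[:4], block[4:]
    order = range(8) if encrypt else range(7, -1, -1)
    for i in order:
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:4]
        left, right = right, _xor(left, f)
    return right + left  # final swap: decryption is the same network run in reverse


def _ecb(data: bytes, key: bytes, encrypt: bool) -> bytes:
    """ECB over 8-byte blocks, the way CCA wraps the halves of a DES key."""
    assert len(data) % 8 == 0, "DES keys are 8, 16 or 24 bytes"
    return b"".join(_block(data[i:i + 8], key, encrypt) for i in range(0, len(data), 8))


def _cv_modified_kek(kek: StoredKey, cv: int) -> bytes:
    """CCA binds the key's control vector into the wrap by XORing it into the KEK."""
    return _xor(kek.value, cv.to_bytes(len(kek.value), "big"))


def key_export(store: dict, label: str, kek_label: str) -> ExternalToken:
    """Model of Key_Export (CSNBKEX): wrap an operational key under an EXPORTER KEK."""
    kek, key = store[kek_label], store[label]
    if not kek.cv & CV_EXPORTER:
        raise CCAError(f"{kek_label}: key-encrypting key is not an EXPORTER")
    if key.cv & CV_PROHIBIT_EXPORT:
        raise CCAError(f"{label}: prohibit-export bit set, key cannot leave the source")
    return ExternalToken(key.cv, _ecb(key.value, _cv_modified_kek(kek, key.cv), True))


def key_import(store: dict, token: ExternalToken, kek_label: str, label: str) -> None:
    """Model of Key_Import (CSNBKIM): unwrap under an IMPORTER KEK into the target store."""
    kek = store[kek_label]
    if not kek.cv & CV_IMPORTER:
        raise CCAError(f"{kek_label}: key-encrypting key is not an IMPORTER")
    clear = _ecb(token.wrapped, _cv_modified_kek(kek, token.cv), False)
    store[label] = StoredKey(token.cv, clear)


def migrate(source: dict, target: dict, labels, kek_label: str = "MIGRATE.KEK"):
    """EXPORT on the source, then IMPORT on the target, one key at a time.

    Returns (migrated, skipped): keys the source refuses to export are reported,
    not silently dropped, so the operator can see which keys did not move.
    """
    migrated, skipped = [], []
    for label in labels:
        try:
            token = key_export(source, label, kek_label)
        except CCAError:
            skipped.append(label)
            continue
        key_import(target, token, kek_label, label)
        migrated.append(label)
    return migrated, skipped


def demo():
    """Constructed key stores; the same clear KEK value is installed with different roles."""
    kek_clear = bytes(range(16))  # assumed 16-byte clear KEK entered on both systems
    source = {
        "MIGRATE.KEK": StoredKey(CV_EXPORTER, kek_clear),
        "PIN.DATA.01": StoredKey(CV_DATA, b"\x10\x32\x54\x76\x98\xba\xdc\xfe"),
        "LOCAL.ONLY": StoredKey(CV_DATA | CV_PROHIBIT_EXPORT, b"\x01" * 16),
    }
    target = {"MIGRATE.KEK": StoredKey(CV_IMPORTER, kek_clear)}
    migrated, skipped = migrate(source, target, ["PIN.DATA.01", "LOCAL.ONLY"])
    return migrated, skipped, target


if __name__ == "__main__":
    m, s, _ = demo()
    print("migrated:", m, "skipped:", s)
```

Because the control vector is XORed into the wrapping key, a token whose clear CV field is altered in transit (for example to turn a DATA key into an EXPORTER) unwraps to garbage instead of to a usable key with new privileges; that property, not the stand-in cipher, is the point to carry over to the real CCA tokens.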

Note: Read the Code license and disclaimer information for important legal information.