ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzajc_5.4.0.1/rzajcmasterkey.htm


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Load and set a master key" />
<meta name="abstract" content="After you load a function control vector, load and set the master key. You can use your master key to encrypt other keys." />
<meta name="description" content="After you load a function control vector, load and set the master key. You can use your master key to encrypt other keys." />
<meta name="DC.Relation" scheme="URI" content="rzajccontrolvector.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="masterkey" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Load and set a master key</title>
</head>
<body id="masterkey"><a name="masterkey"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Load and set a master key</h1>
<div><p>After you load a function control vector, load and set the master
key. You can use your master key to encrypt other keys.</p>
<p>After you load a function control vector, you can load and set a master
key. The Coprocessor uses the master key to encrypt all operational keys.
The master key is a special key-encrypting key stored in the clear (not encrypted)
within the Coprocessor secure module. Your Coprocessor uses the master key
to encrypt other keys so that you can store those keys outside of your Coprocessor.
The master key is a 168-bit key formed from at least two 168-bit parts exclusive
ORed together.</p>
<div class="note"><span class="notetitle">Note:</span> Read the <a href="codedisclaimer.htm#codedisclaimer">Code license and disclaimer information</a> for
important legal information.</div>
</div>
<div><div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzajccontrolvector.htm" title="The function control vector tells the Cryptographic Coprocessor what key length to use to create keys. You cannot perform any cryptographic functions without loading a function control vector.">Load a function control vector</a></div>
</div>
</div><div class="nested1" xml:lang="en-us" id="loadingamasterkey"><a name="loadingamasterkey"><!-- --></a><h2 class="topictitle2">Loading a master key</h2>
<div><p>There are three registers for your master keys: New, Current, and
Old. The New master key register holds a pending master key while
it is being built; it is not used to encrypt any keys. The Current master
key register holds the master key that is currently being used to encrypt
newly generated, imported, or re-enciphered keys. The Old master key register
holds the previous master key. It is used to recover keys after a master
key change has occurred. When you load a master key, the Coprocessor places
it into the New master key register. It remains there until you set the master
key.</p>
<div class="p">Choose one of these three ways to create and load a master key, based on
your security needs: <ul><li>Load the first key part and the subsequent key parts separately to maintain
split knowledge of the key as a whole. This is the least secure method, but
you can increase security by giving each key part to a separate individual.</li>
<li>Use random key generation, which will remove any human knowledge of the
key. This is the most secure method for loading a master key, but you will
need to clone this randomly generated master key into a second Cryptographic
Coprocessor in order to have a copy of it.</li>
<li>Use a pre-existing master key by cloning it from another Coprocessor. </li>
</ul>
</div>
</div>
<div><div class="relinfo"><strong>Related information</strong><br />
<div><a href="http://www.ibm.com/security/cryptocards/library.shtml">IBM PCI Cryptographic Coprocessor documentation library</a></div>
</div>
</div></div>
<div class="nested1" xml:lang="en-us" id="settingamasterkey"><a name="settingamasterkey"><!-- --></a><h2 class="topictitle2">Setting a master key</h2>
<div><p>Setting the master key causes the key in the Current master key register to move
to the Old master key register. Then, the master key in the New master key
register moves to the Current master key register.</p>
<div class="note"><span class="notetitle">Note:</span> It is vital for retrieval of data encrypted by the master key that you
have a backup copy of the master key at all times. For example, write it on
a piece of paper and make sure that you store the backup copy with appropriate
security precautions, or clone the master key to another Coprocessor.</div>
<p>The easiest and fastest way to load and set master keys is to use the Cryptographic
Coprocessor configuration web-based utility found off of the System Tasks
page at http://<var class="varname">server-name</var>:2001. The utility includes
the Basic configuration wizard that is used when the Coprocessor is in an
un-initialized state. If the Cryptographic Coprocessor has already been initialized,
then click on <span class="uicontrol">Manage configuration</span> and then click on <span class="uicontrol">Master
keys</span> to load and set master keys.</p>
<p>If you would prefer to write your own application to load and set master
keys, you can do so by using the Master_Key_Process (CSNBMKP) API verb.</p>
</div>
<div><div class="relref"><strong>Related reference</strong><br />
<div><a href="rzajcloadkmc.htm" title="Change this program example to suit your needs for loading a new master key into your Cryptographic Coprocessor.">Example: ILE C program for loading a master key into your Cryptographic Coprocessor</a></div>
<div><a href="rzajcloadkmrpg.htm" title="Change this program example to suit your needs for loading a new master key into your Cryptographic Coprocessor.">Example: ILE RPG program for loading a master key into your Cryptographic Coprocessor</a></div>
</div>
</div></div>
<div class="nested1" xml:lang="en-us" id="reencryptingkeys"><a name="reencryptingkeys"><!-- --></a><h2 class="topictitle2">Re-encrypting keys</h2>
<div><p>When you set a master key, you should re-encrypt all keys that were encrypted
under the former master key to avoid losing access to them. Because the Old master key
register holds only the previous master key, you must do this before you next change and
set the master key.</p>
<p>You can re-encrypt keys in key store by using the Cryptographic Coprocessor
configuration web-based utility found off of the System Tasks page at http://<var class="varname">server-name</var>:2001.
The Cryptographic Coprocessor must have already been initialized. Click
on "Manage configuration" and then click on either "DES keys" to re-encrypt
DES keys, or "PKA keys" to re-encrypt PKA keys.</p>
<p>If you have keys that are not in key store or if you would prefer to write
your own application to re-encrypt keys, you can do so by using the Key_Token_Change
(CSNBKTC) or PKA_Key_Token_Change (CSNDKTC) API verbs. </p>
<p>An example program is provided for your consideration.</p>
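<p>The register model above (New, Current, and Old), the XOR combination of key parts, and the need to re-encrypt keys before the next master key change, as an added illustrative Python model that is not IBM's code and does not call the CCA API. The check-value and wrapping functions are stand-ins for the Coprocessor's internal key-token format, and the key parts are random values constructed for the demonstration.</p>

```python
import functools, hashlib, operator, os

KEY_BYTES = 168 // 8  # 21 bytes: one 168-bit master key or key part

def xor_parts(parts):  # the master key is the XOR of at least two 168-bit parts
    if len(parts) < 2 or any(len(p) != KEY_BYTES for p in parts):
        raise ValueError("need at least two 168-bit key parts")
    return bytes(functools.reduce(operator.xor, col) for col in zip(*parts))

def _kcv(mk):  # check value recording which master key wrapped a token (stand-in)
    return hashlib.sha256(b"kcv" + mk).digest()[:4]
def _xor_wrap(mk, data):  # stand-in keystream wrapping; NOT the CCA token format
    stream = hashlib.sha256(b"wrap" + mk).digest()[:len(data)]
    return bytes(a ^ b for a, b in zip(data, stream))

class MasterKeyRegisters:  # New, Current and Old, moved as the text describes
    def __init__(self):
        self.new = self.current = self.old = None
    def load(self, parts):  # loading fills New only; Current keeps working
        self.new = xor_parts(parts)
    def set_master_key(self):  # Current -> Old, New -> Current, New emptied
        if self.new is None:
            raise RuntimeError("no pending master key in the New register")
        self.old, self.current, self.new = self.current, self.new, None
    def wrap(self, clear_key):  # token for a key kept outside the coprocessor
        return (_kcv(self.current), _xor_wrap(self.current, clear_key))
    def _holder(self, kcv):  # the register key that wrapped a token, if any
        return next((mk for mk in (self.current, self.old) if mk and _kcv(mk) == kcv), None)
    def unwrap(self, token):  # recovers a token wrapped under Current or Old only
        mk = self._holder(token[0])
        if mk is None:
            raise KeyError("wrapping master key is no longer in Current or Old")
        return _xor_wrap(mk, token[1])
    def reencipher(self, token):  # the Key_Token_Change step: re-wrap under Current
        return self.wrap(self.unwrap(token))

def change_master_key(regs):  # load two random (constructed) parts, then set
    regs.load([os.urandom(KEY_BYTES), os.urandom(KEY_BYTES)])
    regs.set_master_key()

def lifecycle_demo():  # -> (stale_token_lost, reenciphered_token_ok)
    regs = MasterKeyRegisters()
    change_master_key(regs)
    op_key = os.urandom(KEY_BYTES)
    token = regs.wrap(op_key)  # encrypted under the first master key
    change_master_key(regs)  # first master key now in Old: still recoverable
    fresh = regs.reencipher(token)  # re-encrypt before the next change
    change_master_key(regs)  # first master key has left every register
    return regs._holder(token[0]) is None, regs.unwrap(fresh) == op_key
```

<p>A token that was not re-enciphered while its master key was still in the Old register is unrecoverable after the following set, which is the loss the text warns about.</p>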
</div>
<div><div class="relref"><strong>Related reference</strong><br />
<div><a href="rzajcrenkeystotxt.htm" title="Change this program example to suit your needs for re-encrypting keys for your Cryptographic Coprocessor.">Example: ILE C program for re-encrypting keys for your Cryptographic Coprocessor</a></div>
</div>
</div></div>
</body>
</html>