96 lines
6.7 KiB
HTML
96 lines
6.7 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="task" />
|
|
<meta name="DC.Title" content="Migrate key store files from the IBM CCA Services for OS/400 PRPQ" />
|
|
<meta name="abstract" content="If you currently use the Common Cryptographic Architecture (CCA) Services for OS/400 (5799-FRF), you can migrate the keys in the key store file so that your Cryptographic Coprocessor can use them. The Coprocessor uses the migrated keys with the CCA Cryptographic Service Provider (CCA CSP, which is packaged as i5/OS Option 35)." />
|
|
<meta name="description" content="If you currently use the Common Cryptographic Architecture (CCA) Services for OS/400 (5799-FRF), you can migrate the keys in the key store file so that your Cryptographic Coprocessor can use them. The Coprocessor uses the migrated keys with the CCA Cryptographic Service Provider (CCA CSP, which is packaged as i5/OS Option 35)." />
|
|
<meta name="DC.Relation" scheme="URI" content="rzajcmigrate4758.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzajcexporttsstxt.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzajcimporttsstxt.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="migrateprpq" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Migrate key store files from the IBM CCA Services for OS/400 PRPQ</title>
|
|
</head>
|
|
<body id="migrateprpq"><a name="migrateprpq"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">Migrate key store files from the IBM CCA Services for OS/400 PRPQ</h1>
|
|
<div><p>If you currently use the Common Cryptographic Architecture (CCA)
|
|
Services for OS/400<sup>®</sup> (5799-FRF),
|
|
you can migrate the keys in the key store file so that your Cryptographic
|
|
Coprocessor can use them. The Coprocessor uses the migrated keys with the
|
|
CCA Cryptographic Service Provider (CCA CSP, which is packaged as i5/OS™ Option
|
|
35).</p>
|
|
<div class="section"><div class="note"><span class="notetitle">Note:</span> You cannot migrate all keys because the CCA Services supports
|
|
a wider range of key types than the Cryptographic Coprocessor. For example,
|
|
you cannot migrate keys that have had the prohibit-export bit in the control
|
|
vector set. Also, you cannot migrate any of the PKA keys in the CCA Services
|
|
because CCA Services provides public key algorithm (PKA) support that is
|
|
significantly different than that in the Cryptographic Coprocessor.</div>
|
|
<p>You
|
|
need to write two programs, in order to migrate your Data Encryption Standard
|
|
(DES) keys. The CCA defines the format of the external DES key tokens and
|
|
therefore is the same for both products. Optionally, there are two program
|
|
example <a href="rzajcexporttsstxt.htm">Example:
|
|
EXPORTing keys</a>], and <a href="rzajcimporttsstxt.htm">Example: IMPORTing keys</a>, which you can change and run
|
|
to migrate the key store files. The CCA defines the format of the external
|
|
DES key tokens and therefore is the same for both products.</p>
|
|
<div class="p">Use the
|
|
EXPORT program in conjunction with the IMPORT program. This will migrate DES
|
|
keys from the IBM<sup>®</sup> CCA
|
|
Services to your Cryptographic Coprocessor and CCA CSP. You should run the
|
|
EXPORT program first to generate a file that contains the necessary key information
|
|
in a secure, exportable form. You should then transfer the file to the target
|
|
server. You can then run the IMPORT program to import the keys from the file
|
|
into a key storage file that you have created. The key storage file to which
|
|
you want to import the keys must already exist before you run the program.<div class="note"><span class="notetitle">Note:</span> If
|
|
you choose to use the program examples provided, change them to suit your
|
|
specific needs. For security reasons, IBM recommends that you individualize these
|
|
program examples rather than using the default values provided.</div>
|
|
</div>
|
|
<p>To
|
|
change the program examples, follow these steps.</p>
|
|
</div>
|
|
<ol><li><span>Import the same clear key value for a key-encrypting key into both
|
|
products. For the CCA Services, the key-encrypting key must be an EXPORTER,
|
|
and for CCA CSP it must be an IMPORTER.</span></li>
|
|
<li><span>Run the Key_Export (CSNBKEX) CCA API in the CCA Services for <strong>each
|
|
key</strong> you want to migrate. This causes the program example to call an API.</span></li>
|
|
<li><span>Import the outputted external key token into CCA CSP and your Cryptographic
|
|
Coprocessor by using the Key_Import (CSNBKIM) CCA API. Remember to change
|
|
the program to do this for <strong>each key</strong>.</span></li>
|
|
</ol>
|
|
<div class="section"> <p>Once you change the program to address each key, you can run the
|
|
program. Remember to run EXPORT first and then IMPORT.</p>
|
|
<div class="note"><span class="notetitle">Note:</span> Read the <a href="codedisclaimer.htm#codedisclaimer">Code license and disclaimer information</a> for important legal information.</div>
|
|
</div>
|
|
</div>
|
|
<div>
|
|
<ul class="ullinks">
|
|
<li class="ulchildlink"><strong><a href="rzajcexporttsstxt.htm">Example: EXPORTing keys</a></strong><br />
|
|
Change this program example to suit your needs for migrating the key store files.</li>
|
|
<li class="ulchildlink"><strong><a href="rzajcimporttsstxt.htm">Example: IMPORTing keys</a></strong><br />
|
|
Change this program example to suit your needs for completing the migration of the key store files.</li>
|
|
</ul>
|
|
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajcmigrate4758.htm" title="If you have worked with cryptography before, you may have a requirement to migrate from a previous cryptography product to the 4764 or 4758 Cryptographic Coprocessor.">Migrate to the Cryptographic Coprocessor</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |