Special secure mode is a special processing mode in which:
- The Secure Key Import, Secure Key Import2,
and Multiple Secure Key Import callable services, which work with
clear keys, can be used.
- The Clear PIN Generate callable service, which works with clear
PINs, can be used.
- The Symmetric Key Generate callable service with the "IM" keyword
(the DES enciphered key is enciphered by an IMPORTER key) can be used
(CCF Systems Only).
- The key generator utility program (KGUP) can be used to enter
clear keys into the CKDS.
To use special secure mode, several conditions must be met.
- The installation options data set must specify YES for the SSM
installation option.
For information about specifying installation
options, see z/OS Cryptographic Services ICSF System Programmer’s Guide.
This is required
for all systems.
- The environmental control mask (ECM) must be configured to permit
special secure mode.
The ECM is a 32-bit mask defined for each cryptographic
domain during hardware installation. The second bit in this mask must
have been turned on to enable special secure mode. The default is
to have this bit turned on in the ECM. The bit can only be turned
off/on through the optional TKE Workstation.
This is required
for systems with the Cryptographic Coprocessor Feature.
- If you are running in LPAR mode, special secure mode must be enabled.
On
the IBM zSeries 900, you enable special secure mode during activation using
the Crypto page of the Customize Activation Profiles task. When activated,
you can enable or disable special secure mode on the Change LPAR Crypto
task. Both of these tasks can be accessed from the Hardware Management
Console.
This is required for systems with the Cryptographic Coprocessor Feature.
For the IBM zSeries 900 with TKE, TKE can disable/enable special secure
mode.
|