Beginning with TKE V4.1, operational keys can be loaded on a host
crypto module. Operational key part registers allow operational keys
to be loaded and accumulated on a host crypto module before storing
them in the host key store.
Note: To use TKE V4.1 or higher to load
operational keys, you must be running ICSF HCR770B or higher.
After
all the key parts have been loaded and the key is Complete, you are
required to remove the key from the key part register and load it
into the CKDS. This is accomplished either through ICSF panels (see
Loading operational keys to the CKDS) or using an option on Key Generator Utility
Processes (KGUP) Job Control Language (JCL) (see
z/OS Cryptographic Services ICSF Administrator's Guide).
CEX2C, CEX3C, and CEX4C host crypto modules support
a maximum of 100 key part registers distributed across all domains.
On the CEX5C, 512 key part registers are supported and distributed
across all domains.
An AES key part register that has a type other than DATA can
be in one of the following states:
- Incomplete, need at least two more parts – Load to key part register
(First, minimum of 3 parts) has completed successfully
- Incomplete, need at least one more part – Load to key part register
(First, minimum of 2 parts or Add part) has completed successfully
- Intermediate part entered – Load to key part register (Add
part) has completed successfully
- Complete – Load to key part register (Complete) has completed
successfully
A DES operational key or AES DATA key part register can be in one
of the following states:
- First part entered – Load to key part register (First) has
completed successfully
- Intermediate part entered – Load to key part register (Add
part) has completed successfully
- Complete – Load to key part register (Complete) has completed
successfully
At least two key parts must be entered. There is no maximum number
of key parts that can be entered.
Available tasks for Operational key part registers are as follows:
- Load single key part
- Load all key parts from...
- View
- Clear
AES keys other than AES DATA have the following "Load
single key part" tasks:
- First (minimum of 2 parts)
- First (minimum of 3 parts)
- Add part
- Complete
Tasks for "Load all key parts from..." are as follows:
- Smart card
- Binary file
- Keyboard
A key part register is freed when a Complete key is loaded to the
CKDS from ICSF (either through the ICSF panels or KGUP JCL), when
the key part register is cleared from TKE, or a zeroize domain is
issued from TKE.
The View task displays the information held in a key part register.
Use of the operational key part registers is controlled by access
control points in the role definition. The access control points are
as follows:
- Load First Key Part
- Load Additional Key Part
- Complete Key
- Clear Operational Key Part Register
Note: There are separate access control points for DES, AES,
and ECC (APKA) master keys and for DES operational keys, AES DATA
operational keys, and all other AES operational keys.
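The state tables and the access control rules above can be exercised as a small model. The following Python is an added example written for this page; it is not IBM code and not part of TKE or ICSF. It assumes that key parts are combined by exclusive OR, that a register can be addressed by a (domain, label) pair, and that a role is represented as a set of (access control point, key family) pairs; the `HostCryptoModule` class, the `AESCIPHER01` label and the sample key parts are constructed for the example. It covers the states for both the DES/AES DATA table and the table for other AES keys, the "minimum of 2/3 parts" rule, the register limits per module model, and the three ways a register is freed.

```python
from dataclasses import dataclass, field
from enum import Enum


class KeyKind(Enum):
    """Key families that have separate access control points and state tables."""
    DES = "DES operational"
    AES_DATA = "AES DATA operational"
    AES_OTHER = "other AES operational"


# Access control points in the role definition (names as on the page)
ACP_LOAD_FIRST = "Load First Key Part"
ACP_LOAD_ADD = "Load Additional Key Part"
ACP_COMPLETE = "Complete Key"
ACP_CLEAR = "Clear Operational Key Part Register"

# Key part registers per host crypto module, shared across all domains
REGISTER_LIMITS = {"CEX2C": 100, "CEX3C": 100, "CEX4C": 100, "CEX5C": 512}


class RegisterError(Exception):
    pass


@dataclass
class KeyPartRegister:
    kind: KeyKind
    min_parts: int          # 2, or 3 (3 exists only for AES keys other than DATA)
    parts_loaded: int
    accumulated: bytes      # assumption: parts are combined by XOR
    complete: bool = False

    def state(self) -> str:
        if self.complete:
            return "Complete"
        if self.kind is KeyKind.AES_OTHER:
            remaining = self.min_parts - self.parts_loaded
            if remaining >= 2:
                return "Incomplete, need at least two more parts"
            if remaining == 1:
                return "Incomplete, need at least one more part"
            return "Intermediate part entered"
        # DES and AES DATA registers use the three-state table
        return "First part entered" if self.parts_loaded == 1 else "Intermediate part entered"


@dataclass
class HostCryptoModule:
    model: str
    registers: dict = field(default_factory=dict)  # (domain, label) -> KeyPartRegister

    def _get(self, domain, label):
        try:
            return self.registers[(domain, label)]
        except KeyError:
            raise RegisterError(f"no key part register {label!r} in domain {domain}") from None

    @staticmethod
    def _authorize(role, acp, kind):
        # The role must hold the ACP for this key family specifically
        if (acp, kind) not in role:
            raise RegisterError(f"role lacks '{acp}' for {kind.value} keys")

    def load_first(self, role, domain, label, kind, part, min_parts=2):
        self._authorize(role, ACP_LOAD_FIRST, kind)
        if (domain, label) in self.registers:
            raise RegisterError("register already holds a key")
        if len(self.registers) >= REGISTER_LIMITS[self.model]:
            raise RegisterError(f"all {REGISTER_LIMITS[self.model]} registers are in use")
        if min_parts not in (2, 3) or (min_parts == 3 and kind is not KeyKind.AES_OTHER):
            raise RegisterError("'First (minimum of 3 parts)' exists only for AES keys other than DATA")
        reg = KeyPartRegister(kind, min_parts, 1, part)
        self.registers[(domain, label)] = reg
        return reg.state()

    def add_part(self, role, domain, label, part):
        reg = self._get(domain, label)
        self._authorize(role, ACP_LOAD_ADD, reg.kind)
        if reg.complete:
            raise RegisterError("register is already Complete")
        if len(part) != len(reg.accumulated):
            raise RegisterError("key part length mismatch")
        reg.accumulated = bytes(a ^ b for a, b in zip(reg.accumulated, part))
        reg.parts_loaded += 1
        return reg.state()

    def complete(self, role, domain, label):
        reg = self._get(domain, label)
        self._authorize(role, ACP_COMPLETE, reg.kind)
        if reg.parts_loaded < reg.min_parts:
            raise RegisterError(f"{reg.parts_loaded} part(s) loaded, {reg.min_parts} required")
        reg.complete = True
        return reg.state()

    def clear(self, role, domain, label):
        reg = self._get(domain, label)
        self._authorize(role, ACP_CLEAR, reg.kind)
        del self.registers[(domain, label)]

    def store_to_ckds(self, domain, label):
        """ICSF side: only a Complete key may be moved to the CKDS, which frees the register."""
        reg = self._get(domain, label)
        if not reg.complete:
            raise RegisterError("only a Complete key can be loaded to the CKDS")
        del self.registers[(domain, label)]
        return reg.accumulated

    def zeroize_domain(self, domain):
        for key in [k for k in self.registers if k[0] == domain]:
            del self.registers[key]


def demo():
    """Walk one non-DATA AES key through First (min 3) -> Add -> Add -> Complete -> CKDS."""
    role = {(acp, KeyKind.AES_OTHER) for acp in (ACP_LOAD_FIRST, ACP_LOAD_ADD, ACP_COMPLETE)}
    hcm = HostCryptoModule("CEX5C")
    p1, p2, p3 = bytes([0x0F] * 16), bytes([0xF0] * 16), bytes([0xAA] * 16)  # constructed parts
    states = [hcm.load_first(role, 0, "AESCIPHER01", KeyKind.AES_OTHER, p1, min_parts=3)]
    states.append(hcm.add_part(role, 0, "AESCIPHER01", p2))
    states.append(hcm.add_part(role, 0, "AESCIPHER01", p3))
    states.append(hcm.complete(role, 0, "AESCIPHER01"))
    key = hcm.store_to_ckds(0, "AESCIPHER01")
    return states, key, len(hcm.registers)
```

Running `demo()` yields the four states listed on the page for a non-DATA AES key loaded with "First (minimum of 3 parts)", and the register count drops back to zero once the Complete key is stored to the CKDS. Because the role above deliberately omits "Clear Operational Key Part Register", a call to `clear()` with it is rejected, which is the separation the access control points are meant to give: the person who enters parts need not be the person who can discard a partially loaded key.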
The host crypto module supports all ICSF operational key types.
A USER DEFINED key type is also available, and allows
the user to specify his or her own control vector for DES keys. This USER
DEFINED control vector must conform to the rules
of a valid control vector. For more details on control vectors, see
Appendix C in z/OS Cryptographic Services ICSF Application Programmer's Guide.
Instead of a control vector, AES keys other than AES DATA have
key attributes associated with them that specify the key usage and
key management attributes of the key. The key attributes are specified
either at the time a key part is generated or when the first key part
is loaded to the key part register on the host crypto module. For
more information about key attributes, see Appendix B in z/OS Cryptographic Services ICSF Application Programmer's Guide.