z/OS Cryptographic Services ICSF Administrator's Guide
Contents (exploded view)
z/OS Cryptographic Services ICSF Administrator's Guide
SA22-7521-17
Administrator's Guide
Figures
Tables
Summary of Changes
Changes made in z/OS Version 1 Release 13
Changes made in z/OS Version 1 Release 12
Changes made in z/OS Version 1 Release 11
Introduction
The Tasks of a Data Security System
The Role of Cryptography in Data Security
Symmetric Cryptography
The Data Encryption Algorithm and the Data Encryption Standard
Advanced Encryption Standard
The Commercial Data Masking Facility
Asymmetric Algorithm or Public Key Cryptography
The RSA Public Key Algorithm
The DSS Public Key Algorithm
Elliptic Curve Digital Signature Algorithm (ECDSA)
Cryptographic Hardware Features supported by z/OS ICSF
Crypto Express3 Feature (CEX3C or CEX3A)
Crypto Express2 Feature (CEX2C or CEX2A)
Crypto Express2-1P Feature
PCI X Cryptographic Coprocessor (PCIXCC)
CP Assist for Cryptographic Functions (CPACF)
CP Assist for Cryptographic Functions (CPACF) DES/TDES Enablement
PCI Cryptographic Accelerator (PCICA)
Cryptographic Coprocessor Feature (CCF)
PCI Cryptographic Coprocessor
Managing Crypto Express2 Features on an IBM System z9 EC, z9 BC, z10 EC, and z10 BC
Managing Crypto Express3 Features on an IBM System z10 EC, z10 BC, and z196
Strength of Hardware Cryptography
The Role of Key Secrecy in Data Security
Understanding Cryptographic Keys
Values of Keys
Types of Keys
Master Keys
Data-Encrypting Keys
Data-Translation Keys
MAC Keys
PIN Keys
PIN keys for generating and verifying PINs and PIN offsets
PIN keys to protect and translate PIN blocks
Cryptographic Variable Keys
Transport Keys
Key Generating Keys
HMAC Keys
PKA Keys
Protection and control of cryptographic keys
Master Key Concept
Key Separation
DES master key variants protect DES and CDMF keys
Multiple Encipherment
Migrating from PCF Key Types
Protection of Distributed Keys
Protecting Keys Stored with a File
Remote key loading
Using DES Transport Keys to Protect Keys Sent between Systems
Using RSA Public Keys to Protect Keys Sent between Systems
Protection of Data
Triple DES for Privacy
Advanced Encryption Standard (AES)
Managing Cryptographic Keys
Generating Cryptographic Keys
Enhanced key management for crypto assist instructions
Encrypted key support for Crypto Assist instructions
DES key wrapping
TKDS key protection
Generating PKA Keys
Key Generator Utility Program (KGUP)
Key Generate Callable Service
Entering Keys
Entering master keys
Entering system keys into the cryptographic key data set (CKDS)
Entering keys into the cryptographic key data set (CKDS)
Entering keys by using the key generator utility program
Special Secure Mode
Entering keys by using the dynamic CKDS update services
Entering keys into the PKDS
Entering cryptographic objects into the TKDS
PKCS #11 and FIPS 140-2
Maintaining cryptographic keys
Setting up and maintaining the cryptographic key data set (CKDS)
Setting up and maintaining the PKDS
Distributing Cryptographic Keys
Common Cryptographic Architecture Key Distribution
ANSI X9.17 Key Distribution
Public Key Cryptographic Standard Key Distribution
Controlling PCICC, PCIXCC, CEX2C, and CEX3C services
Using RACF to Protect Keys and Services
Steps for RACF-protecting keys and services
Setting up profiles in the CSFKEYS general resource class
Setting up profiles in the CSFSERV general resource class
Defining a key store policy
Enabling access authority checking for key tokens
Determining access to tokens not stored in the CKDS or PKDS
Enabling duplicate key label checking
Increasing the level of authority needed to modify key labels
Increasing the level of authority required to export symmetric keys
Controlling how cryptographic keys can be used
Restricting asymmetric keys from being used in secure import and export operations
Restricting asymmetric keys from being used in handshake operations
Placing restrictions on exporting symmetric keys
Restricting the symmetric key from being exported
Identifying RSA public keys that can export the symmetric key
Identifying key certificates for symmetric key export
Placing no additional restrictions on symmetric key export
Enabling PKA Key Management Extensions
PKA key management extensions example
Enabling use of encrypted keys in Symmetric Key Encipher and Symmetric Key Decipher callable services
Using the Pass Phrase Initialization Utility
Steps required when running the Pass Phrase Initialization Utility
SAF Protection
Running the Pass Phrase Initialization Utility
Steps for running PPINIT on a CCF system
Steps for running PPINIT on a PCIXCC, CEX2C, or CEX3C system
Steps for running PPINIT with ECC master key support
Steps for running PPINIT with AES master key support
Steps for adding a PCICC after first time Pass Phrase Initialization
Steps for adding a PCIXCC, CEX2C, or CEX3C after first time Pass Phrase Initialization
Migrating to a z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, or z196 server
PPINIT Recovery
Steps recovering with a CCF (with or without a PCICC)
Steps recovering with a PCIXCC, CEX2C, or CEX3C
Initializing multiple systems with pass phrase initialization utility
Managing Master Keys - CCF and PCICC
Entering master key parts
Generating master key data for master key entry
Steps for generating key parts using ICSF utilities
Steps for generating a checksum, verification pattern, or hash pattern for a key part
Steps for entering the first master key part
Steps for entering intermediate key parts
Steps for entering the final key part
Steps for restarting the key entry process
Initializing the CKDS and PKDS at First-Time Startup
CKDS
Steps for initializing a CKDS
PKDS
Steps for initializing the PKDS
Refreshing the CKDS at any time
Steps for refreshing the CKDS
Refreshing the PKDS at any time
Reentering master keys when they have been cleared
Steps to reenter cleared master keys
Steps for changing master keys
DES master keys and the CKDS
Steps for changing the DES master key and reenciphering the CKDS
PKA master keys and the PKDS
Steps for enabling and disabling PKA services
Steps for changing PKA master keys
Steps for reenciphering and refreshing the PKDS
Steps for setting the SMK equal to the KMMK
Steps for clearing master keys
Steps for adding a PCICC after CCF initialization
Managing Master Keys - PCIXCC, CEX2C, or CEX3C
Changes concerning the RSA master key (RSA-MK)
Coprocessor Activation
Entering master key parts
Generating master key data for master key entry
Steps for generating key parts using ICSF utilities
Steps for generating a checksum, verification pattern, or hash pattern for a key part
Steps for entering the first master key part
Steps for entering intermediate key parts
Steps for entering the final key part
Steps for restarting the key entry process
Initializing the CKDS and PKDS at First-Time Startup
CKDS
Steps for initializing a CKDS
Updating the CKDS with the AES master key
PKDS
Steps for initializing a PKDS
Performing a single system CKDS refresh
Refreshing the PKDS at any time
Reentering master keys when they have been cleared
Steps for changing master keys
Symmetric Master Keys and the CKDS
Steps for reenciphering the CKDS and performing a single-system CKDS master key change
Asymmetric master keys and the PKDS
Steps for enabling and disabling PKA callable services and PKDS updates
Steps for changing the RSA-MK or ECC-MK master key and reenciphering the PKDS
Steps for clearing master keys
Steps for adding PCIXCC, CEX2C, or CEX3C coprocessors after initialization
Key Management on Systems without Coprocessors
Initializing the CKDS at First-Time Startup
Steps for initializing a CKDS
Refreshing the CKDS at Any Time
Callable services
Running in a Sysplex Environment
CKDS management in a sysplex
Setting DES and AES master keys for the first time when sharing a CKDS in a sysplex environment
Using master key entry
Using Pass Phrase Initialization
Changing symmetric master keys and refreshing the CKDS when the CKDS is shared in a sysplex environment
Performing a coordinated CKDS master key change
Performing a coordinated CKDS refresh
Recovering from a Coordinated CKDS administration failure
Coordinated CKDS change master key or coordinated CKDS refresh messages
New master key register mismatch
Cataloged failures
Mainline processing failure
Backout processing failure
Set master key failure
Back-level ICSF releases in the sysplex
Rename failures
PKDS management in a sysplex
Steps for changing asymmetric master keys when sharing a PKDS
Steps for refreshing the PKDS
Sharing and migrating a CKDS/PKDS between a CCF system and a PCIXCC, CEX2C, or CEX3C system
CCF only system
SMK equal to KMMK
SMK not equal to KMMK
CCF with PCICCs
SMK equal to KMMK
SMK not equal to KMMK
TKDS management in a sysplex
Managing Cryptographic Keys Using the Key Generator Utility Program
Steps for disallowing dynamic CKDS updates during CKDS administration updates
Using KGUP for key exchange
Using KGUP control statements
General Rules for CKDS Records
CKDS record level authentication
KGUP Uniqueness Checking
Dynamic CKDS Update Services Uniqueness Checking
Syntax of the ADD and UPDATE Control Statements
Using the ADD and UPDATE control statements for key management and distribution functions
To Import Keys
Import a Clear Key Value
Import an Encrypted Key Value
To Generate Keys
Generate an Importer Key For File Encryption
Generate an AES data key
Generate a Complementary, Clear Key Value
Generate a Complementary, Encrypted Key Value
Generate a Complementary Key Pair For Other Systems
To Create NULL Keys
Create NULL Key Records
Syntax of the RENAME Control Statement
Syntax of the DELETE Control Statement
To Delete Keys
Syntax of the SET Control Statement
Syntax of the OPKYLOAD Control Statement
Examples of Control Statements
Example 1: ADD Control Statement
Example 2: ADD Control Statement with CLEAR Keyword
Example 3: ADD Control Statement with one TRANSKEY Keyword
Example 4: ADD Control Statement with two TRANSKEY Keywords
Example 5: ADD Control Statement with a Range of NULL Keys
Example 6: ADD Control Statement with OUTTYPE and TRANSKEY Keywords
Example 7: UPDATE Control Statement with Key Value and Transkey Keywords
Example 8: DELETE Control Statement
Example 9: RENAME Control Statement
Example 10: SET Control Statement
Example 11: OPKYLOAD Control Statement
Example 12: OPKYLOAD Control Statement for NOCV Key-encrypting Keys
Example 13 – ADD control statement with CLRDES keyword
Example 14 – ADD control statement to add a group of CLRDES keys
Example 15 – ADD control statement to add a group of CLRDES keys
Example 16 – ADD control statement to add a range of CLRDES keys
Example 17 – UPDATE control statement with CLRDES keyword
Example 18 – UPDATE control statement with CLRDES keyword
Example 19 – DELETE control statement with CLRDES keyword
Example 20 – DELETE control statement to delete a group of CLRDES key labels
Example 21 – RENAME Control Statement with CLRDES Keyword
Example 22 – ADD Control Statement with CLRAES Keyword
Example 23 – ADD Control Statement to Add a Group of CLRAES Keys
Example 24 – ADD Control Statement to Add a Group of CLRAES Keys
Example 25 – ADD Control Statement to Add a Range of CLRAES Keys
Example 26 – UPDATE Control Statement with CLRAES Keyword
Example 27 – UPDATE Control Statement with CLRAES Keyword
Example 28 – DELETE Control Statement with CLRAES Keyword
Example 29 – DELETE Control Statement to Delete a Group of CLRAES Key Labels
Example 30 – RENAME Control Statement with CLRAES Keyword
Example 31 – ADD Control Statement for ALGORITHM keyword
Example 32 – UPDATE Control Statement with the ALGORITHM keyword
Specifying KGUP data sets
Submitting a job stream for KGUP
Enabling Special Secure Mode
Running KGUP Using the MVS/ESA Batch Local Shared Resource (LSR) Facility
Reducing Control Area Splits and Control Interval Splits from a KGUP Run
Refreshing the In-Storage CKDS
Using KGUP Panels
Steps for creating KGUP control statements using the ICSF panels
Steps for creating ADD, UPDATE, or DELETE control statements
Steps for creating a RENAME control statement
Steps for creating a SET control statement
Steps for editing control statements
Steps for specifying data sets using the ICSF panels
Steps for creating the job stream using the ICSF panels
Example of a KGUP job stream with existing data sets
Example of a KGUP job stream with non-existing data sets
Steps for refreshing the active CKDS using the ICSF panels
Scenario of Two ICSF Systems Establishing Initial Transport Keys
Scenario of an ICSF System and a PCF System Establishing Initial Transport Keys
Scenario of an ICSF System and 4758 PCI Cryptographic Coprocessor Establishing Initial Transport Keys
Viewing and Changing System Status
Displaying administrative control functions
Displaying coprocessor or accelerator status - CCF, PCICC, PCICA
Displaying coprocessor or accelerator status - PCIXCC, PCICA, CEX2C, CEX3C, CEX2A, and CEX3A
Changing coprocessor or accelerator status - CCF, PCICC, and PCICA
Changing coprocessor or accelerator status - PCIXCC, PCICA, CEX2C, CEX3C, CEX2A, and CEX3A
Deactivating the last coprocessor
Displaying coprocessor hardware status - CCF and PCICC
Displaying coprocessor hardware status - PCIXCC, CEX2C, and CEX3C
Displaying installation options
Displaying PCICC coprocessor roles
Displaying PCIXCC, CEX2C, and CEX3C coprocessor roles
Displaying installation exits
Displaying installation-defined callable services
Managing User Defined Extensions
Display UDXs for a coprocessor
Display coprocessors for a UDX
Authorize a UDX
Using the Utility Panels to Encode and Decode Data
Steps for encoding data
Steps for decoding data
Using the Utility Panels to Manage Keys in the PKDS
RACF Protecting ICSF Services used by the New Panels
Generate a new RSA public/private PKDS key pair record
Delete an existing key record
Export a public key to an X.509 certificate for importation elsewhere
Import a public key from an X.509 certificate received from elsewhere
Processing Indicators
Success
Failure
Using PKCS11 Token Browser Utility Panels
RACF Protecting ICSF Services used by the Token Browser Utility Panels
Token browser panel utility
Token Browser main panel
Token Create Successful
Token Delete Confirmation
Token Delete Successful
Object Delete Successful
List Token panel
Token Details panel
Data Object Details panel
Certificate Object Details panel
Secret Key Object Details panel
Public Key Object Details panel
Private Key Object Details panel
Domain Parameters Object Details panel
Using the ICSF Utility Program CSFEUTIL
Reenciphering a disk copy of a CKDS and changing the master key
Refreshing the in-storage CKDS using a utility program
Loading DES and PKA master keys using a pass phrase
Return and reason codes for the CSFEUTIL program
CSFWEUTL
Using the ICSF Utility Program CSFPUTIL
Reenciphering a PKDS
Refreshing the in-storage copy of the PKDS
Return and reason codes for the CSFPUTIL program
CSFWPUTL
Using the ICSF Utility Program CSFDUTIL
Using the Duplicate Token Utility
CSFDUTIL output
Return and reason codes for the CSFDUTIL program
CSFWDUTL
Rewrapping DES key token values in the CKDS using the utility program CSFCNV2
Using ICSF Health Checks
Accessing the ICSF Health Checks
ICSFMIG7731_ICSF_RETAINED_RSAKEY
ICSFMIG_DEPRECATED_SERV_WARNINGS
ICSF_COPROCESSOR_STATE_NEGCHANGE
Appendix A. CCC Bit Assignments
Appendix B. Control Vector Table
Appendix C. Supporting Algorithms and Calculations
Checksum Algorithm
Algorithm for calculating a verification pattern
AES master key verification pattern algorithm
Algorithm for calculating an authentication pattern
Pass Phrase Initialization master key calculations
The MDC–4 Algorithm for Generating Hash Patterns
Notations Used in Calculations
MDC-1 Calculation
MDC-4 Calculation
Appendix D. PR/SM Considerations during Key Entry
Allocating Cryptographic Resources to a Logical Partition
Allocating Resources on z990 or z890
Allocating Resources on CCF Systems
Entering the Master Key or Other Keys in LPAR Mode
Reusing or Reassigning a Domain
Appendix E. Callable services affected by key store policy
Summary of Key Store Policy (KSP) and Enhanced Keylabel Access Control interactions
Appendix F. Questionable (Weak) Keys
Index
Copyright IBM Corporation 1990, 2014