CCA Release 2.54
The PKA_Key_Generate verb either retains the generated private key within the
Coprocessor or outputs it in one of three forms, so that you can control where the
private key is deployed.
You can request that the generated private key be retained within the secure
cryptographic-engine through the use of the RETAIN keyword on the
PKA_Key_Generate verb. In this case, only the public key is returned. You use
the retained private key by referring to it with a key label which you specify in the
key-name section of the skeleton key-token.
If you do not retain the private key within the Coprocessor, you select how you wish
to receive the private key:
Cleartext
Both the private and public keys are returned as cleartext. This option requires
that you provide protection for the private key by means other than encryption
within the key-generating step. This option is provided so the user can test, or
interface with, other systems or applications that require the private key to be in
the clear.
Enciphered by the local master-key
You can request that the key-generating service return the private key
enciphered by the asymmetric master-key within the cryptographic engine.
Since there is no service available to re-encrypt the private key other than by
the current or a replacement master-key, the generated private key is
effectively locked to the generating node, or other nodes that you establish with
the same master key. (Generally these would be backup nodes or parallel
nodes for greater throughput.)
Enciphered by a transport key-encrypting-key
You can request the service to encrypt the generated private key under either a
DES IMPORTER key or a DES EXPORTER key. An IMPORTER key permits the
private key to be imported and used later at the generating node. An EXPORTER
transport key, by contrast, is shared with one or more other nodes, which allows
you to distribute the private key to those nodes. For example, you could obtain a
private key in this form for distribution to a zSeries (S/390) large server's
integrated RSA cryptographic processor.
Note: EXPORTER and IMPORTER key-encrypting “transport” keys are
discussed in Chapter 5, “DES Key-Management.”
Because you can obtain the private key, it can be made functional on more than
one cryptographic engine and used for backup or additional throughput. Your
administration procedures control where the key can be used. The private key can
be transported securely between nodes in its encrypted form. You can set up
one-way key distribution channels between nodes and “lock” the receiving transport
key-encrypting key to a particular node or nodes so that you can be certain where
the private key exists. This ability to replicate a key to multiple nodes is especially
important to high-throughput server systems and important for backup processing
purposes.
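The following is an added illustration, not code from this manual or from the CCA
product itself. It models the policy consequences of the four private-key output
forms described above (retained, cleartext, enciphered under the local master key,
and enciphered under an IMPORTER or EXPORTER transport key-encrypting key) on two
hypothetical nodes A and B that share a one-way transport channel. The node,
key-store and verb names are assumptions for the example; the wrapping primitive is
an HMAC-SHA256 keystream with an authentication tag so that the example runs with the
Python standard library only, whereas CCA uses DES/TDES key-encrypting keys with
control vectors.

```python
"""Constructed model of PKA_Key_Generate private-key output forms (not the CCA API)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Derive n keystream bytes from an HMAC counter (stand-in for a block cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def wrap(kek: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag; aad binds the key's intended use."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(kek, nonce, len(plaintext))))
    tag = hmac.new(kek, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, token: bytes, aad: bytes) -> bytes:
    """Verify the tag under kek before decrypting; a wrong KEK or master key fails here."""
    nonce, ct, tag = token[:16], token[16:-32], token[-32:]
    expected = hmac.new(kek, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped private key does not verify under this key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


@dataclass
class Node:
    """A hypothetical cryptographic engine: its master key, transport KEKs and retained keys."""
    name: str
    master_key: bytes
    keks: dict = field(default_factory=dict)      # label -> ("IMPORTER"|"EXPORTER", value)
    retained: dict = field(default_factory=dict)  # label -> private key that never leaves


def pka_key_generate(node: Node, form: str, key_label=None, kek_label=None):
    """Return (public, private_token) where the token's shape depends on the output form."""
    private = secrets.token_bytes(32)            # stand-in for RSA private material
    public = hashlib.sha256(private).digest()    # stand-in for the matching public key
    if form == "RETAIN":                         # private key stays in the engine
        node.retained[key_label] = private
        return public, {"form": "RETAIN", "label": key_label, "node": node.name}
    if form == "CLEAR":                          # caller must protect it by other means
        return public, {"form": "CLEAR", "private": private}
    if form == "MASTER":                         # usable only where the same master key exists
        return public, {"form": "MASTER", "wrapped": wrap(node.master_key, private, b"MASTER")}
    if form == "TRANSPORT":                      # IMPORTER: local re-import; EXPORTER: distribution
        _kek_type, kek = node.keks[kek_label]
        return public, {"form": "TRANSPORT", "wrapped": wrap(kek, private, b"TRANSPORT")}
    raise ValueError(f"unknown output form {form!r}")


def recover_private(node: Node, token: dict, kek_label=None) -> bytes:
    """Return the private key as usable at `node`, or raise if the token is locked elsewhere."""
    form = token["form"]
    if form == "RETAIN":
        if token["node"] != node.name:
            raise PermissionError("retained key is usable only on the generating node")
        return node.retained[token["label"]]
    if form == "CLEAR":
        return token["private"]
    if form == "MASTER":
        return unwrap(node.master_key, token["wrapped"], b"MASTER")
    if form == "TRANSPORT":
        kek_type, kek = node.keks[kek_label]
        if kek_type != "IMPORTER":               # an EXPORTER copy cannot import: one-way channel
            raise PermissionError("only an IMPORTER key-encrypting key may import a private key")
        return unwrap(kek, token["wrapped"], b"TRANSPORT")
    raise ValueError(f"unknown output form {form!r}")


def _outcome(fn, *args) -> str:
    """'ok' if the call succeeds, otherwise the exception class name."""
    try:
        fn(*args)
        return "ok"
    except Exception as exc:  # noqa: BLE001 - reporting, not handling
        return type(exc).__name__


def scenario() -> dict:
    """Constructed nodes: A exports to B over a shared KEK; A-backup shares A's master key."""
    shared = secrets.token_bytes(32)
    a = Node("A", secrets.token_bytes(32), {"TO_B": ("EXPORTER", shared)})
    b = Node("B", secrets.token_bytes(32), {"FROM_A": ("IMPORTER", shared)})
    backup = Node("A-backup", a.master_key)
    out = {}
    pub, tok = pka_key_generate(a, "TRANSPORT", kek_label="TO_B")
    out["B imports A's export"] = hashlib.sha256(recover_private(b, tok, "FROM_A")).digest() == pub
    out["A imports under its own EXPORTER"] = _outcome(recover_private, a, tok, "TO_B")
    pub, tok = pka_key_generate(a, "MASTER")
    out["backup with same master key"] = hashlib.sha256(recover_private(backup, tok)).digest() == pub
    out["B with different master key"] = _outcome(recover_private, b, tok)
    pub, tok = pka_key_generate(a, "RETAIN", key_label="SIGNING.KEY.01")
    out["retained key used at A"] = hashlib.sha256(recover_private(a, tok)).digest() == pub
    out["retained key used at B"] = _outcome(recover_private, b, tok)
    return out


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case}: {result}")
```

The point of the model is the asymmetry in the last branch of recover_private: node A
holds the shared value only as an EXPORTER, so it can wrap the private key for B but
cannot import its own output, while B holds the same value only as an IMPORTER and
can therefore receive but never re-export under that channel. Which nodes a
master-key-enciphered or transport-enciphered private key can ever be used on is
decided entirely by which nodes you provision with the matching master key or
IMPORTER key, which is the administrative control the text describes.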
In systems with an access monitor like RACF on IBM zSeries servers, the key
name that you associate with a private key gives you the ability to enforce
Chapter 3. RSA Key-Management 3-3