IBM 2 Computer Hardware User Manual


 
CCA Release 2.54
Take care to ensure that you define roles that have the authority to perform
initialization, including the RQ-TOKEN and RQ-REINT options of the
Cryptographic_Facility_Control (CSUACFC) verb. You must also ensure there are
active profiles that use these roles.
If you configure your Coprocessor so that initialization is not allowed, you can
recover by reloading the Coprocessor CCA software (see footnote 4). This will
delete all information previously loaded, and restore the Coprocessor's CCA
function to its initial state.
Configuration and Greenwich Mean Time (GMT)
CCA always operates with GMT time. This means that the time, date, and
day-of-the-week values in the Coprocessor are measured according to GMT. This
can be confusing because of its effect on access-control checking.
All users have operating time limits, based on values in their roles and profiles.
These include:
- Profile activation and expiration dates
- Time-of-day limits
- Day-of-the-week limits.
All of these limits are measured using time in the Coprocessor's frame of reference,
not the user's. If your role says that you are authorized to use the Coprocessor on
days Monday through Friday, it means Monday through Friday in the GMT time
zone, not your local time zone. In like manner, if your profile expiration date is
December 31, it means December 31 in GMT.
In the Eastern United States, your time differs from GMT by four hours during the
part of the year Daylight Saving Time is in effect. At noon local time, it is 4:00 PM
GMT. At 8:00 PM local time, it is midnight GMT, which is the time the Coprocessor
increments its date and day-of-the-week to the next day.
For example, at 7:00 PM on Tuesday, December 30 local time, it is 11:00 PM,
Tuesday, December 30 to the Coprocessor. Two hours later, however, at 9:00 PM,
Tuesday, December 30 local time, it is 1:00 AM Wednesday, December 31 to the
Coprocessor. If your role only allows you to use the Coprocessor on Tuesday, you
would have access until 8:00 PM on Tuesday. After that, it would be Wednesday
in the GMT time frame used by the Coprocessor.
This happens because the Coprocessor does not know where you are located, and
how much your time differs from GMT. Time zone information could be obtained
from your local workstation, but this information could not be trusted by the
Coprocessor; it could be forged in order to obtain access at times the system
administrator intended to keep you from using the Coprocessor.
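The Tuesday, December 30 case above, worked through as an added example (not code from the manual or from CCA). The Limits class, the function names, the year 2003 and the rule that a profile stays usable through its expiration date are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone

GMT = timezone.utc
# The page's Eastern US example: local time is four hours behind GMT.
EASTERN_DST = timezone(timedelta(hours=-4))

@dataclass(frozen=True)
class Limits:
    """Hypothetical model of role/profile time limits (not a CCA structure)."""
    days: frozenset            # permitted weekdays, Monday=0 .. Sunday=6
    expires: date              # assumption: profile is usable through this date
    start: time = time.min     # time-of-day window, inclusive
    end: time = time.max

def coprocessor_allows(when: datetime, limits: Limits) -> bool:
    """Apply every limit in the Coprocessor's frame of reference: GMT."""
    if when.tzinfo is None:
        raise ValueError("naive timestamp: its offset from GMT is unknown")
    gmt = when.astimezone(GMT)
    return (gmt.date() <= limits.expires
            and gmt.weekday() in limits.days
            and limits.start <= gmt.time() <= limits.end)

def gmt_span_of_local_day(day: date, local_tz: timezone):
    """First and last second of a local calendar day, expressed in GMT."""
    first = datetime.combine(day, time.min, tzinfo=local_tz)
    last = first + timedelta(days=1, seconds=-1)
    return first.astimezone(GMT), last.astimezone(GMT)

# Constructed sample: Tuesday, December 30, 2003; role permits Tuesday only.
TUESDAY_ONLY = Limits(days=frozenset({1}), expires=date(2003, 12, 31))

def local(hour: int, minute: int = 0) -> datetime:
    """A local-time instant on the sample Tuesday."""
    return datetime(2003, 12, 30, hour, minute, tzinfo=EASTERN_DST)

if __name__ == "__main__":
    for hh in (19, 20, 21):
        t = local(hh)
        print(t.strftime("%a %H:%M local"), "->",
              t.astimezone(GMT).strftime("%a %b %d %H:%M GMT"),
              "allowed" if coprocessor_allows(t, TUESDAY_ONLY) else "denied")
    print(gmt_span_of_local_day(date(2003, 12, 30), EASTERN_DST))
```

The span helper shows that a local Tuesday at this offset runs from Tuesday 04:00 GMT to Wednesday 03:59:59 GMT, so a role restricted to Tuesday covers local Tuesday only until 8:00 PM.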
Footnote 4: Use file CNWxxxyy.CLU. See Chapter 4 of the IBM 4758 PCI Cryptographic
Coprocessor CCA Support Program Installation Manual.
2-6 IBM 4758 CCA Basic Services, Release 2.54, February 2005