CCA Release 2.54
used to establish the maximum strength of certain cryptographic functions, the
environment identifier, and the maximum number of master-key-cloning shares,
and the minimum number of shares needed to reconstitute a master key.
• Reset the intrusion latch. The intrusion latch circuit can be set by breaking an
  external circuit connected to jack 6 (J6) on the Coprocessor. Normally the pins
  of J6 are connected to each other with a jumper; see the IBM 4758 PCI
  Cryptographic Coprocessor CCA Support Program Installation Manual, Chapter
  2. In your installation you might connect an external circuit to J6 that opens if
  covers on your host machine are opened. Note that setting the intrusion latch
  does not cause zeroization of the Coprocessor. If the intrusion latch is set,
  exception status is reported on most verb calls.
• Reset the battery-low indicator (latch). The Coprocessor electronics sets the
  battery-low indicator when the reserve power in the battery falls below a
  predetermined level. You acknowledge and reset the battery-low condition
  using the RESETBAT rule-array keyword. Of course, if the battery has not
  been replaced, you should expect the low-battery-power condition to return.

The Key_Storage_Initialization verb is used to establish a fresh symmetric or
asymmetric (DES or PKA) key-storage data set. The data file that holds the key
records is initialized with header records that contain a verification pattern for the
master key. Any existing key records in the key storage are lost. The index file is
also initialized. The file names and paths for the key storage and its index file are
obtained from different sources depending on the operating system:
• The AIX ODM registry
• The Windows registry.
See the CCA Support Program Installation Manual for information.

The Cryptographic_Resource_Allocate and Cryptographic_Resource_Deallocate
verbs allow your application to steer requests to one of multiple CCA Coprocessors.
See “Multi-Coprocessor Capability” for further information.

Multi-Coprocessor Capability

Multi-Coprocessor support operates with up to eight Coprocessors installed in a
single machine, some or all of which are loaded with the CCA application. When
more than one Coprocessor with CCA is installed, an application program can
explicitly select which cryptographic resource (Coprocessor) to use, or it can
optionally accept the default Coprocessor. To explicitly select a Coprocessor, use
the Cryptographic_Resource_Allocate verb. This verb allocates a Coprocessor
loaded with the CCA software. Once allocated, CCA requests are routed to it until
it is deallocated. To deallocate a currently allocated Coprocessor, use the
Cryptographic_Resource_Deallocate verb. When a Coprocessor is not allocated
(either before an allocation occurs or after the cryptographic resource is
deallocated), requests are routed to the default CCA Coprocessor.

Except for the OS/400 environment, a multi-threaded application program can use
all of the installed CCA Coprocessors simultaneously. A program thread can use
only one of the installed CCA Coprocessors at any given time, but it can switch to a
different installed CCA Coprocessor as needed. To perform the switch, a program
thread must deallocate a currently allocated cryptographic resource, if any, then it
must allocate the desired cryptographic resource. The
2-10 IBM 4758 CCA Basic Services, Release 2.54, February 2005
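
The routing rules described above (default Coprocessor when nothing is allocated, one allocated Coprocessor per thread, deallocate before allocating another) can be modeled as a small state machine. This is an added example, not IBM's code: the model_* functions, the thread_ctx structure, the result codes and the slot layout are constructed stand-ins, not the CCA verbs or their return codes, and refusing a second allocate is an assumption drawn from the deallocate-first rule.

```c
#include <stdio.h>

#define MAX_CP 8        /* the text: up to eight Coprocessors per machine */
#define NONE  (-1)

/* Constructed machine: slots 0, 1 and 3 hold a Coprocessor loaded with CCA. */
static const int cca_loaded[MAX_CP] = {1, 1, 0, 1, 0, 0, 0, 0};
static const int default_cp = 0;               /* assumed default Coprocessor */

/* Allocation state is per thread; initialize allocated to NONE. */
struct thread_ctx { int allocated; };

/* Model result codes (not CCA return/reason codes): 0 = ok, 1 = refused. */
int model_allocate(struct thread_ctx *t, int cp) {
    if (t->allocated != NONE) return 1;        /* assumed: deallocate first */
    if (cp < 0 || cp >= MAX_CP || !cca_loaded[cp]) return 1;
    t->allocated = cp;
    return 0;
}

int model_deallocate(struct thread_ctx *t) {
    if (t->allocated == NONE) return 1;        /* nothing to release */
    t->allocated = NONE;
    return 0;
}

/* Coprocessor that would service this thread's next CCA request. */
int model_route(const struct thread_ctx *t) {
    return t->allocated != NONE ? t->allocated : default_cp;
}

/* The switch sequence from the text: deallocate, if any, then allocate. */
int model_switch(struct thread_ctx *t, int cp) {
    if (t->allocated != NONE) model_deallocate(t);
    return model_allocate(t, cp);
}

int main(void) {
    struct thread_ctx a = {NONE}, b = {NONE};
    model_allocate(&a, 1);
    model_allocate(&b, 3);                     /* two threads, two devices */
    printf("a->%d b->%d\n", model_route(&a), model_route(&b));
    int rc = model_switch(&a, 2);              /* slot 2 has no CCA load */
    /* The switch failed after the deallocate, so a now uses the default. */
    printf("rc=%d a->%d\n", rc, model_route(&a));
    return 0;
}
```

In this model a switch whose allocate step fails leaves the thread unallocated, so its next requests go to the default Coprocessor; check the allocate result before issuing further verbs.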