IBM 2 Computer Hardware User Manual


 
CCA Release 2.54
the Coprocessor device driver.[5] The host code then polls each Coprocessor in turn
to determine which ones contain the CCA application. As each Coprocessor is
evaluated, the CCA host code associates the identifiers CRP01, CRP02, and so
forth to the Coprocessors with CCA.[6]

In the absence of a specific Coprocessor allocation, the host code employs the
device designated CRP01 by default. You can alter the default designation by
explicitly setting the CSU_DEFAULT_ADAPTER environment variable. The
selection of a default device occurs with the first CCA call to a Coprocessor. Once
selected, the default remains constant throughout the life of the thread. Changing
the value of the environment variable after a thread uses a Coprocessor does not
affect the assignment of the default CCA Coprocessor.

If a thread with an allocated Coprocessor terminates without first deallocating the
Coprocessor, excess memory consumption will result. It is not necessary to
deallocate a cryptographic resource if the process itself is terminating; it is only
suggested if individual threads terminate while the process continues to run.

Note: The scope of the Cryptographic_Resource_Allocate and the
Cryptographic_Resource_Deallocate verbs is operating-system dependent. For the
AIX and Windows implementations, these verbs are scoped to a thread. "Scoped
to a thread" means that each of several threads within a process can allocate a
specific Coprocessor.

Understanding and Managing Master Keys

In a CCA node, the master key is used to encrypt (wrap) working keys used by the
node that can appear outside of the cryptographic engine. The working keys are
triple encrypted. This method of securing keys enables a node to operate on an
essentially unlimited number of working keys without concern for storage space
within the confines of the secured cryptographic engine.

The CCA design supports three master-key registers: new, current, and old. While
a master key is being assembled, it is accumulated in the new master-key register.
Then the Master_Key_Process verb is used to transfer (set) the contents of the
new master-key register to the current master-key register.
Working keys are normally encrypted by the current master-key. To facilitate
continuous operations, CCA implementations also have an old master-key register.
When a new master-key is transferred to the current master-key register, the
preexisting contents (if any) of the current master-key register are transferred to the
old master-key register. With the IBM 4758 CCA implementation, whenever a
working key must be decrypted by the master key, master-key verification pattern
information that is included in the key token is used to determine if the current or
the old master-key must be used to recover the working key. Special status (return
code 0, reason code 10001) is returned in case of use of the old master-key so that
your application programs can arrange to have the working key updated to
encryption by the current master-key (using the Key_Token_Change and

[5] The device driver designates the Coprocessors using numbers 0, 1, ..., 7. The number assignment is based on the design of the
BIOS in a machine. BIOS routines “walk the bus” to determine the type of device in each PCI slot. Adding, removing, or
relocating Coprocessors can alter the number associated with a specific Coprocessor.

[6] Coprocessors loaded with a UDX extension to CCA will also be assigned a CRP0x identifier.
2-12 IBM 4758 CCA Basic Services, Release 2.54, February 2005
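
The register rotation and old-master-key handling described under "Understanding and Managing Master Keys", as an added Python model (not IBM code and not part of the manual); it goes one step further than the text by showing what happens to a token that is never updated before a second master-key change. Assumptions: the `Node` class, its method names and the sample keys are hypothetical, the verification pattern and wrapping functions are stand-ins for CCA's algorithms, the new register is modelled as empty after a set, and the exception for a token matching neither register is a modelling choice, not a CCA return code.

```python
import hashlib

def mkvp(master_key: bytes) -> bytes:
    # Stand-in verification pattern (assumption): truncated SHA-256, not CCA's algorithm.
    return hashlib.sha256(b"mkvp" + master_key).digest()[:8]

def _xor_wrap(master_key: bytes, data: bytes) -> bytes:
    # Stand-in wrap (assumption): XOR pad, not CCA's triple encryption; self-inverse.
    pad = hashlib.shake_256(master_key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

class Node:
    """Model of the new/current/old master-key registers inside the engine."""
    def __init__(self):
        self.new = self.current = self.old = None

    def set_master_key(self):  # models Master_Key_Process "set"
        if self.new is None:
            raise ValueError("new master-key register is empty")
        self.old, self.current, self.new = self.current, self.new, None

    def wrap(self, working_key: bytes) -> dict:
        return {"mkvp": mkvp(self.current), "body": _xor_wrap(self.current, working_key)}

    def use_key(self, token: dict):
        """Return (return_code, reason_code, token); token is re-wrapped if old MK was used."""
        for mk, reason in ((self.current, 0), (self.old, 10001)):
            if mk is not None and mkvp(mk) == token["mkvp"]:
                if reason == 10001:  # what an application would request via Key_Token_Change
                    token = self.wrap(_xor_wrap(mk, token["body"]))
                return 0, reason, token
        raise ValueError("token matches neither current nor old master key")

def demo():
    node = Node()
    def rotate(mk):                      # load the new register, then "set"
        node.new = mk
        node.set_master_key()
    rotate(b"MK-1" * 6)                  # constructed sample master keys
    stale = node.wrap(b"working-key-0001")
    rotate(b"MK-2" * 6)                  # MK-1 is now the old master key
    first = node.use_key(stale)          # recovered with old MK, token refreshed
    second = node.use_key(first[2])      # refreshed token uses current MK
    rotate(b"MK-3" * 6)                  # MK-1 is in no register any more
    try:
        node.use_key(stale)
        lost = False
    except ValueError:
        lost = True
    return first[:2], second[:2], lost
```

In the model, the token left under the first master key becomes unrecoverable after the second change, which is why an application should act on reason code 10001 when it first sees it.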