IBM 2 Computer Hardware User Manual


 
CCA Release 2.54
7. In the target node, generate a retained key usable for master-key
administration, the Coprocessor Share Receiving (CSR) key, and have this key
certified by the SA key.
8. Once a master key has been established in the source node, perhaps through
random master-key generation, obtain shares of the master key. Also obtain
master-key verification information for use in step 10 using the Key_Test verb.
Note that generally fewer shares are required to reconstitute the master key
than can be obtained from the source node. Thus corruption of some of the
information that is in transit between source and target can be tolerated.
9. Deliver and install the master-key shares.
10. Verify that the new master-key in the target node has the proper value. Then
set the master key.
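
Steps 8 through 10 as a runnable model, added here as an illustration and not taken from the manual or from IBM code. Assumptions: Shamir m-of-n sharing stands in for the Coprocessor's share scheme, SHA-256 stands in for the Key_Test verification information, and the 3-of-5 threshold, key value and function names are constructed.

```python
# Added illustration: Shamir m-of-n sharing stands in for the coprocessor's
# share scheme, and SHA-256 stands in for the Key_Test verification pattern.
# All names and values here are constructed for the example.
import hashlib
import secrets
from itertools import combinations

P = 2**521 - 1  # Mersenne prime, larger than the constructed 192-bit key

def split(secret: int, m: int, n: int):
    """Return n shares (x, y); any m of them reconstitute the secret."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]
    def f(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
    return [(x, f(x)) for x in range(1, n + 1)]

def combine(shares):
    """Lagrange interpolation at x = 0 over GF(P)."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def pattern(key: int) -> str:
    """Stand-in verification pattern (step 8), compared again in step 10."""
    return hashlib.sha256(key.to_bytes(66, "big")).hexdigest()

def reconstitute(received, m, expected_pattern):
    """Try m-share subsets; accept only a key whose pattern matches."""
    for subset in combinations(received, m):
        key = combine(subset)
        if pattern(key) == expected_pattern:
            return key, [x for x, _ in subset]
    raise ValueError("no subset of m shares yields the expected master key")

def demo():
    master = secrets.randbits(192)           # constructed master-key value
    shares = split(master, m=3, n=5)         # step 8: obtain shares
    vp = pattern(master)                     # step 8: verification info
    received = list(shares)
    received[0] = (1, received[0][1] ^ 1)    # share 1 corrupted in transit
    del received[3]                          # share 4 lost in transit
    key, used = reconstitute(received, 3, vp)  # steps 9-10
    return key == master, used
```

The corrupted share produces a wrong key in every subset that includes it, which is why the verification in step 10 must pass before the master key is set.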

Master-Key Considerations with Multiple CCA Coprocessors

Master keys are used to wrap (encrypt) working keys (as opposed to clear keys or
keys wrapped by key-encrypting keys or RSA keys). Master-key-wrapped keys are
either stored in the CCA key storage, or are held and managed by your
application(s). When multiple Coprocessors are installed, it is a responsibility of the
using organization(s) to ensure that appropriate current and old master-keys, both
symmetric and asymmetric, are installed in the multiple Coprocessors. The most
straightforward approach is to ensure that when you change (“set”) master keys on
one CCA Coprocessor, you also change the master keys (both asymmetric and
symmetric) on the other Coprocessor(s).
The approach to multiple Coprocessors differs in detail between OS/400 and the
workstation environments. Each type of environment is discussed:
- OS/400
- AIX and Windows.
OS/400 Multi-Coprocessor Master-Key Support: IBM recommends loading all
CCA Coprocessors with the same current and the same old master-keys, especially
if your applications perform load balancing among the Coprocessors or if the
Coprocessors will be used for SSL.
With OS/400, multiple key-storage files can exist. To avoid confusion, keep all
keys in the key-storage files encrypted by a common, current master-key. The
master-key verification pattern is not stored in the header record of any key-storage
file. Therefore, it is important that when you change the master key, you
re-encipher all of the keys in all of your key-storage files. The organization that
manages all users of the Coprocessors must arrange procedures for keeping all
key-storage files up to date with the applicable current master-key. Note that the
person changing the master key may not have authorization to (or knowledge of) all
key-storage files on the system.
The order of loading and setting of the master key between Coprocessors is not
significant. However, after all Coprocessor master-keys have been updated,
be sure to update all key-storage files. Remember that if you import a
key or generate a key, it is returned encrypted by the current master-key within the
Coprocessor used for the task.
Chapter 2. CCA Node-Management and Access-Control 2-17