Filter
Top Products
CCA Release 2.54
When all of the Coprocessors are newly initialized, that is, their
current-master-key registers are empty, first install the same master key in
each of the new-master-key registers. Then set the master key in each of
the Coprocessors. Finally, if you are going to use key storage, initialize
key storage.
If all of the Coprocessors have the same current master-key, when you
undertake to set the master key in the first Coprocessor, the code will
attempt to set the directory-open flags (SDO and ADO). This should
succeed if you have the proper key-storage files (or key storage is not
initialized). Note that the verification pattern in the key-storage header is
changed as soon as the first master-key is set.
When you set the master key in the additional Coprocessors, because the
directory-open flags are already set, no check is made to ensure that the
verification patterns in key storage and for the current-master-key match
(and they would not match because the header was updated when the
first Coprocessor master-key was set). As soon as the master key is set,
its verification pattern will be copied to the header in key storage.
Note that the key in the new-master-key register is not verified. You may
wish to confirm the proper and consistent contents of these registers
using the key-test service prior to undertaking setting of the master keys.
Setting the master key in a Coprocessor after other Coprocessor(s) are
successfully in operation.
If you have one or more Coprocessors in operation and then wish to add an
additional Coprocessor and need to set its current, and possibly old, master
keys to the keys already in the other Coprocessors, special care must be
taken. Two cases should be considered:
1. If the new Coprocessor has a current master-key that is not the same as
that in the other Coprocessors, and if key storage is initialized for use with
the other Coprocessors, when you start a new thread and attempt to set
the master key, the action will fail unless you take precautions. Because
the directory-open flag(s) are initially set to false, the CCA host code will
compare the verification pattern for the current master-key in the
Coprocessor and in the key-storage header record. This comparison will
fail and processing will terminate with an error indication.
2. If the new Coprocessor did not have a key in the current master-key
register, the set-master-key operation would proceed. Note that the
verification pattern for this master key will be copied to an initialized
key-storage header record.
A solution to the first situation is to proceed as follows:
Allocate a Coprocessor that has the desired current master key(s)
Perform a DES_Key_Record_List or other action that will cause the
key-storage-valid flag(s) to be set.
Deallocate the Coprocessor
Allocate the new Coprocessor
Set the master key.
Note that you may need to install two master keys into the new Coprocessor
in order have both the current and the old master-keys agree with those in the
other Coprocessor(s).
Chapter 2. CCA Node-Management and Access-Control 2-19