[prev in list] [next in list] [prev in thread] [next in thread]
List: racf-l
Subject: Re: ISCF keys to new Co-processor - ICSF RELEASE FMID=HCR77A0. - z9
From: "Gibney, Dave" <gibney () WSU ! EDU>
Date: 2017-02-28 23:28:42
Message-ID: 0DE6A9840123E547B061AC5B6765C026211C081A () EXMB-05 ! ad ! wsu ! edu
[Download RAW message or body]
The old card has EMPTY for both new and old MK AES/DES/RSA registers.
The Current MK register for AES/DES and RSA Valid for the old card and the AES matches the new card.
The Current DES and RSA show empty on the new card.
> -----Original Message-----
> From: RACF Discussion List [mailto:RACF-L@LISTSERV.UGA.EDU] On Behalf Of
> Dan Little
> Sent: Tuesday, February 28, 2017 2:46 PM
> To: RACF-L@LISTSERV.UGA.EDU
> Subject: Re: ISCF keys to new Co-processor - ICSF RELEASE FMID=HCR77A0. -
> z9
>
> Yes don't think you want that.
>
> If you select a card does the des and aes master key hash match up with
> other cards?
>
> Are the new master registers loaded and is current different for the
> different types?
>
>
>
> On Tue, Feb 28, 2017 at 5:41 PM Gibney, Dave <gibney@wsu.edu> wrote:
>
> > 3 Update an existing CKDS returns OPERATION NOT APPLICABLE CURRENT
> > STATE OF THE CKDS HEADER MK VPs NOT VALID FOR UPDATE
> >
> > And I am pretty sure I don't want to
> > 1 Initialize an empty CKDS
> > Record authentication required? (Y/N) ===>.
> >
> > > -----Original Message-----
> > > From: RACF Discussion List [mailto:RACF-L@LISTSERV.UGA.EDU] On
> > > Behalf Of Dan Little
> > > Sent: Tuesday, February 28, 2017 2:33 PM
> > > To: RACF-L@LISTSERV.UGA.EDU
> > > Subject: Re: ISCF keys to new Co-processor - ICSF RELEASE
> > > FMID=HCR77A0. -
> > > z9
> > >
> > > In master key management does option 1 give you an Update option if
> > > you
> > go
> > > in? Option update existing ckds?
> > >
> > >
> > >
> > > On Tue, Feb 28, 2017 at 17:25 Gibney, Dave <gibney@wsu.edu> wrote:
> > >
> > > 2 MASTER KEY MGMT ->
> > > 1 CKDS MK MANAGEMENT -?
> > > 2 REFRESH - Activate an updated CKDS has no effect.
> > > And
> > > 4 SET MK - Set master keys returns MASTER KEY NOT SET
> > >
> > > > -----Original Message-----
> > > > From: RACF Discussion List [mailto:RACF-L@LISTSERV.UGA.EDU] On
> > > > Behalf Of Dan Little
> > > > Sent: Tuesday, February 28, 2017 2:18 PM
> > > > To: RACF-L@LISTSERV.UGA.EDU
> > > > Subject: Re: ISCF keys to new Co-processor - ICSF RELEASE
> > > > FMID=HCR77A0. -
> > > > z9
> > > >
> > > > Yes I am thinking you need to go to option 2 and then select the
> > > > options
> > > to
> > > > set the master keys.
> > > >
> > > > Dan
> > > >
> > > >
> > > > On Tue, Feb 28, 2017 at 17:02 Gibney, Dave <gibney@wsu.edu>
> wrote:
> > > >
> > > > > The C was an A before I did the different order of doing AES
> > > > > keys before loading the new card. I would like to return all C's
> > > > > to A and also get the U (on the new card) to A.
> > > > > Which panel do you refer to? The path down 2 ICSF - Master Key
> > > > Management?
> > > > > It's been almost 10 years (June 2007) since I was in here. That
> > > > > was when the box first arrived.
> > > > >
> > > > > This is how my other three lpars show
> > > > > COPROCESSOR SERIAL NUMBER STATUS AES DES ECC
> > RSA
> > > > > P11
> > > > > ----------- ------------- ------ --- --- ---
> > ---
> > > > > ---
> > > > > E00 xxxxxxxxx ACTIVE A A -
> > A
> > > > > <- This is the new card
> > > > > E02 xxxxxxxxx ACTIVE A A -
> > A
> > > > > E03 xxxxxxxxx ACTIVE A A -
> > A
> > > > > F01 ACTIVE
> > > > > <- This is the new card
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: RACF Discussion List [mailto:RACF-L@LISTSERV.UGA.EDU] On
> > > > > > Behalf Of Dan Little
> > > > > > Sent: Tuesday, February 28, 2017 1:53 PM
> > > > > > To: RACF-L@LISTSERV.UGA.EDU
> > > > > > Subject: Re: ISCF keys to new Co-processor - ICSF RELEASE
> > > > > > FMID=HCR77A0. -
> > > > > > z9
> > > > > >
> > > > > > Status of C means
> > > > > >
> > > > > > C (correct - the current master key matches the MKVP in the
> > > > > > key data set
> > > > > but
> > > > > > the master key is not active)
> > > > > >
> > > > > > Did you do a Set Master Key in the panels?
> > > > > >
> > > > > > Dan
> > > > > >
> > > > > >
> > > > > > On Tue, Feb 28, 2017 at 16:04 Gibney, Dave <gibney@wsu.edu>
> > > wrote:
> > > > > >
> > > > > > > We recently had to replace one of our Crypto Express2
> > > > > > > Feature cards on our z9. So I need to load our master keys
> > > > > > > to the new card. I have four
> > > > > Lpars.
> > > > > > > For reasons or errors lost in time, we did not have any AES
> > > > > > > keys
> > > > > loaded.
> > > > > > > For the first two lpars, I went to the ICSF screen titled
> > > > > > > ICSF - Pass Phrase MK/CKDS/PKDS Initialization Entered my
> > > > > > > pass phrase and marked / Add coprocessors - Initialize
> > > > > > > additional online coprocessors with the same AES, DES and
> asymmetric master keys.
> > > > > > > I then marked / Add AES MK - Add the AES master key to all
> > > > > > > active coprocessors and the current CKDS. And all was well
> > > > > > > showing
> > > > > > > ------------------------- ICSF Coprocessor Management
> > > > > > > -------- Row
> > > > > > > 1 to 4 of 4
> > > > > > >
> > > > > > > Select the coprocessors to be processed and press ENTER.
> > > > > > > Action characters are: A, D, E, K, R, S and V. See the help
> > > > > > > panel for details.
> > > > > > >
> > > > > > > COPROCESSOR SERIAL NUMBER STATUS AES DES
> > ECC
> > > > > RSA
> > > > > > > P11
> > > > > > > ----------- ------------- ------ --- ---
> > ---
> > > > > ---
> > > > > > > ---
> > > > > > > . E00 xxxxxxxxx ACTIVE A A
> > -
> > > > > A
> > > > > > > . E02 xxxxxxxxx ACTIVE A A
> > -
> > > > > A
> > > > > > > . E03 xxxxxxxxx ACTIVE A A
> > -
> > > > > A
> > > > > > > . F01 ACTIVE
> > > > > > >
> > > > > > > I got "creative" for the third Lpar and did the / Add AES MK
> > first.
> > > > > > > This also activated the new co-processor and now I appear to
> > > > > > > have no DES or RSA active
> > > > > > > ------------------------- ICSF Coprocessor Management
> > > > > > > -------- Row
> > > > > > > 1 to 4 of 4
> > > > > > > COMMAND ===>
> > SCROLL
> > > > > ===>
> > > > > > > PAGE
> > > > > > >
> > > > > > > Select the coprocessors to be processed and press ENTER.
> > > > > > > Action characters are: A, D, E, K, R, S and V. See the help
> > > > > > > panel for details
> > > > > > >
> > > > > > > COPROCESSOR SERIAL NUMBER STATUS AES DES
> > ECC
> > > > > RSA
> > > > > > > P11
> > > > > > > ----------- ------------- ------ --- ---
> > ---
> > > > > ---
> > > > > > > ---
> > > > > > > . E00 xxxxxxxxx ACTIVE A U
> > -
> > > > > U
> > > > > > > . E02 xxxxxxxxx ACTIVE A C
> > -
> > > > > C
> > > > > > > . E03 xxxxxxxxx ACTIVE A C
> > -
> > > > > C
> > > > > > > . F01 ACTIVE
> > > > > > > I get "NO INACTIVE COPROCESSORS" when I try the / Add
> > > > > > > coprocessors
> > > > > > >
> > > > > > > Do I need to / / Reinitialize system - Load the AES, DES and
> > > > > > > asymmetric master keys to all coprocessors and make the
> > > > > > > specified CKDS and PKDS the current key data ?
> > > > > > > Using the same CKDS and PKDS?
> > > > > > >
> > > > > > > The warning on the next page seems a bit scary.
> > > > > > >
> > > > > > >
> > > > > > > Dave Gibney
> > > > > > > Information Technology Services Washington State University
> > > > > > >
> > > > >
> >
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic