We just dismantled the last Crypto application on one of our lpars and our CKDS is now empty. My colleague thinks that the MK can now be deleted as we do not have any application keys in the CKDS.
We still have several middleware software products active (file transfer, etc.) that use SSL. Do we still need to maintain the Master Key in order to access the co-processor? For example, using ICSF API CSNERNG (Random Number Generate).

The ICSF System Programmer's guide states the following:

-------------------------------------------------------
In order for the coprocessor to become active, either the DES-MK or the AES-MK (or both) verification patterns must match those in the CKDS. If neither match, the coprocessor will not be active.

My understanding is that one always needs a Master Key in order to keep the CEXnC active, even if the CKDS has no Application keys.

Suggestions/guidance welcome.

