What a shame.

However, if you configure your Crypto Express as an accelerator rather than
a full processor then it will still work with SSL and TLS. The calls used by
SSL and TLS use clear key calls and so do not need the master keys. Master
keys are not used by accelerator mode. Running as an accelerator rather than
as a full processor makes those calls slightly faster as they use a shorter
path with the Crypto Express device. 

So the short answer is that you do not need the master keys. Longer answer
is to configure as an accelerator for better performance of SSL and TLS.

Lennie Dymoke-Bradshaw
https://rsclweb.com 
'Dance like no one is watching. Encrypt like everyone is.'

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of
Frank Swarbrick
Sent: 28 October 2022 17:59
To: [email protected]
Subject: Crypto Express question

We are pushing our "host security module" processing off our mainframe back
to our card issuer processor, and I have a couple of questions.

If we use ICSF just for TLS and the like, does this still require the DES
and RSA keys to be loaded?  We already don't have AES or ECC master keys, so
I am thinking we wouldn't need DES or RSA keys either.  But someone who
should know seems to think we still need master keys, even if we're not
using it as a crypto coprocessor.

Other question is, can TLS encryption processes that use ICSF services work
at all if there is no crypto card at all?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to [email protected] with the message: INFO IBM-MAIN
