IBM Crypto Education Community

Migrating ICSF private key in the PKDS - Different ICSF PKA Master Key

  • 1.  Migrating ICSF private key in the PKDS - Different ICSF PKA Master Key

    Posted Thu March 25, 2021 11:30 AM
    Does anyone know of any way to export an ICSF private key between PKDS with different PKA Master Keys?

    ------------------------------
    Renato Almeida de Brito
    ------------------------------


  • 2.  RE: Migrating ICSF private key in the PKDS - Different ICSF PKA Master Key

    Posted Thu March 25, 2021 03:17 PM
    Once encrypted by a CCA master key, there is no way to export a CCA RSA private key.

    If the key is clear or is wrapped by a transport key, it can be copied as-is.

    ------------------------------
    Eric Rossman
    ------------------------------



  • 3.  RE: Migrating ICSF private key in the PKDS - Different ICSF PKA Master Key

    Posted Thu March 25, 2021 04:35 PM
    As Eric said, you can't export the RSA private keys in the PKDS.

    One tip / trick is that you could bring up another LPAR running ICSF with the old PKDS and old Master Key. Then do a Coordinated Change MK to rotate the keys in the old PKDS to a new PKDS with the new Master Key. Then you could just copy the RSA private key from the newly reenciphered PKDS to the target PKDS since the MKs are now the same.

    ------------------------------
    Eysha Shirrine
    ------------------------------



  • 4.  RE: Migrating ICSF private key in the PKDS - Different ICSF PKA Master Key

    Posted Fri March 26, 2021 06:30 AM
    A week ago I faced the same problem (migrating to a new ZR1).
    The way to solve that problem:

    1. Allocate new CSFPKDS and CSFCKDS.
    2. Define a new master key.
    3. REPRO the old CSFPKDS to the new one.

    Worked fine for me.

    ------------------------------
    shimon yosef
    ------------------------------