Command description                                         Cmd code  Standard roles when three profiles are created
                                                                      (CRYPMSTR, CRYPSEC, CRYPADMN, Default)
Compute Verification Pattern (N/A AS/400)                   001D      Y
Translate Key                                               001F      Y
Generate Random Master Key                                  0020      Y
Clear New Master Key (symmetric)                            0032      Y
Clear Old Master Key (symmetric)                            0033      Y
Generate Diversified Key                                    0040      Y
Load 1st Master Key Part (asymmetric)                       0053      Y
Combine Master Key Parts - middle/last (asymmetric)         0054      Y
Set Master Key (asymmetric)                                 0057      Y
Clear New Master Key (asymmetric)                           0060      Y
Clear Old Master Key (asymmetric)                           0061      Y
Generate Key Set                                            008C
Y Y Y Y Y Y Y Y Y Y
Generate Key                                                008E      Y Y Y Y
Re-encipher to Current Master Key                           0090      Y Y Y Y
Generate Clear 3624 PIN                                     00A0      Y Y Y Y
iSeries Wired Network Security
Generate Clear 3624 PIN Offset                              00A4      Y Y Y Y
Verify Encrypted 3624 PIN                                   00AB      Y Y Y Y
Verify Encrypted GBP PIN                                    00AC      Y Y Y Y
Verify Encrypted VISA PVV                                   00AD      Y Y Y Y
Verify Encrypted InterBank PIN                              00AE      Y Y Y Y
Format and Encrypt PIN                                      00AF      Y Y Y Y
Generate Formatted and Encrypted GBP PIN                    00B1      Y Y Y Y
Generate Formatted and Encrypted InterBank PIN              00B2      Y Y Y Y
Translate PIN with No Format Control to No Format Control   00B3      Y Y Y Y
Reformat PIN with No Format Control to No Format Control    00B7      Y Y Y Y
Generate Clear VISA PVV Alternate                           00BB      Y Y Y Y
Encipher Under Master Key                                   00C3      Y Y Y Y
Encipher Under Master Key Extended                          00C4      Y Y Y Y
Lower Export Authority                                      00CD      Y Y Y Y
Appendix A. 4758 cryptographic coprocessor hardware commands
Translate Control Vector                                    00D6      Y Y Y Y
Generate Key Set Extended                                   00D7      Y Y Y Y
Encipher Crypto Variable                                    00DA      Y Y Y Y
Replicate Key                                               00DB      Y Y Y Y
Generate CVV                                                00DF      Y Y Y Y
Verify CVV                                                  00E0      Y Y Y Y
Derive Key For Unique Key Per Transaction                   00E1      Y Y Y Y
Generate Initial PEK for UKPT PIN Pad                       00E2      Y Y Y Y
Digital Signature Generate                                  0100      Y
Digital Signature Verify                                    0101      Y
Key Token Change                                            0102      Y Y
PKA Key Generate                                            0103      Y Y
PKA Key Import                                              0104      Y Y Y Y
Symmetric Key Export                                        0105      Y Y Y Y
Symmetric Key Import                                        0106      Y Y Y Y
One Way Hash                                                0107      Y Y Y Y
Data Key Import                                             0109      Y Y Y Y
Data Key Export                                             010A      Y Y Y Y
Compose SET Block                                           010B      Y Y Y Y
Decompose SET Block                                         010C      Y Y Y Y
Y Y Y Y
PKA92 Symmetric Key Generate                                010D      Y Y Y Y
NL-EPP-5 Symmetric Key Generate                             010E      Y Y Y Y
Reset Intrusion Latch                                       010F      Y
Set Clock                                                   0110      Y
Reinitialize Device                                         0111      Y
Initialize Access Control                                   0112      Y
Change Expiration Date Of Profile                           0113      Y
Change Passphrase                                           0114      Y
Reset Logon Failure Count                                   0115      Y
Load Roles And Profiles                                     0116      Y
Delete Profile                                              0117      Y
Delete Role                                                 0118      Y
Load FCV                                                    0119      Y
Clear FCV                                                   011A      Y
Force User Logoff                                           011B      Y
Set EID                                                     011C      Y
Initialize Master Key Cloning                               011D      Y
RSA Encipher Clear Data                                     011E      Y Y Y Y
RSA Decipher Clear Data                                     011F      Y Y Y Y
Generate Random Master Key (asymmetric)                     0120      Y
Register PKA Public Key Hash                                0200      Y
Register PKA Public Key with Cloning                        0201      Y
Register PKA Public Key                                     0202      Y
Delete Retained Key                                         0203      Y Y Y Y
PKA Clone Key Generate                                      0204      Y Y
PKA Clone Key Generate Part2                                0205      Y Y
Clone Info Obtain 1                                         0211      Y
Clone Info Obtain 2                                         0212      Y
Clone Info Obtain 3                                         0213      Y
Clone Info Obtain 4                                         0214      Y
Clone Info Obtain 5                                         0215      Y
Clone Info Obtain 6                                         0216      Y
Clone Info Obtain 7                                         0217      Y
Clone Info Obtain 8                                         0218      Y
Clone Info Obtain 9                                         0219      Y
Clone Info Obtain 10                                        021A      Y
Clone Info Obtain 11                                        021B      Y
Clone Info Obtain 12                                        021C      Y
Clone Info Obtain 13                                        021D      Y
Clone Info Obtain 14                                        021E      Y
Clone Info Obtain 15                                        021F      Y
Clone Info Install 1                                        0221      Y
Clone Info Install 2                                        0222      Y
Clone Info Install 3                                        0223      Y
Clone Info Install 4                                        0224      Y
Clone Info Install 5                                        0225      Y
Clone Info Install 6                                        0226      Y
Clone Info Install 7                                        0227      Y
Clone Info Install 8                                        0228      Y
Clone Info Install 9                                        0229      Y
Clone Info Install 10                                       022A      Y
Clone Info Install 11                                       022B      Y
Clone Info Install 12                                       022C      Y
Clone Info Install 13                                       022D      Y
Clone Info Install 14                                       022E      Y
Clone Info Install 15                                       022F      Y
List Retained Key                                           0230      Y Y Y Y
Generate Clear NL-PIN-1 Offset                              0231      Y Y Y Y
Verify Encrypted NL-PIN-1 Offset                            0232      Y Y Y Y
PKA92 Symmetric Key Import                                  0235      Y Y Y Y
PKA92 PIN Key Import                                        0236      Y Y Y Y
Zero-pad Symmetric Key Generate                             023C      Y Y Y Y
Zero-pad Symmetric Key Import                               023D      Y Y Y Y
Zero-pad Symmetric Key Export                               023E      Y Y Y Y
PKCS-1.2 Symmetric Key Generate                             023F      Y Y Y Y
Appendix B. Granting access to the *SYSTEM certificate store
When you run an application that uses a certificate, you need access to the
key database file that holds the certificate. For applications that use SSL
and are defined in the Digital Certificate Manager (DCM), this file is the
*SYSTEM certificate store.
The best way to grant a user profile access to the *SYSTEM certificate store
for SSL processing is by using Operations Navigator, which has a specific
option for this. Granting authority directly to the key database file and to
all the directories in the path to the file is not recommended: it is
cumbersome, it gives users authority to several directories that they should
not use, and IBM may change the DCM implementation later so that this
approach no longer works at all.
When a user profile is named on a DCM application definition, the DCM
grants that profile access to the *SYSTEM certificate store for SSL
processing. When the user profile is taken off the DCM application definition,
or the application definition is removed, the user’s access is not revoked. If it
should be revoked, you must do this manually.
Note
There are two ways of granting access to the *SYSTEM certificate store
with Operations Navigator. The first way, described in this section, shows a
way to authorize individual user profiles to one or more applications or
stores. The second way is to grant access for one application or certificate
store to multiple users at the same time. If you want to read more about the
second approach, refer to 3.3.5, “Authorizing users to use object signing
applications” on page 137. For the second method, just select the
*SYSTEM certificate store instead of the object signing application.
To give a user profile access to the *SYSTEM certificate store using
Operations Navigator, complete these steps:
1. Start Operations Navigator.
2. Open your AS/400 system.
3. Double-click Users and Groups to expand.
© Copyright IBM Corp. 2001
Figure 300. Giving access to the *SYSTEM certificate store 1
4. Double-click All Users, or Groups, to expand.
5. Double-click the user profile or group profile you want to give access to so
that their properties are displayed, as shown in Figure 301.
Figure 301. Giving access to the *SYSTEM certificate store 2
6. Click Capabilities and then the Applications tab. You will see the display
in Figure 302.