Todd... ooops.  That's what I get for relying on memory!!




Rob Schramm
Senior Systems Consultant
Imperium Group



On Wed, May 15, 2013 at 8:08 AM, Todd Arnold <arno...@us.ibm.com> wrote:

> > There is/was a way to set a CEX card to allow it to keep the MK loaded
> > while being transferred between machines.
>
> Yes, but you also need a TKE to do this.  You can "enable" or "disable"
> the crypto card.  When the card is "disabled", you cannot perform any
> application-oriented crypto functions with it - for example, encrypting
> data, managing keys, etc.  The only things you can do are the functions
> related to re-enabling the card, which is done via TKE.  While the card is
> in "disabled" state, you can remove it from your machine and it will not
> lose any of the stored data such as the master keys - but you also cannot
> USE those master keys for anything until the card is re-enabled, and that
> is not possible except through TKE by two authorized administrators.
>
> Here is part of the description that is in the TKE user's manual:
>
> --------------------------
> A crypto module is either enabled or disabled. When a crypto module is
> enabled, it is available for processing. You can change the status of the
> module by pressing the Enable Crypto Module / Disable Crypto Module push
> button. Enable Crypto Module is a dual-signature command and another
> authority may need to co-sign. Disable Crypto Module is a single signature
> command.
>
> Disabling a crypto module disables all the cryptographic functions for a
> single crypto module, a group of crypto modules, or a domain group. This
> disables the crypto module for the entire system, not just the LPAR that
> issued the disable.
> --------------------------
>
> Todd Arnold
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
