Re: Crypto question

2012-06-14 Thread Reinhard Buendgen
The user pins can be recovered as long as you still know the pin of the
security officer (SO pin).
If you forget the SO pin you are out of luck. You must reset the pins. To
do that, delete the files NVTOK.DAT, MK_USER and MK_SO from
/var/lib/opencryptoki/token/ where token is lite for the ica token,
ccatok for the cca token and swtok for the software token.

Mit freundlichen Grüßen/Best Regards/Cordialement 

Reinhard 

Dr. Reinhard Bündgen 
RAS & Crypto Architect for Linux on System z
Virtualization and Systems Management

Mail: buend...@de.ibm.com
Phone: ++49-(0)7031-16-1130
Fax: ++49-(0)7031-16-3456

IBM Deutschland Research & Development GmbH
Chair of the Supervisory Board: Martina Koederitz
Management: Dirk Wittkopp
Registered office: Böblingen
Court of registration: Amtsgericht Stuttgart, HRB 243294





From: Marcy Cortes marcy.d.cor...@wellsfargo.com
To: LINUX-390@vm.marist.edu
Date: 05/26/2012 12:19 AM
Subject: Crypto question
Sent by: Linux on 390 Port LINUX-390@vm.marist.edu

So I was asked this about pkcsconf. What if we lose our PINs? Can you
find them or clear them?

I don't know! Where are these kept? It's got to be somewhere on the
server itself or does the HW remember which virtual server has what pin?
I can't think of anything in VM that would keep track of them.

This is for Linux under VM - CRYPTO APVIRT in the directory.



Marcy

This message may contain confidential and/or privileged information. If 
you are not the addressee or authorized to receive this for the addressee, 
you must not use, copy, disclose, or take any action based on this message 
or any information herein. If you have received this message in error, 
please advise the sender immediately by reply e-mail and delete this 
message. Thank you for your cooperation.




--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or 
visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit
http://wiki.linuxvm.org/
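
Added example, not part of the thread and not openCryptoki code: a shell sketch that archives the three PIN state files named in the reply above before deleting them, so the reset can be undone by extracting the archive back into the token directory. The function names and the BACKUP_DIR location are hypothetical, and it is an assumption drawn from the thread (not verified here) that restoring these files restores the earlier PIN state.

```shell
#!/bin/sh
# Added example: archive, then remove, the PIN state files named in the reply.
TOKEN_ROOT="${TOKEN_ROOT:-/var/lib/opencryptoki}"      # path from the thread
BACKUP_DIR="${BACKUP_DIR:-/root/opencryptoki-backup}"  # hypothetical; use an absolute path
PIN_FILES="NVTOK.DAT MK_USER MK_SO"

# backup_token_pins <lite|ccatok|swtok>
# Archives whichever PIN files exist and prints the archive path.
# The body is a subshell, so umask, cd and variables do not leak to the caller.
backup_token_pins() (
    token="$1"
    case "$token" in
        lite|ccatok|swtok) ;;
        *) echo "unknown token directory: $token" >&2; exit 2 ;;
    esac
    dir="$TOKEN_ROOT/$token"
    present=""
    for f in $PIN_FILES; do
        if [ -f "$dir/$f" ]; then present="$present $f"; fi
    done
    [ -n "$present" ] || { echo "no PIN state files in $dir" >&2; exit 1; }
    umask 077                      # archive holds PIN state; keep it private
    mkdir -p "$BACKUP_DIR" || exit 1
    archive="$BACKUP_DIR/$token-$(date +%Y%m%d%H%M%S).tar"
    cd "$dir" || exit 1
    # $present is deliberately unquoted: it is a space-separated file list.
    tar -cpf "$archive" $present || exit 1
    echo "$archive"
)

# reset_token_pins <lite|ccatok|swtok>
# Deletes a PIN file only after confirming the fresh archive lists it.
reset_token_pins() {
    archive=$(backup_token_pins "$1") || return $?
    for f in $PIN_FILES; do
        [ -f "$TOKEN_ROOT/$1/$f" ] || continue
        tar -tf "$archive" | grep -qxF "$f" || return 1
        rm -f "$TOKEN_ROOT/$1/$f" || return 1
    done
    echo "$archive"
}
# Usage (as root): reset_token_pins swtok
```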





Re: Res: Re: Crypto question

2012-05-29 Thread Marcy Cortes
Is that an encrypted answer? 

Marcy 


-Original Message-
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Fernando Gieseler
Sent: Sunday, May 27, 2012 8:05 AM
To: LINUX-390@VM.MARIST.EDU
Subject: [LINUX-390] Res: Re: Crypto question

IIOpOoHHHhHhhgx
__
Fernando Gieseler
IBM System z
051-9988-8177
f...@br.ibm.com


- Original message -
From: Alan Altmark [alan_altm...@us.ibm.com]
Sent: 25/05/2012 23:28 AST
To: LINUX-390@vm.marist.edu
Subject: Re: Crypto question



Your pins are kept in the guest.  Only for secure-key ops (APDED, not
APVIRT) does the hardware retain keys.  VM does not keep any pins or key
material.

Regards,

Alan Altmark
IBM Lab Services

-
Sent from my BlackBerry Handheld.



Res: Re: Crypto question

2012-05-27 Thread Fernando Gieseler
IIOpOoHHHhHhhgx
__
Fernando Gieseler
IBM System z
051-9988-8177
f...@br.ibm.com


- Original message -
From: Alan Altmark [alan_altm...@us.ibm.com]
Sent: 25/05/2012 23:28 AST
To: LINUX-390@vm.marist.edu
Subject: Re: Crypto question



Your pins are kept in the guest.  Only for secure-key ops (APDED, not
APVIRT) does the hardware retain keys.  VM does not keep any pins or key
material.

Regards,

Alan Altmark
IBM Lab Services

-
Sent from my BlackBerry Handheld.



Re: Crypto question

2012-05-26 Thread Marcy Cortes
So some file on disk that could presumably be restored if one knew where it was, correct?


Marcy.  Sent from my BlackBerry. 


- Original Message -
From: Alan Altmark [mailto:alan_altm...@us.ibm.com]
Sent: Friday, May 25, 2012 10:28 PM
To: LINUX-390@VM.MARIST.EDU LINUX-390@VM.MARIST.EDU
Subject: Re: [LINUX-390] Crypto question

Your pins are kept in the guest.  Only for secure-key ops (APDED, not
APVIRT) does the hardware retain keys.  VM does not keep any pins or key
material.

Regards,

Alan Altmark
IBM Lab Services

-
Sent from my BlackBerry Handheld.



Crypto question

2012-05-25 Thread Marcy Cortes
So I was asked this about pkcsconf. What if we lose our PINs? Can you find
them or clear them?

I don't know! Where are these kept? It's got to be somewhere on the server
itself or does the HW remember which virtual server has what pin? I can't
think of anything in VM that would keep track of them.

This is for Linux under VM - CRYPTO APVIRT in the directory.



Marcy



Re: Crypto question

2012-05-25 Thread Alan Altmark
Your pins are kept in the guest.  Only for secure-key ops (APDED, not
APVIRT) does the hardware retain keys.  VM does not keep any pins or key
material.

Regards,

Alan Altmark
IBM Lab Services

-
Sent from my BlackBerry Handheld.



Re: Crypto question

2006-07-07 Thread Ralph Wuerthner
Hi Marcy!

 When I try to load the driver on a sles8 guest, it cannot find it.

 z90crypt: Version 1.3.2 loaded, built on May 23 2006 12:23:26
 z90crypt: z90main.o ($Revision: 1.9.4.17 $/$Revision: 1.4.6.9 $/$Revision: 1.3.4.7 $)
 z90crypt: z90hardware.o ($Revision: 1.7.6.12 $/$Revision: 1.4.6.9 $/$Revision: 1.3.4.7 $)
 z90crypt: probe_crypto_domain - Unable to find crypto domain: No devices found
[...]
 q crypto ap
 AP 00 CEX2C Queue 06 is superseded by CEX2A
 AP 01 CEX2C Queue 06 is superseded by CEX2A
 AP 02 CEX2C Queue 06 is superseded by CEX2A
 AP 03 CEX2C Queue 06 is superseded by CEX2A
 AP 04 CEX2C Queue 06 is superseded by CEX2A
 AP 05 CEX2C Queue 06 is superseded by CEX2A
 AP 06 CEX2A Queue 06 is installed
 AP 07 CEX2A Queue 06 is installed
 Ready; T=0.01/0.01 14:42:06


 Does sles8 have the ability to use z9-109 Crypto Express 2?

z90crypt version 1.3.2 does not support CEX2A or CEX2C cards. Support was
added with version 1.3.3 but this version is not available for SLES8. So
you have to use at least SLES9 SP3 in order to use the crypto cards.

Mit freundlichen Grüßen / Best regards,


   
Ralph Würthner, PMP®
IT Specialist, Linux on System z Development
IBM Deutschland GmbH, Dept. A177, Location 55131-12 | 6C
Hechtsheimer Str. 2, 55131 Mainz, Germany
E-mail: [EMAIL PROTECTED]
Phone: +49 (0) 6131 84 3565
Cell: +49 (0) 170 8519785
Fax: +49 (0) 6131 84 6099
Tie Line: *122-3565




Re: Crypto question

2006-07-07 Thread Jan Oliver Schmidt
Libica-1.2 cannot access CEX2* devices. Support for CEX2C devices was 
added in libica-1.3.2, and support for CEX2A devices is available from 
libica-1.3.3.

Best Regards

Jan Schmidt (BA-Student)

HR Training
HR University Education Germany
Building code 71083-01, cost center 3852
Am Fichtenberg 1, 71083 Herrenberg
int.: *175-1167
email: [EMAIL PROTECTED]

Currently on practical assignment at the Böblingen lab
Building code 71032-03, cost center 8516
int.: *120-3130



Crypto question

2006-07-06 Thread Marcy Cortes
I've got a sles9x server that can see the crypto on a z9-109 with no
problem.

When I try to load the driver on a sles8 guest, it cannot find it.

z90crypt: Version 1.3.2 loaded, built on May 23 2006 12:23:26
z90crypt: z90main.o ($Revision: 1.9.4.17 $/$Revision: 1.4.6.9 $/$Revision: 1.3.4.7 $)
z90crypt: z90hardware.o ($Revision: 1.7.6.12 $/$Revision: 1.4.6.9 $/$Revision: 1.3.4.7 $)
z90crypt: probe_crypto_domain - Unable to find crypto domain: No devices found
lnx67:~ # rpm -qa | grep libica
libica-1.2-174
lnx67:~ #

Both guests have CRYPTO APVIRT in their directory and I've recycled it
several times.

From VM:

q crypto ap
AP 00 CEX2C Queue 06 is superseded by CEX2A
AP 01 CEX2C Queue 06 is superseded by CEX2A
AP 02 CEX2C Queue 06 is superseded by CEX2A
AP 03 CEX2C Queue 06 is superseded by CEX2A
AP 04 CEX2C Queue 06 is superseded by CEX2A
AP 05 CEX2C Queue 06 is superseded by CEX2A
AP 06 CEX2A Queue 06 is installed  
AP 07 CEX2A Queue 06 is installed  
Ready; T=0.01/0.01 14:42:06


Does sles8 have the ability to use z9-109 Crypto Express 2?



Marcy Cortes
WFS Enterprise Hosting Services - z/VM & z/Linux
(415) 243-6343
