Migrating to the Cryptographic Coprocessor

 

If you have worked with cryptography before, you may have a requirement to migrate from a previous cryptography product to the 4764 or 4758 Cryptographic Coprocessor.

Migrating from the 4758 to the 4764:

If you are replacing your 4758 Cryptographic Coprocessor with the newer 4764 Cryptographic Coprocessor, then ensure that the roles and profiles for the 4764 Coprocessor are setup similar to those used with the 4758 Coprocessor. Both the 4758 and 4764 Cryptographic Coprocessors can use the same CCA APIs and key store files.

You may have cryptographic cross-domain files from Cryptographic Support for OS/400® (5722-CR1). Or you may have key store files from the IBM® Common Cryptographic Architecture Services for OS/400 (5799-FRF) product. If this is the case, you can migrate their contents to your new Cryptographic Coprocessor. There is an example migration program available for each cryptographic product:

  • Cryptographic Support for AS/400® or i5/OS™ (5769–CR1 or 5722–CR1): Cryptographic Support is a software-only product that encrypts cross-domain keys under a host master key. Cryptographic Support then stores the cross-domain keys in a file. You can migrate cross-domain key files from Cryptographic Support for AS/400 or i5/OS to your Cryptographic Coprocessor. See Migrate Cryptographic Support for AS/400 cross-domain key files.

  • IBM CCA Services (5799–FRF) PRPQ: This product provides cryptographic function on cryptographic hardware by using Data Encryption Standard (DES). The CCA Services PRPQ requires that you have a cryptographic processor, hardware feature number 2620 or 2628, installed on your system. You can migrate key store files from the IBM CCA Services to your Cryptographic Coprocessor. See Migrate key store files from the IBM CCA Services for OS/400 PRPQ.

  • Migrating key store files from the IBM CCA Services for OS/400 PRPQ
    If you currently use the Common Cryptographic Architecture (CCA) Services for OS/400 (5799-FRF), you can migrate the keys in the key store file so that your Cryptographic Coprocessor can use them. The Coprocessor uses the migrated keys with the CCA Cryptographic Service Provider (CCA CSP, which is packaged as i5/OS Option 35).

  • Migrating Cryptographic Support for system cross-domain key files
    If you have worked with cryptography before on your system running the i5/OS operating system, you may have cryptographic cross-domain files from Cryptographic Support (5769-CR1). You can migrate existing cross-domain keys to your new Cryptographic Coprocessor.

 

Parent topic:

4764 and 4758 Cryptographic Coprocessors