Although z/OS® does not support LTO drives, you can run your Security Key Lifecycle Manager for z/OS and allow an off-platform LTO drive to retrieve keys from your z/OS system. Your Security Key Lifecycle Manager for z/OS can service TS1120, TS1130, TS1140, LTO Ultrium 4, and LTO Ultrium 5 drives at the same time. However, for LTO Ultrium 4 and LTO Ultrium 5 drives, you must manually create the symmetric keys that are used for data encryption in your Security Key Lifecycle Manager for z/OS keystore. See "How the Security Key Lifecycle Manager for z/OS Processes Encryption Keys" for an overview.
Symmetric keys are not supported by RACF®. Your Security Key Lifecycle Manager for z/OS keystore must be of type JCEKS or JCECCAKS in order to create symmetric keys for use with LTO Ultrium 4 and LTO Ultrium 5 drives. The minimum required SDK installation for creating symmetric keys in a JCEKS type keystore is 50sr5. For a JCECCAKS type keystore, it is 50sr6.
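For more information about using the Java keytool, see "Generating Keys and Aliases for Encryption on LTO Ultrium 4 and LTO Ultrium 5". The following sample script creates an RSA key pair in a JCECCAKS keystore, generates symmetric keys in a second keystore, and then exports those keys and imports them into the first keystore.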
    /u/giampor/tkms:>cat populatesymmkeys.jceccaks.sh
    #
    echo "Creating RSA Certificate and Public and Private KeyPair in isklm2sharedkeysjceccaksPKDSlabel"
    #
    keytool -genkey -alias symmkeywrapper -dname "CN=sharedkeysjceccaksSymmetricKeyWrapper" \
      -keystore isklm2sharedkeysjceccaksPKDSlabel -provider IBMJCECCA -keyalg RSA -keysize 2048 \
      -keypass "password" -storepass "password" -storetype JCECCAKS -validity 999
    #
    echo "List isklm2sharedkeysjceccaksPKDSlabel"
    keytool -list -keystore isklm2sharedkeysjceccaksPKDSlabel -storepass "password" \
      -storetype JCECCAKS
    #
    #
    echo "Exporting RSA Certificate/Public Key to isklm2sharedkeysjceccaksPKDSlabelCA.crt"
    #
    keytool -export -alias symmkeywrapper -file isklm2sharedkeysjceccaksPKDSlabelCA.crt \
      -keystore isklm2sharedkeysjceccaksPKDSlabel -provider IBMJCECCA -storepass "password" \
      -storetype JCECCAKS
    #
    #
    echo "Creating Symmetric keys in symmkeystorejceccaks"
    #
    keytool -genseckey -keystore symmkeystorejceccaks -storetype JCECCAKS \
      -storepass "symmpassword" -aliasrange ibm01-05 -keyAlg DESede
    #
    echo "Listing Symmetric keys created"
    #
    keytool -list -keystore symmkeystorejceccaks -storepass "symmpassword" -storetype JCECCAKS
    #
    #
    echo "import public keys from keystores who want a copy of symmetric keys using a different alias - in this case isklm2sharedkeysjceccaksPKDSlabelCA.crt from isklm2sharedkeysjceccaksPKDSlabel"
    #
    keytool -import -trustcacerts -alias sharedkeysjceccaksCA \
      -file isklm2sharedkeysjceccaksPKDSlabelCA.crt \
      -keystore symmkeystorejceccaks -storepass "symmpassword" -storetype JCECCAKS
    #
    #
    echo "Listing keystore with public key imported and Symmetric keys"
    #
    keytool -list -keystore symmkeystorejceccaks -storepass "symmpassword" -storetype JCECCAKS
    #
    #
    echo "Export the Symmetric keys from symmetrickeystore for sharedkeysjceccaksCA/isklm2sharedkeysjceccaksPKDSlabel"
    #
    keytool -exportseckey -aliasrange ibm01-05 -keyalias sharedkeysjceccaksCA \
      -keystore symmkeystorejceccaks \
      -storepass "symmpassword" -storetype JCECCAKS -keypass "symmpassword" \
      -exportfile symKeysexported.jcecca.cer
    #
    #
    echo "Import the Symmetric keys into isklm2sharedkeysjceccaksPKDSlabel - i.e., sharedkeysjceccaksCA but assume must use my original alias symmkeywrapper or it won't know how to get the private key"
    #
    keytool -importseckey -keyalias symmkeywrapper -keypass "password" \
      -keystore isklm2sharedkeysjceccaksPKDSlabel \
      -storepass "password" -storetype JCECCAKS -importfile symKeysexported.jcecca.cer
    #
    #
    echo "list isklm2keystore containing RSA keypair and symmetric keys"
    #
    keytool -list -keystore isklm2sharedkeysjceccaksPKDSlabel -storepass "password" \
      -storetype JCECCAKS
    /u/giampor/tkms:>
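The last import step in the sample notes that -importseckey must name the alias that holds the private key (symmkeywrapper), not the alias under which the certificate was imported into the symmetric keystore (sharedkeysjceccaksCA). The following Python check is an added example, not part of the IBM sample: it traces that wrap and unwrap chain through a script's keytool commands and reports any mismatch. The condensed SAMPLE input, its shortened file names, and the function names parse and check_transfer are constructed for illustration.

```python
import shlex

# Constructed input: the page's keytool steps with passwords, provider and
# store-type options left out and keystore/file names shortened.
SAMPLE = """\
keytool -genkey -alias symmkeywrapper -keystore target.ks -keyalg RSA
keytool -export -alias symmkeywrapper -file wrapper.crt -keystore target.ks
keytool -genseckey -keystore source.ks -aliasrange ibm01-05 -keyAlg DESede
keytool -import -trustcacerts -alias sharedCA -file wrapper.crt -keystore source.ks
keytool -exportseckey -aliasrange ibm01-05 -keyalias sharedCA \\
  -keystore source.ks -exportfile keys.cer
keytool -importseckey -keyalias symmkeywrapper -keystore target.ks -importfile keys.cer
"""

def parse(script):
    """Yield (action, options) for each keytool command in a shell script."""
    for line in script.replace("\\\n", " ").splitlines():  # join continuations
        words = shlex.split(line, comments=True)
        if len(words) < 2 or words[0] != "keytool":
            continue
        opts, flag = {}, None
        for word in words[2:]:
            if word.startswith("-"):
                flag = word.lower()
                opts[flag] = True          # flag without a value, e.g. -trustcacerts
            elif flag:
                opts[flag], flag = word, None
        yield words[1].lstrip("-").lower(), opts

def check_transfer(script):
    """Return problems in the wrap/unwrap chain; an empty list means consistent."""
    cert_owner, trusted, wrapped_for, problems = {}, {}, {}, []
    for action, o in parse(script):
        ks, alias = o.get("-keystore"), o.get("-keyalias", o.get("-alias"))
        if action == "export":            # certificate file <- key pair (keystore, alias)
            cert_owner[o.get("-file")] = (ks, alias)
        elif action == "import":          # trusted alias -> key pair that owns the cert
            trusted[(ks, alias)] = cert_owner.get(o.get("-file"))
        elif action == "exportseckey":    # keys are wrapped with the cert's public key
            if (ks, alias) not in trusted:
                problems.append(f"{alias}: no imported certificate in {ks}")
            wrapped_for[o.get("-exportfile")] = trusted.get((ks, alias))
        elif action == "importseckey":    # unwrapping needs the matching private key
            owner = wrapped_for.get(o.get("-importfile"))
            if owner != (ks, alias):
                problems.append(f"{o.get('-importfile')} is wrapped for {owner}, not {alias} in {ks}")
    return problems

if __name__ == "__main__":
    print(check_transfer(SAMPLE) or "transfer chain is consistent")
```
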