You can use the KGUP
installation exit (CSFKGUP) to modify records in the CKDS, write copies
of records to alternate data sets, or put additional information in
the SMF record. There are many other uses for the KGUP exit depending
on your installation's needs. Examine the calling points for an exit
and the active control block fields at each calling point to determine
other applications for the exit.
KGUP calling points
After an ICSF administrator
submits a KGUP job for processing, KGUP calls exits at four points
in processing:
- During KGUP initialization. This is known
as the KGUP preprocessing exit. After the KGUP job begins but before
KGUP starts processing a control statement, KGUP calls this exit.
You
can use this exit to place additional information in the installation
data field of the CKDS header record. You may want to do this if you
need to process different cryptographic key data sets differently.
You can place information in the installation data field of the record,
and then subsequent calls of the exit can use this information as
the basis for performing processes.
- Before KGUP processes a key that is identified
by a control statement. This is known as the record preprocessing
exit. Before KGUP accesses the CKDS to retrieve the key that is requested
in the control statement, KGUP calls the exit again.
Note:
This
call occurs before KGUP accesses the CKDS. If an exit routine alters
a key entry at this call, KGUP accesses the CKDS with the altered
entry.
You can use this exit to provide additional
security for entering clear key values. When a user enters a clear
key in a control statement, use the exit to change the value. In this
way, the user never knows the actual clear value in the CKDS. For
example, a user enters zeros for clear key values. Your exit generates
some random number and replaces the user's clear key value. KGUP then
processes the exit's random number as the value to write to the CKDS.
- Before KGUP updates the CKDS with a key entry. This
is known as the record postprocessing exit. After KGUP processes
a key and before KGUP updates the CKDS, KGUP calls the exit a third
time.
At this call, the installation exit can change any information
in the Key Output Data Set. Changing the Key Output Data Set also
enters the changed keys into the Control Statement Output Data Set,
if the keys are exportable. You can use this exit to create audit
trails.
- During KGUP termination. This is known as
the KGUP postprocessing exit. Calls to this exit occur after KGUP
completes processing but before KGUP returns control to ICSF.
Note:
If an error occurs in exit processing, KGUP does not
call the remaining exit invocations. If an error occurs in KGUP processing
that does not result in an abnormal ending, KGUP does not call the
remaining exit invocations.
Processing in the exit
At each call, the exit receives the address of the KGUP exit parameter
block (KGXP) in register 1. The exit can access any of the data in
KGXP. The exit can alter some of the fields in KGXP, while others
are simply references. Also, the KGUP exit can alter some fields at
some calls but not at other calls.
A field in KGXP gives the calling point of the exit. The exit uses
this field to determine when to call the exit to perform appropriate
processing. Input gives a more detailed explanation
of the KGXP control block, the values it contains, and when an exit
can use or change the values.
|