z/OS Cryptographic Services ICSF System Programmer's Guide


Using the conversion program override file

SA22-7520-17

The conversion program converts all entries in a PCF CKDS into ICSF entries. The conversion program also converts each type of PCF key into a specific ICSF key type. If you want the conversion program to bypass certain key entries or convert a specific key or key type differently than it does by default, use the override file.

By specifying override records, you can have the conversion program:

  • Bypass conversion of key entries
  • Include information in key entries
  • Convert key types differently than it does by default

These actions can relate to entries explicitly identified with a key label or entries that are identified globally.

You specify information in certain fields in an override record and leave other fields blank, depending on the action you want the conversion program to take. You can specify a global record affecting more than one PCF CKDS entry or a record that affects only one PCF CKDS entry.

All the override data set records should be in ascending sequence by key label and old key type. If you use global entries, they must be the initial entries in the override record. Table 24 shows the syntax of a record in the override file.

Note:
All the fields should contain character values and be left-justified.

If you specify a key label in an override record, the conversion program processes the key entry identified by that key label. If you do not specify a key label in an override record, you are using a global override record. The conversion program processes all the key labels that pertain to the information specified by the override file.

You can use a global override record to affect all the entries in a CKDS and then use override records to explicitly affect entries you did not want to have that global override record affect.

Table 24. Format of Records in the Override File
Column  Length  Description

1       8       Key Label

The key label of the PCF entry you want to convert.

The field can have these values:

  • Blanks
  • A key label existing in the PCF CKDS that you want to convert

9       1

This field must be blank.

10      8       Old Key Type

The key type of the key entry you want to convert in the PCF CKDS.

The field can have these values:

  • Blanks
  • LOCAL
  • REMOTE

18      1

This field must be blank.

19      8       New Key Type

The key type that you want the converted key entry to be in the ICSF CKDS. The master key variant for the key type enciphers the key in the ICSF CKDS entry that the conversion program creates.

The field can have these values:

  • Blanks
  • OPINENC
  • EXPORTER
  • IPINENC
  • IMPORTER

27      1

This field must be blank.

28      8       Ignored

In ICSF/MVS Version 1 Release 1, this field contained the key qualifier. The CKDS for ICSF/MVS Version 1 Release 2 or above does not support key qualifiers. If your installation has a PCF conversion program override file created with ICSF/MVS Version 1 Release 1, you can still use it with z/OS ICSF. Any key qualifier entries are ignored.

36      1

This field must be blank.

37      1       Bypass Flag

Used to indicate that an input CKDS entry is not to be included in the new ICSF CKDS. If you set this field to Y, the conversion program does not convert the entry.

The field can have these values:

  • Blank (same as N)
  • N
  • Y

38      1

This field must be blank.

39      52      Installation Data

Any additional information your installation records about a key. The information appears in the installation data field of the new ICSF CKDS.

The field can contain any value.
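
The column layout in Table 24 and the sequencing rule for override records can be checked before the conversion program is run. The following Python validator is an added example, not part of the IBM guide or of ICSF; the function names, the sample records, and the use of EBCDIC code page 037 to judge ascending sequence are assumptions.

```python
# Added example (not IBM code): validate override records against Table 24.
FIELDS = {"label": (1, 8), "old_type": (10, 8), "new_type": (19, 8),  # (column, length)
          "ignored": (28, 8), "bypass": (37, 1), "install_data": (39, 52)}
BLANK_COLUMNS = (9, 18, 27, 36, 38)
ALLOWED = {"old_type": {"", "LOCAL", "REMOTE"}, "bypass": {"", "N", "Y"},
           "new_type": {"", "OPINENC", "EXPORTER", "IPINENC", "IMPORTER"}}

def make_record(label="", old_type="", new_type="", bypass="", install_data=""):
    """Build one left-justified record with the separator columns blank."""
    return f"{label:<8} {old_type:<8} {new_type:<8} {'':8} {bypass:1} {install_data}".rstrip()

def parse_record(line):
    """Return (fields, errors) for one record; columns are 1-based as in Table 24."""
    rec = line.rstrip("\r\n").ljust(90)
    errors = [f"column {c} must be blank" for c in BLANK_COLUMNS if rec[c - 1] != " "]
    fields = {}
    for name, (start, length) in FIELDS.items():
        raw = rec[start - 1:start - 1 + length]
        if raw.strip() and raw[0] == " ":
            errors.append(f"{name} is not left-justified")
        fields[name] = raw.strip()
        if fields[name] not in ALLOWED.get(name, {fields[name]}):
            errors.append(f"{name} has unsupported value {fields[name]!r}")
    return fields, errors

def ebcdic_key(fields):
    # Assumption: sequence is compared in EBCDIC (cp037), where blank sorts lowest.
    return tuple(fields[n].ljust(8).encode("cp037") for n in ("label", "old_type"))

def check_file(lines):
    """Return [(record number, problem)] for layout and sequence errors."""
    problems, prev = [], None
    for n, line in enumerate(lines, 1):
        fields, errors = parse_record(line)
        problems += [(n, e) for e in errors]
        if prev and ebcdic_key(fields) < ebcdic_key(prev):
            late_global = not fields["label"] and prev["label"]
            problems.append((n, "global record follows an explicit record" if late_global
                             else "out of key label / old key type sequence"))
        prev = fields
    return problems

SAMPLE = [  # constructed records
    make_record(old_type="LOCAL", new_type="OPINENC", install_data="OPINENC FROM PIN.CKDS"),
    make_record("ATM03", bypass="Y"),
    "CRLABEL1    LOCAL  OPINENC",  # constructed: values right-justified in their fields
    make_record("LOLABEL1", "LOCAL", "EXPORTER"),
    make_record(old_type="REMOTE", bypass="Y"),  # constructed: global record placed last
]
print(*check_file(SAMPLE), sep="\n")
```

Because every field is positional, a value shifted by one column lands in a different field or in a separator column, so a record that reads correctly to the eye can still select the wrong key type for the converted entry.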

Bypassing Conversion of Entries

Using an override record, you can bypass a PCF entry so it is not converted and placed in the ICSF CKDS. You can use a global override record to bypass all the entries in the data set and then use explicit override records to convert certain entries. You can also convert most of a PCF CKDS and just bypass certain entries using explicit override records.

These are some examples of override records for bypassing conversion.

Example 1

This example shows an override record specifying that the conversion program not convert any PCF CKDS entry with a certain key label.

   EXTOATM3                            Y

The conversion program bypasses any PCF CKDS entry with the label EXTOATM3.

Example 2

This example shows an override record specifying that the conversion program not convert any PCF CKDS entry with a certain key label and key type.

   CRLABEL4 REMOTE                     Y

The conversion program bypasses any PCF CKDS entry with the label CRLABEL4 and key type REMOTE.

Example 3

This example shows a global override record specifying that the conversion program bypass all the entries in a PCF CKDS.

                                       Y

The conversion program does not convert any of the entries in the PCF CKDS.

After you specify this global override record, you can use explicit override records to convert certain entries in the PCF CKDS. For example, you can use an override record like this one to explicitly convert PCF entries with a certain label.

   ATM03                               N

In this example, the conversion program converts any PCF CKDS entry with the label ATM03.

Example 4

This example shows a global override record specifying that the conversion program bypass all the entries with a certain PCF key type in a PCF CKDS.

            REMOTE                     Y

The conversion program does not convert any of the entries with a key type of REMOTE in the PCF CKDS. After you specify this global override record, you can use explicit override records to convert specific entries with a key type of REMOTE in the PCF CKDS.

Programming Interface information

Including Information in a Key Entry

An ICSF key entry contains an installation data field that an installation can use to further identify a key. The installation data field contains any information that an installation wants to supply about a key.

PCF records contain an installation data field. The conversion program places the information in the field into the installation data field of the converted entry in the output ICSF CKDS. You can use an override record to specify installation data information for the converted entry in the output ICSF CKDS. The installation data information supplied in the override record overrides any information from the PCF installation data field. If you do not use an override record, the conversion program places any installation data from the PCF entry into the leftmost 8 bytes of the ICSF entry.

These are examples of override records for including key information.

Example 1

This example shows an override record providing the conversion program with installation data information to place in the ICSF CKDS for any converted PCF entry with a certain key label.

   ATMKEY12                              CONVERTED FROM CUSP1.CKDS 10/01/98

When the conversion program converts an entry that is labeled ATMKEY12, it places CONVERTED FROM CUSP1.CKDS 10/01/98 in the installation data field for the converted entry.

Example 2

This example shows an override record providing the conversion program with installation data information to place in the ICSF CKDS for any converted PCF entry with a certain key label and key type.

   LOCAL890 LOCAL                        CONVERTED FROM PCF12.CKDS

When the conversion program converts an entry that is labeled LOCAL890 with a key type of LOCAL, it places CONVERTED FROM PCF12.CKDS in the installation data field for the converted entry.

Example 3

This example shows a global override record that provides the conversion program with installation data information to place in the ICSF CKDS for all converted entries.

                                         CONVERTED FROM PCF10.CKDS

When the conversion program converts the PCF CKDS, it places CONVERTED FROM PCF10.CKDS in the installation data field. The information is placed into every converted key entry. After you specify this global override record, you can use explicit override records to provide different information for specific entries in the PCF CKDS.

End of Programming Interface information

Converting Key Types

By default, the conversion program converts PCF keys into certain ICSF key types. You can use the override file to override the defaults. For example:

  • Instead of automatically converting a PCF local key into a NOCV exporter key-encrypting key, you can convert the local key into an output PIN-encrypting key.
  • Instead of automatically converting a PCF remote key into a NOCV importer key-encrypting key, you can convert the remote key into an input PIN-encrypting key.
  • Instead of automatically converting a PCF cross key into a NOCV exporter key-encrypting key and a NOCV importer key-encrypting key, you can convert the cross key into an output PIN-encrypting key and an input PIN-encrypting key.

You can use a global override record to convert all keys of a certain type into a type other than the conversion program default key type. Then, using an explicit override record, you can specify that the conversion program convert a specific record into the default key type. For example, you can use a global override record to convert all remote keys into input PIN-encrypting keys, and then use an override record to convert specific remote entries into importer key-encrypting keys.

These are some examples of override records for key type conversion.

Example 1

This example shows an override record specifying that the conversion program convert a local key to an output PIN-encrypting key for any PCF CKDS entry with a certain key label. The override record also provides the conversion program with installation data.

   CRLABEL1 LOCAL    OPINENC             OPINENC FOR ATM123

When the conversion program converts any PCF entry labeled CRLABEL1 with a key type of local, it converts the key from a local key type to an output PIN-encrypting key type. The program also places OPINENC FOR ATM123 in the installation data field.

If you did not specify this override record, the conversion program would automatically convert the entry from a local key type to an exporter key-encrypting key type.

Example 2

This example shows an override record specifying that the conversion program convert a remote key to an input PIN-encrypting key for any PCF CKDS entry with a certain key label. The override record also provides the conversion program with installation data.

   CRLABEL2 REMOTE   IPINENC             IPINENC FOR ATM123

When the conversion program converts any PCF CKDS entry labeled CRLABEL2 with a key type of remote, it converts the key from a remote key type to an input PIN-encrypting key type. The program also places IPINENC FOR ATM123 in the installation data field.

If you did not specify this override record, the conversion program would automatically convert the entry from a remote key type to an importer key-encrypting key type.

Example 3

This example shows an override record specifying that the conversion program convert a local key to an exporter key-encrypting key for any PCF CKDS entry with a certain key label. The override record also provides the conversion program with installation data.

   LOLABEL1 LOCAL    EXPORTER            EXPORTER CONVERTED FROM CUSP12.CKDS

The conversion program automatically converts a local key to an exporter key-encrypting key. You can use this override record if you previously submitted an override record that had the conversion program convert all the local key types to output PIN-encrypting keys. You can use this override record to explicitly convert the key entry that is labeled LOLABEL1 from a local key type to an exporter key-encrypting key type.

With the example override record, when the conversion program converts any PCF entry labelled LOLABEL1 with a key type of local, it converts the key from a local key type to an exporter key-encrypting key type. The program also places EXPORTER CONVERTED FROM CUSP12.CKDS in the installation data field.

Example 4

This example shows an override record specifying that the conversion program convert a remote key to an importer key-encrypting key for any PCF CKDS entry with a certain key label. The override record also provides the conversion program with installation data.

   RECKDS12 REMOTE   IMPORTER            IMPORTER CONVERTED FROM CUSP12.CKDS

The conversion program automatically converts remote keys to importer key-encrypting keys. You can use this override record if you supplied an override record to convert all the remote key types to input key-encrypting keys. Use this override record to explicitly convert key entries labeled RECKDS12 from remote key types to importer key-encrypting key types.

With the example override record, when the conversion program converts any PCF entry labeled RECKDS12 with a key type of remote, it converts the key from a remote key type to an importer key-encrypting key type. The program also places IMPORTER CONVERTED FROM CUSP12.CKDS in the installation data field.

Example 5

This example shows a global override record specifying that the conversion program convert a local key to an output PIN-encrypting key for any PCF CKDS entry with a key type of local. The override record also provides the conversion program with installation data.

            LOCAL    OPINENC             OPINENC FROM CUSP.PIN12.CKDS

When the conversion program converts any PCF entry with a key type of local, the program converts the key from a local key type to an output PIN-encrypting key type. The program also places OPINENC FROM CUSP.PIN12.CKDS in the installation data field. After you specify this global override record, you can use explicit override records to place different installation data in the ICSF CKDS entries.

Example 6

This example shows a global override record specifying that the conversion program convert a remote key to an input PIN-encrypting key for any PCF CKDS entry with a key type of remote. The override record also provides the conversion program with installation data.

            REMOTE   IPINENC             IPINENC FROM CUSP.PIN12.CKDS

When the conversion program converts any CUSP/PCF entry with a key type of remote, it converts the key from a remote key type to an input PIN-encrypting key type. The program also places IPINENC FROM CUSP.PIN12.CKDS in the installation data field for the entry in the ICSF CKDS. After you specify this global override record, you can use explicit override records to place different installation data information in the ICSF CKDS entries.





Copyright IBM Corporation 1990, 2014