This task applies only to CCF systems. It does not apply to z890,
z990, z9, z10, or z196 systems.
Run the JCL to set the SMP/E pass phrase for SMP/E electronic delivery
only.
The JCL uses a pass phrase value to load the DES and PKA master
keys. The DES and PKA master keys will be set in the Cryptographic
Coprocessor Feature. The default pass phrase is "Change This Pass
Phrase".
The entry point is CSFEUTIL, which takes two or, optionally, three
parameters. The first parameter must be the CKDS name. The second
parameter (optional) is the pass phrase. The last parameter is the
function PPINIT. If you do not use the default pass phrase and create
your own:
- It must be sixteen to sixty-four bytes in length.
- Any EBCDIC character is allowed.
- Leading and trailing blanks will be removed.
- Embedded blanks are allowed.
Important: The same pass phrase will always produce the same master
key values, and is therefore as critical and sensitive as the master
key values themselves. Make sure you save the pass phrase so that you
can later reenter it if needed (for example, if you need to restore
master key values that have been cleared).
See this example:
//CSFSETMK JOB (JOB CARD PARAMETERS)
//********************************************************************
//* Licensed Materials - Property of IBM *
//* 5694-A01 *
//* (C) Copyright IBM Corp. 2002 *
//* *
//* THIS JCL USES A PASS PHRASE VALUE TO LOAD DES AND PKA MASTER KEYS*
//* *
//* CAUTION: This is neither a JCL procedure nor a complete JOB. *
//* Before using this JOB step, you will have to make the following *
//* modifications: *
//* *
//* 1) Add the job parameters to meet your system requirements. *
//* 2) The first parameter must be the CKDS name *
//* 3) An optional second parameter may be used. The second *
//* parameter must be 16-64 character pass phrase. *
//* For the pass phrase any EBCDIC character is allowed. *
//* Leading and trailing blanks will be removed. *
//* Embedded blanks are allowed. *
//* It is STRONGLY recommended that the pass phrase NOT contain *
//* any commas. Commas are used as a delimiter for the *
//* parameters of the CSFEUTIL program. *
//* 4) The last parameter must be the function PPINIT. *
//* 5) If the default pass phrase of "Change This Pass Phrase" *
//* is desired, the PARM= would look like this: *
//* PARM='CSF.CSFCKDS,PPINIT' *
//* *
//* If a customer selected pass phrase is to be used the *
//* PARM= would look like this: *
//* PARM='CSF.CSFCKDS,Different Pass Phrase,PPINIT' *
//* *
//********************************************************************
//* User supplied pass phrase of Different Pass Phrase
//STEP EXEC PGM=CSFEUTIL,
// PARM='CSF.CSFCKDS,Different Pass Phrase,PPINIT'
//SYSPRINT DD SYSOUT=*
//*
OR:
//* Using the default pass phrase of Change This Pass Phrase
//STEP EXEC PGM=CSFEUTIL,
// PARM='CSF.CSFCKDS,PPINIT'
//SYSPRINT DD SYSOUT=*
//*
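The pass phrase rules above (16 to 64 bytes once leading and trailing blanks are removed, EBCDIC characters only, commas discouraged because they delimit the CSFEUTIL parameters) can be checked before the job is submitted. The Python below is an added example, not IBM code: the cp037 code page is an assumed site setting, the 100-character PARM limit is a general JCL rule not stated on this page, and rejecting the default pass phrase is a policy choice of the example.

```python
# Added example: pre-submission check of a PPINIT pass phrase.
DEFAULT_PHRASE = "Change This Pass Phrase"  # default named on this page
EBCDIC_CODEC = "cp037"   # assumption: the site's EBCDIC code page
JCL_PARM_MAX = 100       # general JCL limit on PARM length (not from this page)


def check_pass_phrase(phrase, ckds="CSF.CSFCKDS"):
    """Return a list of problems; an empty list means the phrase passes."""
    problems = []
    # Leading and trailing blanks are removed, so every check is made on
    # the trimmed value; embedded blanks are kept.
    trimmed = phrase.strip(" ")
    try:
        raw = trimmed.encode(EBCDIC_CODEC)
    except UnicodeEncodeError as exc:
        bad = exc.object[exc.start]
        return [f"character {bad!r} has no {EBCDIC_CODEC} encoding"]
    if not 16 <= len(raw) <= 64:
        problems.append(f"length is {len(raw)} bytes; must be 16 to 64")
    if "," in trimmed:
        problems.append("contains a comma, the CSFEUTIL parameter delimiter")
    if trimmed == DEFAULT_PHRASE:
        # The same phrase always yields the same master keys, so a
        # published default yields keys that anyone can reproduce.
        problems.append("is the published default pass phrase")
    parm = f"{ckds},{trimmed},PPINIT"
    if len(parm) > JCL_PARM_MAX:
        problems.append(
            f"PARM value is {len(parm)} characters; limit is {JCL_PARM_MAX}")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not values from a real system.
    samples = [
        "Different Pass Phrase",
        "   short phrase   ",
        "alpha,bravo,charlie,delta",
        DEFAULT_PHRASE,
    ]
    for sample in samples:
        print(repr(sample), "->", check_pass_phrase(sample) or "ok")
```
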
To run the CSFSETMK job successfully, determine whether the following
services are RACF protected in the CSFSERV class. If the services
are not RACF protected in the CSFSERV class, then nothing needs to
be done. If the services are protected in the CSFSERV class, then
the issuer of the CSFSETMK JCL must be permitted to the profile for
each service:
- CSFOWH
- CSFPMCI
- CSFCMK
- CSFREFR