Examples of Control Statements
z/OS Cryptographic Services ICSF Administrator's Guide SA22-7521-17

Example 1: ADD Control Statement

This example shows a control statement that specifies that KGUP add an entry to the CKDS.

KGUP checks that an entry labeled DASDOCT93401E with a keytype of importer does not already exist in the CKDS. It also checks that there are no DATA, DATAXLAT, DATAM, DATAMV, MAC, MACVER, or NULL key entries with that label. Each of these keys requires a unique label. If the key entry already exists, KGUP stops processing the control statement. If the entry does not exist, KGUP creates the entry with a label of DASDOCT93401E and type of IMPORTER. KGUP generates a double-length key and encrypts the key under the master key variant for an importer key. KGUP places the key in the entry.

Note: Because neither the TRANSKEY nor CLEAR keyword is specified, KGUP does not create a complementary key. You cannot use this key to communicate with another system. You can, however, use the key to encipher a key stored with data in a file. IMPORTER, DATA, DATAM, and MAC are the only key types that do not require either the TRANSKEY or CLEAR keyword to be specified.

Example 2: ADD Control Statement with CLEAR Keyword

This example shows a control statement that specifies that KGUP add an entry to the CKDS. Because the CLEAR keyword is specified, KGUP processes this control statement only if ICSF is in special secure mode.

KGUP checks that an entry with the label ATMBRANCH5MO001 with the type EXPORTER does not already exist in the CKDS. It also checks that there are no DATA, DATAXLAT, DATAM, DATAMV, MAC, MACVER, or NULL key entries with that label. Each of these keys requires a unique label. If the entry already exists, KGUP stops processing the control statement. If the entry does not exist, KGUP creates the entry for the label specified and the type exporter. KGUP generates a double-length key, encrypts the key under the master key variant for an exporter key, and places the key in the entry.

KGUP stores information to the key output data set. You can send the information to another system that does not use KGUP. The other system uses the information to create the complements of the keys you created. The information contains the clear key value and specifies the key type as importer. For example, the control statement would be in this format:

The key value is the clear key value of the key created. The type of key is the complement of the type of key created.

Note: The key in the previous example is a mixed parity key. KGUP imports mixed parity keys, but issues a warning message.

Example 3: ADD Control Statement with one TRANSKEY Keyword

This example shows a control statement that specifies that KGUP add an entry to the CKDS. Because the TRANSKEY keyword is specified, KGUP also creates a control statement that another installation uses to create the complement of the key for PIN exchange.

KGUP checks that an entry with the label LOCTOJWL.JULY03 for an input PIN-encrypting key does not already exist in the CKDS. It also checks that there are no DATA, DATAM, DATAMV, MAC, MACVER, or NULL key entries with that label. Each of these keys requires a unique label. If the entry already exists, KGUP stops processing the control statement. If the entry does not exist, KGUP creates the entry with a label of LOCTOJWL.JULY03 and type of IPINENC. KGUP generates a double-length key. KGUP encrypts the key under the master key variant for an input PIN-encrypting key and places the key in the entry.

KGUP stores information to the key output data set. You can send the information to another system that does not use KGUP. The other system uses the information to create the complement of the key you created. The information contains the key in exportable form. The key is encrypted under the exporter key, labelled SENDJWL.JULY03, that was specified by the TRANSKEY keyword. The information specifies the key type as output PIN-encrypting key (OPINENC).

Note: If SENDJWL.JULY03 is an NOCV exporter, the exportable OPINENC key is encrypted without a control vector.

KGUP stores a control statement to the control statement output data set. You can send the control statement to another system. The other system's KGUP uses the statement to create a key that complements the key that you created. For example, the control statement would be in this format:

The key value is the encrypted value of the key that KGUP created. The key is encrypted under the exporter key, labeled SENDJWL.JULY03, which was the transport key label that was specified on the original control statement. The type of key is the complement of the type of key it created.

Example 4: ADD Control Statement with two TRANSKEY Keywords

This example shows a control statement specifying that KGUP create keys for key exchange between two other sites.

KGUP generates a key value and encrypts the value under the variants of the exporter key-encrypting keys that are specified by the TRANSKEY keyword. KGUP does not alter the CKDS in any way. KGUP stores these two control statements to the control statement output data set:

The control statements create keys that complement each other. You send the statements to two sites that want to exchange keys. The receiving sites process the statements to create a complementary pair of transport keys. KGUP also stores information to create the keys in the key output data set.

Example 5: ADD Control Statement with a Range of NULL Keys

This example shows a control statement that creates a range of empty key records in a CKDS. Once the key labels exist, you can enter key types and key values for these records in several ways. One method is to use KGUP to create UPDATE control statements. Another method is to write application programs that use the Key_Record_Write callable service to add key types and key values to the existing empty key records.

KGUP checks for any entries with labels between BRANCH5M001 and BRANCH5M0025 in the CKDS. If any entries in this range already exist, KGUP processes the control statement up to the point where a duplicate label is found. It then stops processing the control statement and issues error messages. If no entries exist, KGUP creates a range of 25 sequentially-numbered key records and adds them to the CKDS.

Example 6: ADD Control Statement with OUTTYPE and TRANSKEY Keywords

This example shows a control statement that specifies that KGUP add an entry with the key type of DATAM to the CKDS. The TRANSKEY keyword instructs KGUP to create a control statement for an intermediate node to use to create the complement DATAMV key for intermediate node data translation.

KGUP checks that an entry with the label DATAKEY.TO.TRANSLATION does not already exist in the CKDS, because DATAM keys require unique labels. If the entry already exists, KGUP stops processing the control statement. If the entry does not exist, KGUP creates the entry with a label of DATAKEY.TO.TRANSLATION and a type of DATAM. KGUP then generates a single-length key, encrypts the key under the master key variant for a DATAM key, and places the key in the CKDS entry.

KGUP stores information to the key output data set. You can send the information to another system that does not use KGUP. The other system uses the information to create the complement of the key you created. The information contains the key value of the key in exportable form. The key is encrypted under the exporter key, labeled TKBRANCH2.INTER, that was specified by the TRANSKEY keyword. The information specifies the key type as data-translation key (DATAMV).

KGUP stores a control statement to the control statement output data set. You can send the control statement to another system. The other system's KGUP uses the statement to create a key that complements the key you created. For example, the control statement would be in this format:

The key value is the encrypted value of the key that KGUP created. The key is encrypted under the exporter key, labelled TKBRANCH2.INTER, which was the transport key label that was specified on the original control statement. The type of key is the complement of the type of key it created.

Example 7: UPDATE Control Statement with Key Value and Transkey Keywords

This example shows a control statement that specifies that KGUP import a key value. KGUP places the key value into an entry in the CKDS that already exists.

The key value on the control statement is encrypted under a transport key that is shared with another system. The label for the transport key is TKBRANCH5JUNE99. KGUP uses the importer key labelled TKBRANCH5JUNE99 to decrypt the key value. KGUP encrypts the key value under the master key variant for a PIN verification key. KGUP then places the key in a key entry labelled PINVBRANCH5M0002 with the type PINVER in the CKDS.

Example 8: DELETE Control Statement

This example shows a control statement that specifies that KGUP delete an entry from the CKDS.

KGUP deletes the entry with a label of GENBRANCH2M0003 and type of PIN generation key from the CKDS. If KGUP cannot find the entry, KGUP gives you an error message.

Example 9: RENAME Control Statement

This example shows a control statement that specifies that KGUP rename an entry in the CKDS.

KGUP checks whether an entry with a label of JWL@SSIJUNE99 and a key type of EXPORTER already exists in the CKDS. If the entry does exist, KGUP does not process the control statement. KGUP checks whether an entry with the label JWL@SSIDEC97 and a key type of EXPORTER exists. If the entry exists, KGUP renames the entry to JWL@SSIJUNE99.

Example 10: SET Control Statement

This example shows a control statement that specifies that KGUP send certain installation data every time an exit is called during KGUP processing. KGUP sends the data every time an exit is called until KGUP encounters another SET statement or the job stream completes.

KGUP sends the installation data each time an installation exit is called during KGUP processing.

Example 11: OPKYLOAD Control Statement

This example shows a control statement to load a key into the CKDS from a PCIXCC, CEX2C, or CEX3C. The serial number of the card is 94000011. A key has been loaded on the card with the label ERC033.DEC50.

KGUP checks the CKDS for the label and will fail if the label exists. KGUP then queries the PCIXCC, CEX2C or CEX3C to see if the key exists on the card. If the key exists, the key token is retrieved from the card and loaded into the CKDS.

Example 12: OPKYLOAD Control Statement for NOCV Key-encrypting Keys

This example shows a control statement to load a key into the CKDS from a PCIXCC, CEX2C, or CEX3C where the key is a key-encrypting key to be used as a NOCV KEK. The serial number of the card is 94000064. A key has been loaded on the card with the label ERC033.NOCV.IMPORTER.

KGUP checks the CKDS for the label and will fail if the label exists. KGUP then queries the PCIXCC, CEX2C, or CEX3C to see if the key exists on the card. If the key exists, the key token is retrieved from the card. If the key is a key-encrypting key with the default control vector, the NOCV token flag is set. The token is then loaded into the CKDS.

Example 13 – ADD control statement with CLRDES keyword

This example shows a control statement that adds a CLRDES key to the CKDS with a random 8 byte key.

Example 14 – ADD control statement to add a group of CLRDES keys

This example shows a control statement that adds a group of CLRDES keys to the CKDS. Key value is generated.

Example 15 – ADD control statement to add a group of CLRDES keys

This example shows a control statement that adds a group of CLRDES keys. The clear key value is specified.

Example 16 – ADD control statement to add a range of CLRDES keys

This example shows a control statement that adds a range of CLRDES keys. A different key value is generated for each key label.

Example 17 – UPDATE control statement with CLRDES keyword

This example shows a control statement that changes a CLRDES key.

Example 18 – UPDATE control statement with CLRDES keyword

This example shows a control statement that changes a range of CLRDES keys.

Example 19 – DELETE control statement with CLRDES keyword

This example shows a control statement that deletes a CLRDES key.

Example 20 – DELETE control statement to delete a group of CLRDES key labels

This example shows a control statement that deletes a group of CLRDES keys.

Example 21 – RENAME Control Statement with CLRDES Keyword

This example shows a control statement that renames a CLRDES key.

Example 22 – ADD Control Statement with CLRAES Keyword

This example shows a control statement that adds a CLRAES key to the CKDS with a random 16 byte key.

Example 23 – ADD Control Statement to Add a Group of CLRAES Keys

This example shows a control statement that adds a group of CLRAES keys to the CKDS. Key value is generated.

Example 24 – ADD Control Statement to Add a Group of CLRAES Keys

This example shows a control statement that adds a group of CLRAES keys. The clear key value is specified.

Example 25 – ADD Control Statement to Add a Range of CLRAES Keys

This example shows a control statement that adds a range of CLRAES keys. A different key value is generated for each key label.

Example 26 – UPDATE Control Statement with CLRAES Keyword

This example shows a control statement that changes a CLRAES key.

Example 27 – UPDATE Control Statement with CLRAES Keyword

This example shows a control statement that changes a range of CLRAES keys.

Example 28 – DELETE Control Statement with CLRAES Keyword

This example shows a control statement that deletes a CLRAES key.

Example 29 – DELETE Control Statement to Delete a Group of CLRAES Key Labels

This example shows a control statement that deletes a group of CLRAES keys.

Example 30 – RENAME Control Statement with CLRAES Keyword

This example shows a control statement that renames a CLRAES key.

Example 31 – ADD Control Statement for ALGORITHM keyword

This example shows a control statement that adds an AES DATA key to the CKDS with a random 128-bit key value.

This example shows a control statement that adds a DES DATA key to the CKDS with a random 16-byte key value.

This example shows a control statement that adds a group of AES DATA keys to the CKDS. A different key value will be generated for each label.

This example shows a control statement that adds a group of DES DATA keys to the CKDS. A different key value will be generated for each label.

This example shows a control statement that adds a group of AES DATA keys. The clear key value is specified.

This example shows a control statement that adds a group of DES DATA keys to the CKDS. A different key value will be generated for each label.

Example 32 – UPDATE Control Statement with the ALGORITHM keyword

This example shows a control statement that changes an AES DATA key.

This example shows a control statement that changes a range of DES keys.

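The duplicate-label checks that Examples 1, 2, 3 and 6 describe for ADD, together with the CLEAR and TRANSKEY side effects, modelled as a review function that can be run over a planned statement before the job is submitted. This is an added example, not IBM code and not KGUP itself: `review_add`, its parameters and the `SAMPLE_CKDS` contents are assumptions made for illustration, and the CKDS is represented as a set of (label, key type) pairs rather than read from a real data set.

```python
# Added example: models the ADD pre-checks described in Examples 1, 2, 3 and 6.
# It does not parse control statements; inputs are already-split fields.

# Key types whose label no other entry may share (list from Examples 1 and 2).
UNIQUE_LABEL_TYPES = {"DATA", "DATAXLAT", "DATAM", "DATAMV", "MAC", "MACVER", "NULL"}

# Complement pairs the page names (Examples 2, 3 and 6), usable in both directions.
_PAIRS = [("EXPORTER", "IMPORTER"), ("IPINENC", "OPINENC"), ("DATAM", "DATAMV")]
COMPLEMENT = dict(_PAIRS)
COMPLEMENT.update({b: a for a, b in _PAIRS})


def review_add(ckds, label, key_type, transkey=None, clear=False,
               special_secure_mode=False):
    """Return {'stop': [...], 'notes': [...]} for one proposed ADD."""
    stop, notes = [], []
    types_at_label = {t for (lbl, t) in ckds if lbl == label}

    if key_type in types_at_label:
        # Same label and same type already present.
        stop.append(f"{label} already exists with type {key_type}")
    elif types_at_label & UNIQUE_LABEL_TYPES:
        # An existing entry of a unique-label type owns this label.
        clash = sorted(types_at_label & UNIQUE_LABEL_TYPES)
        stop.append(f"{label} is held by unique-label type(s) {clash}")
    elif key_type in UNIQUE_LABEL_TYPES and types_at_label:
        # The new key itself needs a label nobody else uses (Example 6).
        stop.append(f"{key_type} needs a unique label; {label} is in use")

    if clear and not special_secure_mode:
        stop.append("CLEAR is processed only in special secure mode")
    if clear:
        notes.append("clear key value is written to the key output data set")
    if transkey:
        notes.append(f"key is exported under transport key {transkey}")
    if clear or transkey:
        partner = COMPLEMENT.get(key_type, "unknown (not listed on this page)")
        notes.append(f"partner system creates type {partner}")
    return {"stop": stop, "notes": notes}


# Constructed sample CKDS contents (labels borrowed from the page's examples).
SAMPLE_CKDS = {("DASDOCT93401E", "EXPORTER"), ("ATMBRANCH5MO001", "MAC")}
```

An empty `stop` list means none of the modelled checks would halt the statement; the `notes` list flags where key material leaves the CKDS, which is the part worth reviewing before a CLEAR or TRANSKEY statement runs.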
Copyright IBM Corporation 1990, 2014