Entering keys into the cryptographic key data set (CKDS)
z/OS Cryptographic Services ICSF Administrator's Guide, SA22-7521-17
All DES, AES, and HMAC keys (except for master keys) can be stored in the CKDS.

Note: FMID HCR7780 introduced a new variable-length record format for CKDS records. HMAC keys, also introduced in FMID HCR7780, are variable-length keys. Variable-length AES keys are introduced in FMID HCR7790. To store variable-length keys in the CKDS, the CKDS must first have been converted to the variable-length record format. ICSF provides a CKDS conversion program, CSFCNV2, that converts a fixed-length record format CKDS to a variable-length record format. For more information on this utility, refer to z/OS Cryptographic Services ICSF System Programmer's Guide.

There are several methods you can use to enter keys into the CKDS. Table 2 shows which keys can be entered by each of these methods.
Notes:
Entering keys by using the key generator utility program

One function that KGUP performs is to enter key values that you supply into the CKDS. You can enter a clear or encrypted key value by using KGUP. You submit KGUP control statements to specify the function that you want KGUP to perform. To enter a key, you specify the key value in a KGUP control statement; the value can be either encrypted or clear.

When you enter an encrypted key value, the key value must be encrypted under an importer key-encrypting key that exists in the CKDS. You use the KGUP control statement to specify which importer key-encrypting key encrypts the key. KGUP reenciphers the key from under the importer key-encrypting key to under the master key and places the key in the CKDS.

When you enter a clear key value, KGUP enciphers the clear key value under the master key and places the key in the CKDS. Because entering clear keys may endanger security, ICSF must be in special secure mode before you can enter a clear key by using KGUP. Special secure mode lowers the security of your system to allow you to use KGUP to enter clear keys, and to produce clear PINs.

Special Secure Mode

To use special secure mode, several conditions must be met.

If these conditions permit the use of special secure mode, it is enabled automatically when you specify that you are entering clear key values in a KGUP statement. For a detailed description of how to use KGUP to enter keys, see Managing Cryptographic Keys Using the Key Generator Utility Program.

Entering keys by using the dynamic CKDS update services

ICSF provides a set of callable services that allow applications to dynamically update the CKDS. Applications can use these services to create, write, and delete records from the CKDS. These dynamic updates affect both the DASD copy of the CKDS currently in use and the in-storage copy. Another service allows an application to retrieve the key token from a record in the in-storage CKDS. That token can be used directly in subsequent calls to cryptographic services. The key part import callable service combines the clear key parts and returns the key value either in an internal key token or as a dynamic update to the CKDS. For more information on using the dynamic CKDS update services or the key part import service, refer to z/OS Cryptographic Services ICSF Application Programmer's Guide.
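The following Python model is an added example; it is not part of the ICSF documentation and is not KGUP or ICSF code. It walks through the two KGUP key-entry paths described in the KGUP section above: a clear key value, which is accepted only while special secure mode is on and is enciphered under the master key, and an encrypted key value, which must be enciphered under an importer key-encrypting key already in the CKDS and is reenciphered from under that importer to under the master key. The ADD statement shape (TYPE, LABEL, KEY, CLEAR and TRANSKEY keywords), the record layout, the master key value and all labels and key values are assumptions constructed for this example, and the encipherment is a toy SHA-256 XOR keystream standing in for the CCA algorithms ICSF actually uses.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed placeholder standing in for the master key; never a real key.
MASTER_KEY = bytes.fromhex("0F" * 16)


def _keystream(wrapping_key: bytes, length: int) -> bytes:
    """Toy keystream derived from the wrapping key (SHA-256 in counter mode).
    Stand-in for CCA encipherment, used only to make the key flow observable."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(wrapping_key + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def encipher(key: bytes, under: bytes) -> bytes:
    """Encipher a key value under a wrapping key (XOR with the toy keystream)."""
    return bytes(a ^ b for a, b in zip(key, _keystream(under, len(key))))


decipher = encipher  # XOR with the same keystream reverses the operation


@dataclass
class CkdsRecord:
    label: str
    key_type: str      # e.g. DATA or IMPORTER
    under_mk: bytes    # key value as stored: enciphered under the master key


@dataclass
class Ckds:
    """In-storage view of the CKDS, keyed by label."""
    records: dict = field(default_factory=dict)


def parse_add(statement: str) -> dict:
    """Parse a minimal ADD control statement into keyword -> value.
    The shape is modelled on KGUP's ADD statement (an assumption here)."""
    verb, _, rest = statement.strip().partition(" ")
    if verb.upper() != "ADD":
        raise ValueError(f"only ADD is modelled here, got {verb!r}")
    fields = {k.upper(): v for k, v in re.findall(r"(\w+)\(([^)]*)\)", rest)}
    fields["CLEAR"] = bool(re.search(r"(^|,)\s*CLEAR\s*(,|$)", rest.upper()))
    for required in ("TYPE", "LABEL", "KEY"):
        if required not in fields:
            raise ValueError(f"ADD statement is missing {required}(...)")
    return fields


def kgup_add(ckds: Ckds, statement: str, special_secure_mode: bool) -> CkdsRecord:
    """Enter one key into the CKDS following the two paths the page describes."""
    f = parse_add(statement)
    supplied = bytes.fromhex(f["KEY"])
    if f["CLEAR"]:
        # Clear path: permitted only while ICSF is in special secure mode.
        if not special_secure_mode:
            raise PermissionError("CLEAR key entry requires special secure mode")
        clear_key = supplied
    elif "TRANSKEY" in f:
        # Encrypted path: the supplied value must be enciphered under an
        # importer key-encrypting key that already exists in the CKDS.
        kek = ckds.records.get(f["TRANSKEY"])
        if kek is None or kek.key_type != "IMPORTER":
            raise LookupError(f"TRANSKEY {f['TRANSKEY']!r} is not an IMPORTER in the CKDS")
        kek_clear = decipher(kek.under_mk, MASTER_KEY)  # recovered inside the boundary
        clear_key = decipher(supplied, kek_clear)
    else:
        raise ValueError("ADD needs either CLEAR or TRANSKEY(...)")
    # Either way the key is stored enciphered under the master key, never in the clear.
    rec = CkdsRecord(f["LABEL"], f["TYPE"].upper(), encipher(clear_key, MASTER_KEY))
    ckds.records[rec.label] = rec
    return rec


if __name__ == "__main__":
    ckds = Ckds()
    importer = bytes.fromhex("11" * 16)   # constructed importer KEK value
    data_key = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed
    kgup_add(ckds, f"ADD TYPE(IMPORTER),LABEL(IMPORTER.KEK.001),CLEAR,KEY({importer.hex()})",
             special_secure_mode=True)
    rec = kgup_add(ckds, "ADD TYPE(DATA),LABEL(DATA.KEY.001),TRANSKEY(IMPORTER.KEK.001),"
                   f"KEY({encipher(data_key, importer).hex()})", special_secure_mode=False)
    print("stored under MK:", rec.under_mk.hex())
```

The importer itself is installed through the clear path with special secure mode on, which is the bootstrap step; once it exists, every further key can arrive encrypted under it with special secure mode off, and the clear value of the data key never appears in the control statement. The example also shows the two refusals the page implies: a CLEAR statement outside special secure mode, and a TRANSKEY that does not name an importer key-encrypting key in the CKDS.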
Copyright IBM Corporation 1990, 2014