z/OS Cryptographic Services ICSF Administrator's Guide


Scenario of Two ICSF Systems Establishing Initial Transport Keys

SA22-7521-17

This scenario describes how two ICSF systems, System A and System B, establish initial transport keys between themselves. They establish two pairs of complementary importer and exporter keys at each location, as shown in Figure 166.

The systems then use these importer and exporter keys to exchange further keys. First the ICSF administrators at the two locations establish the complementary transport keys used to send keys from System A to System B. These keys are the Exporter ATOB key at System A and the Importer ATOB key at System B.

The ICSF administrator at System A submits this control statement to System A's KGUP to create the Exporter ATOB key.

   ADD  LABEL(ATOB)  TYPE(EXPORTER)  CLEAR

KGUP processes this control statement to generate the Exporter ATOB key and places the key in System A's CKDS. Because the statement specifies CLEAR, KGUP also writes a record containing the clear key value to the key output data set (the CSFKEYS DD). That clear value is used to build the complementary control statement for System B:

   ADD  LABEL(ATOB)  TYPE(IMPORTER)  CLEAR,
   KEY(B2403EF8125A036F,239AC35A72941EF2)

System B uses this control statement to create the Importer ATOB key. The KEY value in the statement is the clear value of the Exporter ATOB key, so System A must not send the statement over the network: anyone who reads it in transit obtains the transport key, and with it every key later exchanged under that key. System A has a courier deliver the control statement to System B.

The administrator at System B submits the control statement to its KGUP. KGUP processes the control statement to create the ATOB importer key. The ATOB exporter key at System A and the ATOB importer key at System B are complementary keys.

This procedure creates a pair of complementary transport keys for keys sent from System A to System B. When System A sends a key to System B it enciphers the key using the ATOB exporter key. When System B receives the key, System B deciphers the key using the ATOB importer key.

Then the ICSF administrators at the two locations establish the complementary transport keys to send keys from System B to System A. These keys are the Importer BTOA key at System A and the Exporter BTOA key at System B.

The ICSF administrator at System A submits this control statement to System A's KGUP to generate the Importer BTOA key.

   ADD  LABEL(BTOA)  TYPE(IMPORTER)  TRANSKEY(ATOB)

KGUP processes this control statement to generate the Importer BTOA key and places the key in System A's CKDS. KGUP also creates the following control statement and places it in the control statement output data set (the CSFSTMNT DD).

   ADD  LABEL(BTOA)  TYPE(EXPORTER)  TRANSKEY(ATOB),
   KEY(AF04C35A7F1C9636,03CBB854653A0BCF)

System A can send this control statement to System B, and System B can use the statement to create the Exporter BTOA key. The key value in this control statement is the value of the Importer BTOA key enciphered under the Exporter ATOB key. Because the key value is enciphered, System A can send this statement to System B over the network; only a system holding the complementary Importer ATOB key can recover the clear value.

The ICSF administrator at System B submits the control statement to its KGUP. KGUP deciphers the key value under the Importer ATOB key and stores the result as the Exporter BTOA key. The Importer BTOA key at System A and the Exporter BTOA key at System B are complementary keys.

This procedure creates a pair of complementary transport keys for keys sent from System B to System A. When System B sends a key to System A, System B enciphers the key using the Exporter BTOA key. When System A receives the key, System A deciphers the key using the Importer BTOA key.

These two procedures establish two pairs of complementary transport keys, one key of each pair at each facility, which allows key exchange in both directions between the two facilities.
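To make the two exchanges concrete, the following added example (not IBM code; KGUP, ICSF and CCA do not work this way internally) models both systems' KGUP runs in Python: an in-memory CKDS per system, a kgup_add function that processes one ADD control statement and emits the complementary statement for the other system, and a run_scenario function that replays the four statements above. The wrap/unwrap pair is a stand-in keystream XOR for the TDES wrapping that CCA really applies to a key enciphered under a transport key; CKDS, kgup_add, run_scenario, counter_rng and the special_secure_mode flag are names invented for the example. The model also enforces the two checks the scenario relies on: a clear key is generated or accepted only when special secure mode is on, and a received key is deciphered only under an IMPORTER, so the statement meant for System B is rejected if it is fed back to System A.

```python
import hashlib
import hmac
import os
import re

# Constructed model of the bootstrap described on this page. It is an added
# example, not IBM code: KGUP, ICSF and CCA do not work like this internally,
# and wrap/unwrap below is a stand-in (HMAC-SHA256 keystream XOR) for the TDES
# wrapping CCA really applies to a key enciphered under a transport key.

COMPLEMENT = {"EXPORTER": "IMPORTER", "IMPORTER": "EXPORTER"}
STMT_RE = re.compile(r"ADD LABEL\((\w+)\) TYPE\((EXPORTER|IMPORTER)\)(.*)")


class SpecialSecureModeRequired(Exception):
    """KGUP will not generate or accept a clear key unless special secure mode is on."""


class CKDS:
    """In-memory model of one system's cryptographic key data set."""

    def __init__(self, system):
        self.system = system
        self.keys = {}  # label -> (key type, 16-byte key value)


def wrap(kek, key):
    """Stand-in key-wrap: XOR the 16-byte key with a keystream derived from the KEK."""
    pad = hmac.new(kek, b"transport-key-wrap", hashlib.sha256).digest()[:16]
    return bytes(x ^ y for x, y in zip(key, pad))


unwrap = wrap  # XOR with the same keystream undoes the wrap


def fmt_key(value):
    h = value.hex().upper()
    return f"KEY({h[:16]},{h[16:]})"  # two 8-byte halves, as KGUP prints them


def kgup_add(ckds, statement, special_secure_mode=False, rng=os.urandom):
    """Process one ADD control statement against a CKDS.

    Returns the complementary statement KGUP writes for the other system, or
    None when the statement itself carried a KEY value (receiving side).
    """
    m = STMT_RE.match(" ".join(statement.split()))  # fold continuation lines
    if not m:
        raise ValueError("unrecognised control statement: " + statement)
    label, ktype, rest = m.groups()
    clear = "CLEAR" in rest
    trans = re.search(r"TRANSKEY\((\w+)\)", rest)
    keyarg = re.search(r"\bKEY\(([0-9A-Fa-f,]+)\)", rest)  # \b skips TRANSKEY(...)
    if clear and not special_secure_mode:
        raise SpecialSecureModeRequired(f"{ckds.system}: CLEAR on {label} needs special secure mode")

    if keyarg:  # receiving side: install the supplied value, deciphering it if enciphered
        value = bytes.fromhex(keyarg.group(1).replace(",", ""))
        if trans:
            ttype, kek = ckds.keys[trans.group(1)]
            if ttype != "IMPORTER":
                raise ValueError("a received key is deciphered under an IMPORTER")
            value = unwrap(kek, value)
        ckds.keys[label] = (ktype, value)
        return None

    value = rng(16)  # generating side: new key, then the statement for the other system
    ckds.keys[label] = (ktype, value)
    if trans:
        ttype, kek = ckds.keys[trans.group(1)]
        if ttype != "EXPORTER":
            raise ValueError("a key is enciphered for another system under an EXPORTER")
        return (f"ADD LABEL({label}) TYPE({COMPLEMENT[ktype]}) "
                f"TRANSKEY({trans.group(1)}), {fmt_key(wrap(kek, value))}")
    return f"ADD LABEL({label}) TYPE({COMPLEMENT[ktype]}) CLEAR, {fmt_key(value)}"


def counter_rng(seed):
    """Deterministic stand-in for os.urandom so a run can be reproduced (demo only)."""
    state = [0]

    def rng(n):
        state[0] += 1
        return hashlib.sha256(seed + state[0].to_bytes(4, "big")).digest()[:n]

    return rng


def run_scenario(rng=os.urandom):
    """Replay the scenario; return both CKDSs and the two statements A hands to B."""
    a, b = CKDS("System A"), CKDS("System B")
    # Step 1: A generates the Exporter ATOB key; its clear complement goes to B by courier.
    courier = kgup_add(a, "ADD LABEL(ATOB) TYPE(EXPORTER) CLEAR", special_secure_mode=True, rng=rng)
    kgup_add(b, courier, special_secure_mode=True)
    # Step 2: A generates the Importer BTOA key enciphered under ATOB; this may use the network.
    network = kgup_add(a, "ADD LABEL(BTOA) TYPE(IMPORTER) TRANSKEY(ATOB)", rng=rng)
    kgup_add(b, network)
    return a, b, courier, network


if __name__ == "__main__":
    a, b, courier, network = run_scenario()
    print("By courier  :", courier)
    print("Over network:", network)
    print("ATOB match:", a.keys["ATOB"][1] == b.keys["ATOB"][1],
          "BTOA match:", a.keys["BTOA"][1] == b.keys["BTOA"][1])
```

Running the block prints the courier and network statements from a random run: the clear ATOB value is visible in the first and absent from the second, which is why the page routes the first by courier and allows the second over the network. Feeding the network statement back to System A fails, because System A holds the ATOB exporter, not the importer the statement must be deciphered under.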

Notes:
  1. The special secure mode must be enabled at a system while KGUP generates or receives a clear key value there: at System A when it creates the Exporter ATOB key, and at System B when it installs the clear Importer ATOB key. The BTOA statements carry an enciphered key value and do not need it.
  2. The ICSF administrator at System A can submit both ADD control statements meant for processing at System A in the same KGUP job, with the ATOB statement first, because the BTOA statement's TRANSKEY(ATOB) refers to the key it creates.
  3. The ICSF administrator at System B can submit both ADD control statements meant for processing at System B in the same KGUP job, again with the ATOB statement first, because the Importer ATOB key must exist before the enciphered BTOA value can be deciphered under it.

Copyright IBM Corporation 1990, 2014