Scenario of an ICSF System and a PCF System Establishing Initial Transport Keys
z/OS Cryptographic Services ICSF Administrator's Guide SA22-7521-17
This scenario describes how an ICSF system and a PCF system establish initial transport keys between themselves. They establish two pairs of complementary importer and exporter keys at each location, as shown in Figure 167. The systems can use these importer and exporter keys during key exchange. First the ICSF administrators at the two locations establish the complementary transport keys to send keys from ICSF System A to PCF System B. These keys are the Exporter ATOB key at ICSF System A and the Remote ATOB key at PCF System B. The ICSF administrator at ICSF System A submits this control statement to ICSF System A's KGUP to create the Exporter ATOB key.
Note: If System B is a PCF system, the ICSF administrator must also specify the keyword SINGLE on this control statement.
KGUP processes this control statement to generate the Exporter ATOB key and places the key in ICSF System A's CKDS. KGUP also creates this control statement and places the statement in the control statement output data set.
ICSF System A needs to send this control statement to PCF System B so that PCF System B can create the Remote ATOB key. The key value in this control statement is the clear value of the ATOB exporter key. ICSF System A does not send this control statement to PCF System B over the network, because the key value is a clear key value. ICSF System A has a courier deliver the control statement to System B. The administrator at either system must change the ICSF control statement format into the PCF control statement format. The administrator could also use information from the key output data set to create the PCF control statement. The control statement submitted at PCF System B would have this syntax:
The administrator at PCF System B submits the control statement to the PCF key generation utility program, which processes the control statement to create the ATOB Remote key. The ATOB Exporter key at System A and the ATOB Remote key at PCF System B are complementary keys. This procedure creates a pair of complementary transport keys for keys sent from ICSF System A to PCF System B. When ICSF System A sends a key to PCF System B, System A enciphers the key using the ATOB exporter key. When PCF System B receives the key, PCF System B deciphers the key using the Remote ATOB key. Then the ICSF administrators at the two locations establish the complementary transport keys to send keys from PCF System B to ICSF System A. These keys are the Importer BTOA key at ICSF System A and the Local BTOA key at PCF System B. The ICSF administrator at ICSF System A submits this control statement to ICSF System A's KGUP to generate the Importer BTOA key.
KGUP processes this control statement to generate the Importer BTOA key and places the key in ICSF System A's CKDS. KGUP also creates this control statement and places the statement in the control statement output data set.
System A can send this control statement to System B, which can then use it to create the Local BTOA key. The key value in this control statement is the clear value of the BTOA importer key. ICSF System A does not send this control statement to PCF System B over the network, because the key value is a clear key value. ICSF System A has a courier deliver the control statement to PCF System B. The administrator at either system must change the ICSF control statement format into the PCF control statement format. The administrator can also use information from the key output data set to create the PCF control statement. The control statement submitted at PCF System B would have this syntax:
The administrator at PCF System B submits the control statement to the PCF key generation utility program, which processes the control statement to generate the Local BTOA key. The Importer BTOA key at ICSF System A and the Local BTOA key at PCF System B are complementary keys.
Note: A single PCF key generation control statement can be used to generate both Remote and Local BTOA keys, also called a CROSS key pair.
This procedure creates a pair of complementary transport keys for keys sent from PCF System B to ICSF System A. When PCF System B sends a key to ICSF System A, System B enciphers the key using the Local BTOA key. When ICSF System A receives the key, ICSF System A deciphers the key using the Importer BTOA key. By these procedures, two pairs of complementary transport keys are established at each location so that the two systems can exchange keys.
Note: During these procedures, the special secure mode should be enabled while KGUP generates or receives clear key values.
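As an added illustration (not from the ICSF guide), the following Python models the two complementary transport key pairs described above and the direction in which each may be used: exporter/local keys only encipher keys going out, importer/remote keys only decipher keys coming in, and the clear value reaches the partner system out of band. The KeyStore class, its labels and the HMAC-based toy encipherment are assumptions for the model, not ICSF's DES/TDES key encipherment or its CKDS format.

```python
import hashlib, hmac, os
# Toy encipherment for illustration only (XOR with an HMAC-SHA256 keystream);
# real ICSF/PCF transport keys encipher keys with DES/TDES, not with this.
def _encipher(key: bytes, data: bytes) -> bytes:
    ks = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))  # XOR is its own inverse

class KeyStore:
    """One system's key data set (the CKDS at ICSF System A, the PCF store at B)."""
    SEND_TYPES = {"EXPORTER", "LOCAL"}      # may encipher keys going out
    RECEIVE_TYPES = {"IMPORTER", "REMOTE"}  # may decipher keys coming in
    def __init__(self, name: str):
        self.name, self.keys = name, {}
    def add(self, label: str, ktype: str, clear_value: bytes) -> None:
        self.keys[label] = (ktype, clear_value)
    def _use(self, label: str, allowed: set, data: bytes) -> bytes:
        ktype, tk = self.keys[label]
        if ktype not in allowed:  # key-type separation: wrong direction is refused
            raise PermissionError(f"{self.name}: {label} is a {ktype} key")
        return _encipher(tk, data)
    def send_key(self, label: str, working_key: bytes) -> bytes:
        return self._use(label, self.SEND_TYPES, working_key)
    def receive_key(self, label: str, enciphered: bytes) -> bytes:
        return self._use(label, self.RECEIVE_TYPES, enciphered)

def establish_transport_keys() -> tuple:
    """The two complementary pairs from the scenario: ATOB (A to B) and BTOA (B to A)."""
    a, b = KeyStore("ICSF System A"), KeyStore("PCF System B")
    atob = os.urandom(16)            # constructed; stands in for the value KGUP generates at A
    a.add("ATOB", "EXPORTER", atob)  # placed in A's CKDS
    b.add("ATOB", "REMOTE", atob)    # same clear value, delivered by courier, installed at B
    btoa = os.urandom(16)
    a.add("BTOA", "IMPORTER", btoa)
    b.add("BTOA", "LOCAL", btoa)
    return a, b

def exchange_both_directions() -> dict:
    """Send a working key each way, then confirm the wrong key type is rejected."""
    a, b = establish_transport_keys()
    wk_ab, wk_ba = os.urandom(16), os.urandom(16)
    result = {"a_to_b_ok": b.receive_key("ATOB", a.send_key("ATOB", wk_ab)) == wk_ab,
              "b_to_a_ok": a.receive_key("BTOA", b.send_key("BTOA", wk_ba)) == wk_ba}
    try:  # A must not encipher an outbound key under its Importer BTOA key
        a.send_key("BTOA", wk_ab)
        result["wrong_type_rejected"] = False
    except PermissionError:
        result["wrong_type_rejected"] = True
    return result
```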
Copyright IBM Corporation 1990, 2014