z/OS Cryptographic Services ICSF Administrator's Guide
Previous topic | Next topic | Contents | Index | Contact z/OS | Library | PDF


Scenario of an ICSF System and a PCF System Establishing Initial Transport Keys

z/OS Cryptographic Services ICSF Administrator's Guide
SA22-7521-17

This scenario describes how an ICSF system and a PCF system establish initial transport keys between themselves. They establish two pairs of complementary importer and exporter keys at each location, as shown in Figure 167.

The systems can use these importer and exporter keys during key exchange.

First the ICSF administrators at the two locations establish the complementary transport keys to send keys from ICSF System A to PCF System B. These keys are the Exporter ATOB key at ICSF System A and the Remote ATOB key at PCF System B.

The ICSF administrator at ICSF System A submits this control statement to ICSF System A's KGUP to create the Exporter ATOB key. 

   ADD  LABEL(ATOB)  TYPE(EXPORTER)  CLEAR  NOCV
Note:
If System B is a PCF system, the ICSF administrator must also specify the keyword SINGLE on this control statement.

KGUP processes this control statement to generate the Exporter ATOB key and places the key in ICSF System A's CKDS. KGUP also creates this control statement and places the statement in the control statement output data set. 

   ADD  LABEL(ATOB)  TYPE(IMPORTER)  CLEAR,
   KEY(B2403EF8125A036F,239AC35A72941EF2)  NOCV

ICSF System A needs to send this control statement to PCF System B so that PCF System B can create the Remote ATOB key. The key value in this control statement is the clear value of the ATOB exporter key. ICSF System A does not send this control statement to PCF System B over the network, because the key value is a clear key value. ICSF System A has a courier deliver the control statement to System B.

The administrator at either system must change the ICSF control statement format into the PCF control statement format. The administrator could also use information from the key output data set to create the PCF control statement.

The control statement submitted at PCF System B would have this syntax: 

   REMOTE ATOB,KEY=B2403EF8125A036F,IKEY=239AC35A72941EF2,ADD

The administrator at PCF System B submits the control statement to the PCF key generation utility program, which processes the control statement to create the ATOB Remote key. The ATOB Exporter key at System A and the ATOB Remote key at PCF System B are complementary keys.

This procedure creates a pair of complementary transport keys for keys sent from ICSF System A to PCF System B. When ICSF System A sends a key to PCF System B, System A enciphers the key using the ATOB exporter key. When PCF System B receives the key, PCF System B deciphers the key using the Remote ATOB key.

Then the ICSF administrators at the two locations establish the complementary transport keys to send keys from PCF System B to ICSF System A. These keys are the Importer BTOA key at ICSF System A and the Local BTOA key at PCF System B.

The ICSF administrator at ICSF System A submits this control statement to ICSF System A's KGUP to generate the Importer BTOA key. 

   ADD  LABEL(BTOA)  TYPE(IMPORTER)  CLEAR  NOCV

KGUP processes this control statement to generate the Importer BTOA key and places the statement in ICSF System A's CKDS. KGUP also creates this control statement and places the statement in the control statement output data set. 

   ADD  LABEL(BTOA)  TYPE(EXPORTER)  CLEAR,
   KEY(6F3463CA3FBC0626,536B1864954A0B1F)  NOCV

System A can send this control statement to System B, which can then use it to create the Local BTOA key. The key value in this control statement is the clear value of the BTOA importer key. ICSF System A does not send this control statement to PCF System B over the network, because the key value is a clear key value. ICSF System A has a courier deliver the control statement to PCF System B.

The administrator at either system must change the ICSF control statement format into the PCF control statement format. The administrator can also use information from the key output data set to create the PCF control statement.

The control statement submitted at PCF System B would have this syntax: 

   LOCAL BTOA,KEY=6F3463CA3FBC0626,IKEY=536B1864954A0B1F,ADD

The administrator at PCF System B submits the control statement to the PCF key generation utility program, which processes the control statement to generate the Local BTOA key. The Importer BTOA key at ICSF System A and the Local BTOA key at PCF System B are complementary keys.

Note:
A single PCF key generation control statement can be used to generate both Remote and Local BTOA keys, also called a CROSS key pair. 
   CROSS BTOA,KEYLOC=6F3463CA3FBC0626,IKEYLOC=536B1864954A0B1F,
              KEYREM=B2403EF8125A036F,IKEYREM=239AC35A72941EF2,ADD

This procedure creates a pair of complementary transport keys for keys sent from PCF System B to ICSF System A. When PCF System B sends a key to ICSF System A, System B enciphers the key, using the Local BTOA key. When ICSF System A receives the key, ICSF System A deciphers the key, using the Importer BTOA key.

By these procedures, two pairs of complementary transport keys are established at each location so that the two systems can exchange keys.

Note:
During these procedures, the special secure mode should be enabled while KGUP generates or receives clear key values.

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014