z/OS Cryptographic Services ICSF Administrator's Guide


Scenario of an ICSF System and 4758 PCI Cryptographic Coprocessor Establishing Initial Transport Keys

SA22-7521-17

This scenario describes how an ICSF system and a 4758 PCI Cryptographic Coprocessor establish initial transport keys between themselves. They establish two pairs of complementary importer and exporter keys at each location, as shown in Figure 168.

The systems can use these importer and exporter keys during key exchange. First, the ICSF System A administrator and the TSS System B administrator establish the complementary transport keys to send keys from ICSF System A to TSS System B. These keys are the Exporter ATOB key at System A and the Importer ATOB key at System B.

The ICSF administrator at System A submits this control statement to System A's KGUP to create the Exporter ATOB key.

   ADD  LABEL(ATOB)  TYPE(EXPORTER)  CLEAR

KGUP processes this control statement to generate the Exporter ATOB key and places the key in System A's CKDS. KGUP creates a record containing the clear key created for the system, and that record is written to the CSFKEYS data set. ICSF System A then sends this clear key to TSS System B. Because the key value is in the clear, System A has a courier deliver the key, rather than sending it over the network.

The TSS administrator at System B uses the Secure_Key_Import verb to import the ATOB importer key, because the key value is in the clear. The administrator can then use the Key_Record_Create and the Key_Record_Write verbs to place the key in TSS key storage. The ATOB exporter key at ICSF system A and the ATOB importer key at TSS System B are complementary keys.

This procedure creates a pair of complementary transport keys for keys sent from ICSF System A to TSS System B. When ICSF System A sends a key to TSS System B, it enciphers the key using the ATOB exporter key. When TSS System B receives the key, it deciphers the key using the ATOB importer key.

Next, the administrators at the two facilities establish the complementary transport keys to send keys from TSS System B to ICSF System A. These keys are the Importer BTOA key at ICSF System A and the Exporter BTOA key at TSS System B. The ICSF administrator at System A submits this control statement to System A's KGUP to generate the Importer BTOA key.

   ADD  LABEL(BTOA)  TYPE(IMPORTER)  TRANSKEY(ATOB)

KGUP processes this control statement to generate the Importer BTOA key and places the key in System A's CKDS. The ICSF System A administrator can send this key to the TSS System B over the network, because the key value is enciphered.

The TSS administrator at System B uses Key_Import, Key_Record_Create, and the Key_Record_Write verbs to import the key and place it in TSS key storage. The Importer BTOA key at System A and the Exporter BTOA key at System B are complementary keys.

This procedure creates a pair of complementary transport keys for keys sent from TSS System B to ICSF System A. When TSS System B sends a key to ICSF System A, TSS System B enciphers the key using the Exporter BTOA key. When ICSF System A receives the key, it deciphers the key using the Importer BTOA key.

Using these procedures, two pairs of complementary transport keys are established, one key of each pair at each location, so that the two systems can exchange keys in either direction.
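The two-step exchange described above, written out as an added example that is not IBM's code and does not use the ICSF or CCA API: each system gets a small key store that enforces the exporter/importer direction rule (an EXPORTER only enciphers outbound keys, an IMPORTER only deciphers inbound ones), and keys are enciphered with an HMAC-based stand-in for the coprocessor's DES encipherment. The KeyStore, wrap/unwrap and send_key_b_to_a names, the 16-byte key length and the DATA key type are assumptions of the model.

```python
import hashlib, hmac, os
from collections import namedtuple
KeyEntry = namedtuple("KeyEntry", "label ktype value")  # ktype: EXPORTER, IMPORTER or DATA; value is clear only because this is a model
def _keystream(kek: bytes, n: int) -> bytes:
    # Counter-mode PRF keystream: a stand-in for the coprocessor's DES key encipherment
    blocks = (hmac.new(kek, i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(0, n, 32))
    return b"".join(blocks)[:n]
def wrap(kek: bytes, key: bytes) -> bytes:  # encipher a key under a transport key and add an 8-byte tag
    body = bytes(x ^ y for x, y in zip(key, _keystream(kek, len(key))))
    return body + hmac.new(kek, body, hashlib.sha256).digest()[:8]
def unwrap(kek: bytes, token: bytes) -> bytes:
    body, tag = token[:-8], token[-8:]
    if not hmac.compare_digest(tag, hmac.new(kek, body, hashlib.sha256).digest()[:8]):
        raise ValueError("enciphered key token failed its integrity check")
    return bytes(x ^ y for x, y in zip(body, _keystream(kek, len(body))))

class KeyStore:  # models System A's CKDS or System B's TSS key storage
    def __init__(self, name: str):
        self.name, self.keys = name, {}
    def add_clear(self, label: str, ktype: str, value: bytes = None) -> KeyEntry:
        # KGUP 'ADD ... CLEAR' at A, or Secure_Key_Import at B (both need clear-key handling enabled)
        self.keys[label] = KeyEntry(label, ktype, value or os.urandom(16))
        return self.keys[label]
    def export(self, transkey: str, label: str) -> bytes:  # only an EXPORTER enciphers outbound keys
        kek = self.keys[transkey]
        if kek.ktype != "EXPORTER":
            raise PermissionError(f"{self.name}: {transkey} is an {kek.ktype}, cannot export")
        return wrap(kek.value, self.keys[label].value)
    def import_token(self, transkey: str, label: str, ktype: str, token: bytes) -> KeyEntry:
        kek = self.keys[transkey]  # only an IMPORTER deciphers inbound keys
        if kek.ktype != "IMPORTER":
            raise PermissionError(f"{self.name}: {transkey} is an {kek.ktype}, cannot import")
        self.keys[label] = KeyEntry(label, ktype, unwrap(kek.value, token))
        return self.keys[label]

def establish_transport_keys():
    a, b = KeyStore("ICSF System A"), KeyStore("TSS System B")
    # ADD LABEL(ATOB) TYPE(EXPORTER) CLEAR: the clear value leaves A by courier, never over the network
    atob = a.add_clear("ATOB", "EXPORTER")
    b.add_clear("ATOB", "IMPORTER", atob.value)  # Secure_Key_Import at B: same value, complementary type
    # ADD LABEL(BTOA) TYPE(IMPORTER) TRANSKEY(ATOB): enciphered under ATOB, so it may cross the network
    a.add_clear("BTOA", "IMPORTER")
    b.import_token("ATOB", "BTOA", "EXPORTER", a.export("ATOB", "BTOA"))  # Key_Import at B
    return a, b

def send_key_b_to_a(a: KeyStore, b: KeyStore, label: str = "OPKEY") -> bool:
    original = b.add_clear(label, "DATA")  # B enciphers under its BTOA exporter, A deciphers with BTOA importer
    a.import_token("BTOA", label, "DATA", b.export("BTOA", label))
    return a.keys[label].value == original.value
```

Attempting to export under an IMPORTER, or import under an EXPORTER, raises PermissionError, which is the direction rule the complementary key types enforce.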

Notes:
  1. During these procedures, the special secure mode must be enabled on ICSF while KGUP is generating or receiving clear key values, and the Secure_Key_Import verb must be enabled on TSS to receive clear keys.
  2. Because both ADD control statements are processed at System A, the ICSF administrator at System A can submit them in the same KGUP job.

Copyright IBM Corporation 1990, 2014