z/OS Communications Server: SNA Network Implementation Guide


Cross-domain cryptographic sessions in which both hosts use ICSF/MVS

SC27-3672-01

To allow cross-domain cryptographic sessions to be established, file SLU keys for each domain as described in Single-domain cryptographic sessions that use ICSF/MVS. Then use ICSF/MVS to file cross-domain keys on the cryptographic key data set (CKDS) at each host processor as described in the following paragraphs.

A complementary pair of exporter and importer keys must be generated for the two host processors (HOST1 and HOST2). To allow for cross-domain cryptographic sessions between hosts using the ICSF/MVS cryptographic service, perform the following steps:
  • At HOST1, code the following key generation utility program (KGUP) statements:
    ADD LABEL(name) TYPE(EXPORTER) CLEAR
    ADD LABEL(name) TYPE(IMPORTER) CLEAR

    where name is the name of the HOST2 CDRM.

    These KGUP statements generate an exporter key for HOST1 to use to encrypt session keys sent from HOST1 to HOST2 and an importer key for HOST1 to decrypt session keys sent from HOST2 to HOST1. The exporter and importer keys are placed in HOST1 CKDS. The statements also cause the clear key values to be placed in the KGUP key output data set. Assume clear key value X,XX for the exporter key and clear key value Y,YY for the importer key. These values are to be used on HOST2 to build complement key control statements for these keys.

  • At HOST2, code the following KGUP statements using the clear key values from HOST1:
    ADD LABEL(name1) TYPE(IMPORTER) CLEAR KEY(x,xx)
    ADD LABEL(name1) TYPE(EXPORTER) CLEAR KEY(y,yy)
    where:
    name1 is the name of the HOST1 CDRM.
    x is the first half of the double-length clear key value of the HOST2 exporter key generated in HOST1.
    xx is the second half of the double-length clear key value of the HOST2 exporter key generated in HOST1.
    y is the first half of the double-length clear key value of the HOST2 importer key generated in HOST1.
    yy is the second half of the double-length clear key value of the HOST2 importer key generated in HOST1.

    These control statements place these keys in HOST2 CKDS.

Figure 1 illustrates the possible coding for cross-domain cryptographic sessions where both hosts use ICSF/MVS. APPL2A can initiate a cryptographic session with LU1A. APPL1A can initiate a cryptographic session with LU2A. APPL2A can be the PLU in a cryptographic session with APPL1A. However, APPL2A cannot be the SLU in a session with APPL1A because there is no TYPE(IMPORTER) statement coded in VTAM2, and APPL2A requires cryptography when it is the SLU.
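The following is an added example, not IBM's code or anything from the ICSF product. It models the two-step procedure above (HOST1 generates the exporter/importer pair, HOST2 files the complementary pair with the same clear values) and the session rule that Figure 1 illustrates: the PLU's host needs an EXPORTER labelled with the SLU host's CDRM, the SLU's host needs the matching IMPORTER labelled with the PLU host's CDRM. The KGUP ADD syntax follows the page; the regex parser, the Host/CKDS model, the CDRM names CDRM1 and CDRM2, and the random clear values from secrets.token_hex (standing in for KGUP's own key generation) are all constructed for the example.

```python
import re
import secrets

# KGUP ADD statement as used on this page; KEY() carries the two 16-hex-digit
# halves of a double-length clear key. The regex is the example's own parser,
# not ICSF's statement grammar.
STMT_RE = re.compile(
    r"ADD\s+LABEL\((?P<label>[^)]+)\)\s+TYPE\((?P<type>EXPORTER|IMPORTER)\)\s+CLEAR"
    r"(?:\s+KEY\((?P<k1>[0-9A-Fa-f]{16}),(?P<k2>[0-9A-Fa-f]{16})\))?\s*$")
COMPLEMENT = {"EXPORTER": "IMPORTER", "IMPORTER": "EXPORTER"}


def parse_add(stmt):
    """Return (label, key type, 32-hex-digit clear value or None)."""
    m = STMT_RE.match(stmt.strip())
    if not m:
        raise ValueError("unsupported KGUP statement: " + stmt)
    key = (m["k1"] + m["k2"]).upper() if m["k1"] else None
    return m["label"], m["type"].upper(), key


class Host:
    """Toy stand-in for one host's CKDS plus its KGUP key output data set."""

    def __init__(self, cdrm):
        self.cdrm = cdrm          # this host's own CDRM name (constructed)
        self.ckds = {}            # (label, type) -> clear key value
        self.key_output = {}      # (label, type) -> value KGUP generated here

    def run_kgup(self, stmt):
        label, ktype, key = parse_add(stmt)
        if key is None:           # CLEAR without KEY(): KGUP generates the value
            key = secrets.token_hex(16).upper()
            self.key_output[(label, ktype)] = key
        self.ckds[(label, ktype)] = key


def complement_statements(src, mixed_up=False):
    """Build the statements the partner host must run: every EXPORTER that
    KGUP generated at src becomes an IMPORTER at the partner (and vice versa),
    labelled with src's CDRM name and keyed with the same clear value.
    mixed_up=True reproduces the operator error of pasting the X,XX and Y,YY
    values under the wrong key types."""
    stmts = []
    for (label, ktype), value in src.key_output.items():
        new_type = ktype if mixed_up else COMPLEMENT[ktype]
        stmts.append(f"ADD LABEL({src.cdrm}) TYPE({new_type}) CLEAR "
                     f"KEY({value[:16]},{value[16:]})")
    return stmts


def cross_domain_ok(plu_host, slu_host):
    """A cross-domain cryptographic session can be keyed only if the PLU host
    holds an EXPORTER labelled with the SLU host's CDRM, the SLU host holds an
    IMPORTER labelled with the PLU host's CDRM, and the two are complements."""
    exporter = plu_host.ckds.get((slu_host.cdrm, "EXPORTER"))
    importer = slu_host.ckds.get((plu_host.cdrm, "IMPORTER"))
    return exporter is not None and exporter == importer


def setup(host2_files_importer=True, mixed_up=False):
    """Run the two-step procedure from the page on two constructed hosts."""
    host1, host2 = Host("CDRM1"), Host("CDRM2")
    host1.run_kgup(f"ADD LABEL({host2.cdrm}) TYPE(EXPORTER) CLEAR")   # step 1
    host1.run_kgup(f"ADD LABEL({host2.cdrm}) TYPE(IMPORTER) CLEAR")
    for stmt in complement_statements(host1, mixed_up):              # step 2
        if not host2_files_importer and "TYPE(IMPORTER)" in stmt:
            continue   # Figure 1 case: no TYPE(IMPORTER) statement in VTAM2
        host2.run_kgup(stmt)
    return host1, host2


if __name__ == "__main__":
    h1, h2 = setup()
    print("full procedure:", cross_domain_ok(h1, h2), cross_domain_ok(h2, h1))
    h1, h2 = setup(host2_files_importer=False)
    print("HOST2 as PLU:", cross_domain_ok(h2, h1),
          "HOST2 as SLU:", cross_domain_ok(h1, h2))
    h1, h2 = setup(mixed_up=True)
    print("values under wrong types:", cross_domain_ok(h1, h2), cross_domain_ok(h2, h1))
```

With the full procedure both directions pass; with the IMPORTER omitted at HOST2 the HOST2 side can still be the PLU but not the SLU, which is the APPL2A restriction described for Figure 1; with the clear values filed under the wrong key types neither direction works, even though every label is present in both CKDSs. The model does not reproduce the DES odd-parity adjustment that real KGUP-generated clear values carry; it only tracks which host holds which value under which type.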

Figure 1. Cryptography in multiple-domain environment (Both hosts use ICSF/MVS)

For the configuration in Figure 1 to have any encrypted sessions, start cryptography in both hosts before activating a session.

For more information about ICSF/MVS, see the z/OS Cryptographic Services ICSF Administrator's Guide.

Copyright IBM Corporation 1990, 2014