z/OS Communications Server: SNA Network Implementation Guide


Cross-domain cryptographic sessions in which both hosts use PCF/CUSP

SC27-3672-01

To allow cross-domain cryptographic sessions to be established, file SLU keys for each domain as described in Single-domain cryptographic sessions that use PCF/CUSP. Start the PCF/CUSP-compatible cryptographic product before you activate any external CDRM for which CROSS statements have been filed in the cryptographic key data set (CKDS). Use the PCF/CUSP-compatible cryptographic product to file cross-domain keys on the CKDS at each host processor as follows:
  • For each pair of host processors (HOST1 and HOST2) that are to have cross-domain cryptographic sessions between their domains, code the following at HOST1, where name is the name of the HOST2 CDRM:
    CROSS name

    This CROSS statement generates two cross-domain keys, one defined as local and the other defined as remote.¹ It stores the local cross-domain key in the CKDS enciphered under the first variant of the HOST1 host master key, and stores the remote cross-domain key in the CKDS enciphered under the second variant of the HOST1 host master key. Both keys are associated with the name of the HOST2 CDRM. This CROSS statement also returns clear copies of the two keys.

  • The cross-domain keys generated at HOST1 must be used at HOST2 and supplied as input to PCF/CUSP in a CROSS statement.
    When HOST2 has PCF:
    CROSS name,KEYLOC=x,KEYREM=y,ADD
    When HOST2 has CUSP:
    CROSS name,KEYLOC=x,IKEYLOC=xx,KEYREM=y,IKEYREM=yy,ADD
    where:
    • name is the name of the HOST1 CDRM
    • x is the clear remote cross-domain key from HOST1
    • xx is the second half of the double-key value of the HOST1 remote key
    • y is the clear local cross-domain key from HOST1
    • yy is the second half of the double-key value of the HOST1 local key
    This CROSS statement does the following:
    • Adds the two cross-domain keys to the HOST2 CKDS
    • Associates the two keys with the name of the HOST1 CDRM
    • Reverses the local/remote relationship of the two keys (the HOST1 remote key becomes the HOST2 local key, and the HOST1 local key becomes the HOST2 remote key)
    • Enciphers key x and its intermediate key xx under the first variant of the HOST2 host master key, and key y and its intermediate key yy under the second variant of the HOST2 host master key
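The two-step exchange above is easy to get backwards when the clear keys are typed into the second CROSS statement. The following Python model, added here as an illustration and not IBM's code, walks through the procedure for one pair of hosts and then checks the invariant an operator would want to verify: each host's local cross-domain key must equal the other host's remote key. The CKDS layout, the 16-byte master key, the 8-byte key halves and the XOR-stream "enciphering under a master-key variant" are all stand-ins chosen for the model; the model also refuses to file a key whose size does not match the receiving product's single- or double-key form, which is a modelling choice rather than a documented product rule.

```python
"""Model of cross-domain key filing with PCF/CUSP CROSS statements.

Constructed illustration: the CKDS, master-key variants and the
enciphering below are stand-ins for the model, not IBM's formats."""
import hashlib
import secrets

HALF_LEN = 8  # bytes per key half in the model (assumption)


def variant_keystream(master_key: bytes, variant: int, length: int) -> bytes:
    """Stand-in for 'variant n of the host master key': a keystream derived
    from the master key and the variant number (model only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(master_key + bytes([variant, counter])).digest()
        counter += 1
    return out[:length]


def encipher_under_variant(master_key: bytes, variant: int, clear: bytes) -> bytes:
    """XOR-stream stand-in for enciphering a key under a master-key variant.
    Applying it twice with the same variant recovers the clear key."""
    ks = variant_keystream(master_key, variant, len(clear))
    return bytes(a ^ b for a, b in zip(clear, ks))


class Host:
    """One host processor: its CDRM name, cryptographic product and CKDS."""

    def __init__(self, cdrm_name: str, product: str):
        if product not in ("PCF", "CUSP"):
            raise ValueError("product must be PCF or CUSP")
        self.cdrm_name = cdrm_name
        self.product = product
        self.master_key = secrets.token_bytes(16)  # constructed, never filed
        self.ckds = {}  # peer CDRM name -> {"local": enciphered, "remote": enciphered}

    @property
    def key_len(self) -> int:
        # CUSP keys are double keys (two halves); PCF keys are single keys (model)
        return HALF_LEN * (2 if self.product == "CUSP" else 1)

    def _file(self, peer_name: str, local: bytes, remote: bytes) -> None:
        """File a local key under variant 1 and a remote key under variant 2,
        both associated with the peer CDRM name."""
        self.ckds[peer_name] = {
            "local": encipher_under_variant(self.master_key, 1, local),
            "remote": encipher_under_variant(self.master_key, 2, remote),
        }

    def cross_generate(self, peer_name: str):
        """CROSS name at the generating host: create a local and a remote
        cross-domain key, file them, and return clear copies of both."""
        local = secrets.token_bytes(self.key_len)
        remote = secrets.token_bytes(self.key_len)
        self._file(peer_name, local, remote)
        return local, remote

    def cross_add(self, peer_name, keyloc, keyrem, ikeyloc=b"", ikeyrem=b""):
        """CROSS name,KEYLOC=x,[IKEYLOC=xx,]KEYREM=y,[IKEYREM=yy,]ADD at the
        receiving host. KEYLOC carries the peer's clear *remote* key and KEYREM
        the peer's clear *local* key, so filing x as this host's local key and
        y as its remote key reverses the relationship."""
        local, remote = keyloc + ikeyloc, keyrem + ikeyrem
        for operand, key in (("KEYLOC", local), ("KEYREM", remote)):
            if len(key) != self.key_len:  # model-level size check
                raise ValueError(f"{operand}: {self.product} expects "
                                 f"{self.key_len} bytes, got {len(key)}")
        self._file(peer_name, local, remote)

    def clear_keys(self, peer_name: str):
        """Recover (local, remote) clear keys filed for a peer CDRM."""
        entry = self.ckds[peer_name]
        return (encipher_under_variant(self.master_key, 1, entry["local"]),
                encipher_under_variant(self.master_key, 2, entry["remote"]))


def split_halves(key: bytes):
    """Split a clear key into (first half, remainder) for the CROSS operands;
    a single key yields an empty second half."""
    return key[:HALF_LEN], key[HALF_LEN:]


def file_cross_domain_pair(host1: Host, host2: Host) -> None:
    """Run the two-step procedure for one pair of hosts."""
    local1, remote1 = host1.cross_generate(host2.cdrm_name)
    x, xx = split_halves(remote1)  # HOST1 remote key -> KEYLOC / IKEYLOC
    y, yy = split_halves(local1)   # HOST1 local key  -> KEYREM / IKEYREM
    host2.cross_add(host1.cdrm_name, keyloc=x, keyrem=y, ikeyloc=xx, ikeyrem=yy)


def keys_agree(host1: Host, host2: Host) -> bool:
    """Operator check: each host's local key is the other host's remote key."""
    l1, r1 = host1.clear_keys(host2.cdrm_name)
    l2, r2 = host2.clear_keys(host1.cdrm_name)
    return l1 == r2 and r1 == l2


if __name__ == "__main__":
    h1, h2 = Host("HOST1", "CUSP"), Host("HOST2", "CUSP")
    file_cross_domain_pair(h1, h2)
    print("cross-domain keys agree:", keys_agree(h1, h2))
```

Swapping the KEYLOC and KEYREM operands at HOST2 files both keys without error but leaves `keys_agree` false, which is the failure mode this check is meant to catch before the external CDRM is activated.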

Figure 1 illustrates the possible coding for cross-domain cryptographic sessions where both hosts use PCF/CUSP. APPL2A can initiate a cryptographic session with LU1A. APPL2A can be the primary LU (PLU) in the cryptographic session with APPL1A. However, APPL2A cannot be the secondary LU in a cryptographic session with APPL1A because there is no REMOTE statement for APPL2A in VTAM2.

Figure 1. Cryptography in multiple-domain environment (Both hosts use PCF/CUSP)

For the configuration in Figure 1 to have any encrypted sessions, start cryptography in both hosts before activating a session.

¹ The terms local and remote in reference to the keys used by the CROSS statement do not have the same meaning here as they do in other contexts in this document. For more information about PCF, see the z/OS Cryptographic Services ICSF Application Programmer's Guide. For more information about CUSP, see the z/OS Cryptographic Services ICSF Administrator's Guide.





Copyright IBM Corporation 1990, 2014