z/OS Communications Server: SNA Network Implementation Guide


Using import and export CP/SSCP KEK names

SC27-3672-01

By using unique import and export KEKs, VTAM® may support other cryptographic products that implement CCA and provide you with a choice between ICSF and these other cryptographic products. VTAM appends a unique prefix and suffix to the CP/SSCP name that is used to reference import and export KEKs.

To change the export and import KEKs in the CKDS of a host, you must also change these keys in the other host. Instead of bringing down sessions to change the master keys, you can force VTAM to temporarily use an alternate name that matches the new LU master key name. The user should update the LU master key in the CKDS at the CP/SSCP as soon as possible after being notified that the keys are changed.

Note: For migration purposes, VTAM tries the CP/SSCP name again without the suffix if a request fails because the KEK could not be found for the CP/SSCP name with the suffix. This alleviates having to change the CKDS.

Follow these steps when using alternate KEK names for CPs and SSCPs:

  1. File an alternate set of export and import keys in each CKDS, in addition to the original export and import key-encrypting key names. You must file keys in the CKDS of each host on each end of a cross-domain session or each end of an APPN session (for example, HOST1, HOST2):
    HOST1
    • IMPORTER.CP2
    • EXPORTER.CP2
    • IMPORTER.CP2.ALT
    • EXPORTER.CP2.ALT
    HOST2
    • IMPORTER.CP1
    • EXPORTER.CP1
    • IMPORTER.CP1.ALT
    • EXPORTER.CP1.ALT
  2. Delete the original export keys in each host:
    HOST1
    • EXPORTER.CP2
    HOST2
    • EXPORTER.CP1
  3. Issue the MODIFY SECURITY command to specify that VTAM use the .ALT KEKs.
  4. Define new import and export values for the KEK fields in the CKDS of each host. VTAM starts all new sessions using the new values. Keep the alternate names in the CKDS until you are sure that all pending sessions using the alternate names have completed.
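The following is an added model of the four steps above and of the migration fallback in the Note; it is constructed for this page and is not VTAM or ICSF code. Each host's CKDS is a dictionary of key label to key material, the `use_alt` flag stands in for the effect of the MODIFY SECURITY command, and the key material values ("K1", "KALT", "K2") are constructed. Running it shows which labels a new HOST1 to HOST2 session resolves to after each step, why a new session cannot be keyed between step 2 and step 3, and why the .ALT labels must stay filed after step 4.

```python
"""Constructed model of the alternate CP/SSCP KEK-name procedure.

Added example, not VTAM or ICSF code: each host's CKDS is a dict of
label -> key material, and `use_alt` models the effect of MODIFY SECURITY
selecting the .ALT KEKs. Key material values and host/CP names are constructed.
"""
from dataclasses import dataclass, field

IMPORT_PREFIX = "IMPORTER."
EXPORT_PREFIX = "EXPORTER."
ALT_SUFFIX = ".ALT"


class KEKNotFound(LookupError):
    """Neither the suffixed nor the base label is filed in the CKDS."""


@dataclass
class HostCKDS:
    name: str
    keys: dict = field(default_factory=dict)
    use_alt: bool = False  # modelled effect of MODIFY SECURITY selecting .ALT KEKs

    def file_key(self, label: str, material: str) -> None:
        self.keys[label] = material

    def delete_key(self, label: str) -> None:
        self.keys.pop(label, None)

    def find_kek(self, direction: str, partner_cp: str) -> tuple:
        """Resolve the KEK label that would be used for `partner_cp`.

        Builds PREFIX + CP name (+ .ALT when alternate names are active) and,
        as the migration Note describes, retries without the suffix when the
        suffixed label is not filed.
        """
        prefix = EXPORT_PREFIX if direction == "export" else IMPORT_PREFIX
        base = prefix + partner_cp
        candidates = [base + ALT_SUFFIX, base] if self.use_alt else [base]
        for label in candidates:
            if label in self.keys:
                return label, self.keys[label]
        raise KEKNotFound(f"{self.name}: none of {candidates} in CKDS")


def session_keks(src: HostCKDS, src_partner: str, dst: HostCKDS, dst_partner: str) -> tuple:
    """Labels a new src->dst session resolves to, and whether both sides hold the same key."""
    elabel, ekey = src.find_kek("export", src_partner)
    ilabel, ikey = dst.find_kek("import", dst_partner)
    return elabel, ilabel, ekey == ikey


def run_rollover() -> dict:
    """Walk steps 1-4 for HOST1/HOST2, recording what a new session resolves to after each."""
    host1 = HostCKDS("HOST1", {"IMPORTER.CP2": "K1", "EXPORTER.CP2": "K1"})
    host2 = HostCKDS("HOST2", {"IMPORTER.CP1": "K1", "EXPORTER.CP1": "K1"})
    trace = {"start": session_keks(host1, "CP2", host2, "CP1")}

    # Step 1: file the .ALT import and export KEKs alongside the originals.
    for host, cp in ((host1, "CP2"), (host2, "CP1")):
        host.file_key(f"IMPORTER.{cp}.ALT", "KALT")
        host.file_key(f"EXPORTER.{cp}.ALT", "KALT")
    trace["step1"] = session_keks(host1, "CP2", host2, "CP1")  # still the base names

    # Step 2: delete the export keys; until step 3 a new session cannot be keyed.
    host1.delete_key("EXPORTER.CP2")
    host2.delete_key("EXPORTER.CP1")
    try:
        session_keks(host1, "CP2", host2, "CP1")
        trace["step2"] = "resolved"
    except KEKNotFound:
        trace["step2"] = "export KEK missing"

    # Step 3: MODIFY SECURITY (modelled) switches both hosts to the .ALT labels.
    host1.use_alt = host2.use_alt = True
    pending = session_keks(host1, "CP2", host2, "CP1")
    trace["step3"] = pending

    # Step 4: define the new KEK values under the original labels and return to them.
    for host, cp in ((host1, "CP2"), (host2, "CP1")):
        host.file_key(f"IMPORTER.{cp}", "K2")
        host.file_key(f"EXPORTER.{cp}", "K2")
    host1.use_alt = host2.use_alt = False
    trace["step4"] = session_keks(host1, "CP2", host2, "CP1")
    # The .ALT labels stay filed, so the session keyed in step 3 can still find its KEKs.
    trace["alt_kept"] = pending[0] in host1.keys and pending[1] in host2.keys
    return trace


def migration_fallback() -> tuple:
    """Host told to use .ALT names with only the original label filed: the base label is found."""
    host = HostCKDS("HOST1", {"EXPORTER.CP2": "K1"}, use_alt=True)
    return host.find_kek("export", "CP2")


if __name__ == "__main__":
    for step, result in run_rollover().items():
        print(f"{step:>8}: {result}")
    print("fallback:", migration_fallback())
```

The model makes two points visible that the steps state only implicitly: deleting the export keys in step 2 leaves new sessions unkeyable until step 3 is issued, so the two steps should be done together, and the step-4 switch back to the original labels is safe only because the .ALT labels remain filed for sessions that were keyed under them.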

Copyright IBM Corporation 1990, 2014