I'm going nuts. I just spent about 2 hours going through ibm.com searching for "ICSF key generation", "ICSF Keys", etc., and am getting nowhere. The z/OS Encryption Facility books aren't very helpful. I have an application called VDR from Opentech; it allows the use of labels for KEKs (key encryption keys) that are generated by ICSF (KGUP). Using KGUP I generated an exporter key. I thought this was all I had to do, but now I'm very confused as to what I really need and how to go about getting it done.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Hal Merritt
Sent: Wednesday, April 19, 2006 2:08 PM
To: [email protected]
Subject: Re: ICSF Herea key, therea key, everywhere a key key, eieio*

Don't forget to mention Master Keys.

Products that use ICSF may also use the key clusters as key repositories for the various types of keys. Those clusters are encrypted using the Master key. So, part of a recovery plan would have to include setting the Master keys on each LPAR of the target processor. Which assumes that your DR processor has compatible crypto features installed and active.

And, of course, the Master Key should not be transported in the open. Some auditors insist that the Master key (even encrypted) be in parts, one part per security officer (not the sysprog), and entered from a secure point (such as a Trusted Key Entry device).

It follows that you will need transporter(?) keys for the Master Key, and, depending on your set up, key entry keys for your security officers.

Then, after your DR is complete, the crypto facility on the processor has to be cleared.

Head hurting? Yea, mine too ;-)

*Play on a US nursery rhyme.

--SNIP--

