> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
> Behalf Of Alan Altmark
> /snip/
> > So, why did IBM update ICSF to support clear keys in the CKDS and
> > its address space? Because IBM is marketing its own CPACF solution
> > that requires clear keys. As long as the clear keys are kept in
> > protected storage, it's not a big issue with most sites.
>
> Jeffrey, I'm not sure of your point. I was saying that before John McKown
> started including KM and KMC instructions in his program he should
> consider the effects of having the keys in cleartext in the application
> address space. If that's ok, with all that implies, fine. If that's not
> ok, then he should get ICSF functioning again and call the CPACF-based
> encryption routines. TDES and AES are available.
>
> The ICSF book has a section on how to use CPACF with ICSF.
>
> He can, of course, look at alternative solutions to ICSF if he's not
> interested in ICSF.
> /snip/
When ICSF uses CPACF instructions, it is using clear keys in "application storage". In order for ICSF to use CPACF instructions, the keys must be clear. The keys are not stored encrypted in the CKDS or within the ICSF address space; the keys are always clear.

The client program must choose: (1) use the operational key token (which exposes the clear key in the client space), or (2) use the CKDS label for the clear key (which adds overhead for locating the clear key in the ICSF application storage). There's no advantage to using ICSF with CPACF over using a home-grown solution.

So, why bother using ICSF to store clear keys in its VSAM data set? When CPACF is in use, ICSF has no substantive advantage over any other key management repository *and* ICSF is *not* a key management *system*. ICSF is simply a persistent key repository interface for its CKDS. It's not difficult to roll your own key repository, with whatever security and encryption you want, now that CPACF is available.

btw: I would not recommend hard-coding KM, KMC, etc. throughout an application. I suggest using an API front-end that is easy to use.

A key management *system* is much more complex than what ICSF offers.

Jeffrey D. Smith
Principal Product Architect
Farsight Systems Corporation
700 KEN PRATT BLVD. #204-159
LONGMONT, CO 80501-6452
303-774-9381 direct
303-484-6170 FAX
http://www.farsight-systems.com/
comments are invited on my encryption project

