On Fri, 25 Apr 2008 14:32:00 -0400, Farley, Peter x23353 <[EMAIL PROTECTED]> wrote:
>...
>I also wanted to point out to you that using just the basic CPACF
>instructions (KM, KMAES, KMC, KMCAES, KIMD, KLMD, KMAC) will also
>require you to use CLEAR KEYS in your programs that encrypt or decrypt.
>The basic CPACF instructions do not support encrypted keys.
>...

At this point we are using CLEAR keys. We are apparently going to be changing our ICSF master key(s) sometime in the fairly near future. Our ICSF person wants the key databases to be as empty as possible when that is done. After that is done we will move the keys from our SAF database to the ICSF key database.

I'm still confused about what happens then. Is it just our private key(s) that go into the KSDS? As far as I know the symmetric encryption key that is generated and exchanged during the SSL handshake still has to be in storage because the symmetric encryption/decryption still has to use CPACF (or software). At this point it is invoked by ICSF rather than System SSL, but it's outside of the CEX2. Or do I have that wrong?

>IBM's ICSF product (which *requires* a crypto co-processor) ...

I don't think so. Access to the crypto coprocessors requires ICSF, but ICSF switches to software encryption if it can't find the crypto coprocessor. That, at least, is what happens if something happens to the coprocessor once ICSF is up. Maybe it requires the coprocessor during ICSF initialization.

Pat O'Keefe

