> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
> Behalf Of Patrick O'Keefe
> Sent: Friday, April 25, 2008 4:12 PM
> To: [email protected]
> Subject: Re: CPACF performance info?
<Snipped>
> At this point we are using CLEAR keys. We are apparently going
> to be changing our ICSF master key(s) sometime in the fairly near
> future. Our ICSF person wants the key databases to be as empty
> as possible when that is done. After that is done we will move the
> keys from our SAF database to the ICSF key database.

That makes a lot of sense, changing the master key is a complex process from what little I have read about it.

> I'm still confused about what happens then. Is it just our private
> key(s) that go into the KSDS? As far as I know the symmetric
> encryption key that is generated and exchanged during the SSL
> handshake still has to be in storage because the symmetric
> encryption/decryption still has to use CPACF (or software). At
> this point it is invoked by ICSF rather than System SSL, but it's
> outside of the CEX2. Or do I have that wrong?

There you've got me. When I investigated ICSF for a project I discovered that my local hardware does not have any crypto co-processor installed, and *none* of the ICSF calls that I was trying to use would work at all. I was told that they all required the co-processor, hence my statement to you. Obviously I am not an expert, so I could be way off-base about that.

> >IBM's ICSF product (which *requires* a crypto co-processor) ...
>
> I don't think so. Access to the crypto coprocessors requires ICSF,
> but ICSF switches to software encryption if it can't find the crypto
> coprocessor. That, at least, is what happens if something
> happens to the coprocessor once ICSF is up. Maybe it requires
> the coprocessor during ICSF initialization.

All I can say is that no ICSF calls worked in my situation. The CPACF instructions worked just fine though.

HTH

Peter

