Sure, I've been being unnecessarily cagey -- trying to keep the scenario simple, and overdoing it! Sorry 'bout that.
I think it really is an access control issue: we have symmetric encryption keys that are managed by a process, but in the non-mainframe world, you ask the key server whether you're allowed to use one or not (keys have names). So the idea is that if you put the key *names* under ESM control, then our process asks RACF/ACF2/TSS, "Mother may I use this key?" rather than making the network hop.

I've been told repeatedly, "RACF does not manage symmetric keys". But if it can manage an arbitrarily named object -- not the object *itself*, but access using the name -- then at least in theory, key names could be stored as resources in RACF, and thus access controlled by RACF.

Does that make more sense?

On Thu, Mar 26, 2009 at 12:06 PM, Rick Fochtman <[email protected]> wrote:
> ---------------------------<snip>------------------------------------------
> There seems to be a misconception here. RACF is a security mechanism, NOT a
> generalized data-storage mechanism.
>
> No, definition of arbitrary objects in RACF is NOT an option. Storage in HFS
> is fine, or some other small dataset if you like. Whoever told you "They
> should be in RACF" has a faulty understanding of RACF function and usage. If
> you could go into more detail about the application and its usage, perhaps
> we can arrive at an acceptable solution for your issue.
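As an added illustration of the "key names as RACF resources" idea discussed above (this is example code, not from the thread or any of its posters): the key material itself stays in the key-management process, and only the key *name* is registered as a general-resource profile, so RACF decides who may use it. The FACILITY class, the KEYSVC. naming prefix, and the user IDs KEYADMIN and PAYAPP are assumptions chosen for the example; a site might use its own class.

```rexx
/* REXX - added example, not from the thread                           */
/* Register a symmetric key NAME (not the key) as a RACF resource and  */
/* grant READ to the application that is allowed to use the key.       */
/* FACILITY class, KEYSVC. prefix, KEYADMIN and PAYAPP are constructed. */
address TSO

/* Default access NONE: nobody can use the key unless explicitly permitted. */
/* AUDIT(ALL(READ)) logs both successful and failed access attempts.        */
"RDEFINE FACILITY KEYSVC.PAYROLL.AES256 UACC(NONE) OWNER(KEYADMIN)",
        "AUDIT(ALL(READ))"

/* Only the payroll application may use this key name. */
"PERMIT KEYSVC.PAYROLL.AES256 CLASS(FACILITY) ID(PAYAPP) ACCESS(READ)"

/* Activate the change in the in-storage profile copy. */
"SETROPTS RACLIST(FACILITY) REFRESH"

if rc <> 0 then say "SETROPTS REFRESH failed, rc=" rc
else say "Key name KEYSVC.PAYROLL.AES256 now under RACF access control"
```

At use time the key-management process issues a RACROUTE REQUEST=AUTH against the same class and entity name (CLASS=FACILITY, ENTITY=KEYSVC.PAYROLL.AES256, ATTR=READ) before releasing the key; a non-zero return code means the caller is not permitted, and the AUDIT setting on the profile means that refusal shows up in SMF for the auditors. Nothing about the key value is ever stored in RACF, which is the distinction the thread is circling around.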

