> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of P S
>
> Sure, I've been being unnecessarily cagey -- trying to keep the
> scenario simple, and overdoing it! Sorry 'bout that.
>
> I think it really is an access control issue: we have symmetric
> encryption keys that are managed by a process, but in the
> non-mainframe world, you ask the key server whether you're allowed to
> use one or not (keys have names). So the idea is that if you put the
> key *names* under ESM control, then our process asks RACF/ACF2/TSS,
> "Mother may I use this key?" rather than making the network hop.
>
> I've been told repeatedly, "RACF does not manage symmetric keys". But
> if it can manage an arbitrarily named object -- not the object
> *itself*, but access using the name -- then at least in theory, key
> names could be stored as resources in RACF, and thus access controlled
> by RACF.
>
> Does that make more sense?
Yes. This is conceptually identical to one means of implementing "screen field security" in CICS. But where CICS provides the QUERY SECURITY command in the high-level programming languages it supports, a non-CICS application would need a little Assembler code to issue the RACROUTE REQUEST=AUTH call. About all you'd need to do, if your application runs non-authorized, is avoid coding any of the keywords that require authorization on the RACROUTE REQUEST=AUTH.

Here's the reference: http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ICHZC680/3.7

-jc-
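A skeleton of the RACROUTE REQUEST=AUTH check described above, as an added example that is not from the original post or from IBM. It assumes the key names are defined as profiles in the FACILITY class (the class choice is an assumption; the key name and program name are constructed), and it codes only keywords that an unauthorized caller may use.

```hlasm
KEYAUTH  CSECT
KEYAUTH  AMODE 31
         YREGS                       register equates R0-R15
         STM   R14,R12,12(R13)       standard entry linkage
         LR    R12,R15
         USING KEYAUTH,R12
         LA    R15,SAVEAREA
         ST    R13,4(,R15)
         ST    R15,8(,R13)
         LR    R13,R15
* Ask the ESM whether the current user may READ the named key.
* Only keywords usable from problem state are coded (for example,
* no LOG=NONE), so no APF/key 0/supervisor state is needed.
         RACROUTE REQUEST=AUTH,                                        X
               ENTITYX=KEYENT,                                         X
               ATTR=READ,                                              X
               WORKA=RACWORK,                                          X
               RELEASE=2.6,                                            X
               MF=(E,AUTHPL)
         ST    R15,SAFRC             SAF return code: 0, 4 or 8
         LA    R2,AUTHPL
         USING SAFP,R2
         MVC   RACFRC,SAFPRRET       RACF return code (0/4/8)
         MVC   RACFRSN,SAFPRREA      RACF reason code
         DROP  R2
         LTR   R15,R15               SAF RC 0 = access permitted
         BZ    ALLOWED
* SAF RC 4 (no profile or RACF inactive) is "no decision"; a key
* service should fail closed and treat it exactly like RC 8 (denied).
DENIED   LA    R15,8                 tell the caller: do not use key
         B     RETURN
ALLOWED  SR    R15,R15               tell the caller: key may be used
RETURN   L     R13,4(,R13)           standard exit linkage, R15 kept
         L     R14,12(,R13)
         LM    R0,R12,20(R13)
         BR    R14
SAVEAREA DS    18F
SAFRC    DS    F
RACFRC   DS    F
RACFRSN  DS    F
         DS    0D                    WORKA needs doubleword alignment
RACWORK  DS    CL512
* List form: class is fixed, entity/access level supplied at execution.
AUTHPL   RACROUTE REQUEST=AUTH,CLASS='FACILITY',RELEASE=2.6,MF=L
KEYENT   DC    AL2(20),AL2(20)       ENTITYX: buffer len, actual len
KEYNAME  DC    CL20'KEYSVC.PAYROLL.AES01'  constructed (assumed) name
         ICHSAFP                     maps SAFPRRET/SAFPRREA in AUTHPL
         END   KEYAUTH
```

The caller's own program would issue this per key name before handing out the key material; the profile naming convention and the decision to fail closed on SAF RC 4 are choices the site, not RACF, makes.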

