All of our TN3270 traffic is SSL encrypted. I will definitely be documenting everything!
We have a naming convention as suggested by our vendor, but if you have any particular good practices I'd love to hear them. Your point about DR is also well taken. We'll have to discuss that.

Another question, since I've got your attention. Our vendor mentions that at all of their other customers the CKDS/PKDS are shared between production and non-production. It wasn't clear to me if this was because they run prod and non-prod in the same LPAR or for some other reason (such as perhaps they didn't know any better). Because of this they had keys with names like KEKKIM.TEST.ABCD and KEKKIM.PROD.ABCD. We, on the other hand, will have production in one crypto region with its own CKDS/PKDS, totally separate from non-production. This seems the obvious, best way to go, but I'm curious what others have to say. Because of this we could have both a production and a non-production key with the same label name, but they would not refer to the same actual key value. (One could not access the production keys from a non-prod LPAR.)

Thanks!

Frank

>________________________________
> From: Rob Schramm <[email protected]>
>To: [email protected]
>Sent: Thursday, September 13, 2012 5:54 PM
>Subject: Re: loading cryptographic coprocessor key part registers
>
>I am hoping that you have already considered the need for encrypting the
>TSO session.
>
>Additionally, having the procedure actually documented before entering
>your production MK is a really good idea. Also, secured key part storage
>onsite as well as offsite for disaster recovery.
>
>Also, naming convention for the operational keys is critical!!!
>
>Rob Schramm
>On Sep 13, 2012 5:50 PM, "Frank Swarbrick" <[email protected]>
>wrote:
>
>> Looks like we found a solution:
>> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS189.
>>
>> Frank
>>
>> >________________________________
>> > From: Frank Swarbrick <[email protected]>
>> >To: [email protected]
>> >Sent: Thursday, September 13, 2012 12:43 PM
>> >Subject: loading cryptographic coprocessor key part registers
>> >
>> >We are migrating our PIN/card security process to use ICSF and a Crypto3
>> >card. All of our vendor's other customers have used the TKE Workstation to
>> >load their operational keys (in multiple key part/component format). We
>> >were not planning on purchasing the TKE feature. But I cannot see any way
>> >outside of TKE to enter operational key components into the "cryptographic
>> >coprocessor's key part registers" outside of using TKE. Help!
>> >
>> >Frank
>> >
>> >----------------------------------------------------------------------
>> >For IBM-MAIN subscribe / signoff / archive access instructions,
>> >send email to [email protected] with the message: INFO IBM-MAIN
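Frank's design above (one CKDS/PKDS per environment, so the same label can exist in prod and non-prod without naming the same key) invites a simple audit. As an added example, not from the thread and not ICSF's or the vendor's code, this Python checker takes constructed per-environment label inventories with key check values (assumed to come from a CKDS listing plus a key-test call such as CSNBKYT) and flags three things: labels ICSF's syntax would reject, labels carrying the other environment's vendor-style qualifier, and labels whose KCV is identical in both environments, which means the same key value was loaded into both. The inventories, KCVs and the environment-to-qualifier mapping are all constructed.

```python
import re
# ICSF CKDS/PKDS label rule: 1 to 64 characters; first character alphabetic
# or national (#, $, @); remaining characters alphanumeric, national, or period.
LABEL_RE = re.compile(r"^[A-Z#$@][A-Z0-9#$@.]{0,63}$")

# Constructed inventories, one per environment (separate CKDS each):
# label -> key check value (KCV). A KCV identifies key material without
# exposing it, so comparing KCVs across environments is safe.
INVENTORY = {
    "PROD": {
        "KEKKIM.ABCD": "3F2A91",        # same label as non-prod, different key
        "PINKEY.ATM1": "7C04E2",        # same KCV in both: separation failure
        "KEKKIM.TEST.ZZZZ": "0BAD00",   # test-qualified label left in prod
    },
    "NONPROD": {
        "KEKKIM.ABCD": "9D10FF",
        "PINKEY.ATM1": "7C04E2",
        "KEKKIM.TEST.ABCD": "55AA55",   # vendor-style qualifier, in place
        "BAD-LABEL": "123456",          # hyphen is not a legal label character
    },
}
ENV_QUALIFIERS = {"PROD": "PROD", "NONPROD": "TEST"}  # assumed mapping


def invalid_labels(inventory):
    """Labels that do not satisfy the ICSF label syntax."""
    return sorted(l for env in inventory.values() for l in env
                  if not LABEL_RE.match(l))


def shared_key_material(inventory):
    """Same label in two CKDSs is expected; same KCV means same key value."""
    envs = list(inventory)
    hits = []
    for i, a in enumerate(envs):
        for b in envs[i + 1:]:
            for label in inventory[a].keys() & inventory[b].keys():
                if inventory[a][label] == inventory[b][label]:
                    hits.append((label, a, b))
    return sorted(hits)


def misplaced_qualifiers(inventory):
    """Labels whose embedded qualifier belongs to another environment."""
    hits = []
    for env, labels in inventory.items():
        for label in labels:
            qualifiers = set(label.split(".")[1:-1])
            for other, q in ENV_QUALIFIERS.items():
                if other != env and q in qualifiers:
                    hits.append((label, env))
    return sorted(hits)
```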
