Color me very confused.  Do you not agree with the following statement from 
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS189?

Abstract: The ICSF, application key generation 
utility, KGUP, does not provide the capability to enter keys using dual custody 
of key parts. Without using a TKE Workstation there is no way to enter multiple 
values that will be used to create a key value. If a TKE Workstation is not 
desired nor required for any other reason, this working sample application 
provides the ability to enter application keys under multiple custody from the 
TSO terminal. 


I can't get the K function to even do anything for me.  It either says "CKDS 
RECORD EXISTS" and when I press ENTER again says "KEY NOT FOUND", or, in the 
case where the label in fact does not already exist it just says "KEY NOT 
FOUND" and then says it again when I press enter.

From the documentation I'm looking at ("Loading Operational Keys to the CKDS" 
in the TKE Workstation Guide) it doesn't even show any examples (that I can 
see) of entering key components from this screen.

So I am lost.

In any case, we share operational keys with Visa and MasterCard, where they 
create the key parts and send them to us (triple custody).  Would you agree 
that this is a case where this is required?  Actually, I am referring to 
transport keys (key exchange keys), not "operational keys", so perhaps I am 
going totally down the wrong path...?





>________________________________
> From: Rob Schramm <rob.schr...@gmail.com>
>To: IBM-MAIN@LISTSERV.UA.EDU 
>Sent: Friday, September 14, 2012 10:29 AM
>Subject: Re: loading cryptographic coprocessor key part registers
> 
>Frank,
>
>That is not true.  Try option "k".  But the only reason you would need
>it would be if you need to store the operational key parts outside of
>the mainframe.  Also, KGUP should support key part entry... although
>it is one of the oldest interfaces for ICSF.  Auto generating keys is
>probably the best if the keys are not required outside of the
>mainframe.  Although you should be able to leverage a transport key or
>temporary session key if you need to exchange the key.
>
>The problems are that the management of the operational key parts are
>not really being managed outside of some interface like TKE or DKMS.
>
>TKE can actually enforce the presence of multiple people for key
>entry.  DKMS has a whole host of ways of actually managing key
>materials.
>
>Rob Schramm
>Senior Systems Consultant
>Imperium Group
>
>
>
>On Fri, Sep 14, 2012 at 11:34 AM, Frank Swarbrick
><frank.swarbr...@yahoo.com> wrote:
>> Key part entering is available in ICSF's ISPF interface only for master 
>> keys, not for operational keys.  Bizarre but true.  Operational keys can 
>> only be entered in full (not parts) or simply generated.
>>
>>
>>
>>
>>>________________________________
>>> From: Mark Jacobs <mark.jac...@custserv.com>
>>>To: IBM-MAIN@LISTSERV.UA.EDU
>>>Sent: Thursday, September 13, 2012 1:30 PM
>>>Subject: Re: loading cryptographic coprocessor key part registers
>>>
>>>ICSF has an ISPF interface that you'll use to enter the key parts.
>>>
>>>On 09/13/12 14:43, Frank Swarbrick wrote:
>>>> We are migrating our PIN/card security process to use ICSF and a Crypto3 
>>>> card.  All of our vendor's other customers have used the TKE Workstation 
>>>> to load their operational keys (in multiple key part/component format).  
>>>> We were not planning on purchasing the TKE feature.  But I cannot see any 
>>>> way outside of TKE to enter operational key components in to the 
>>>> "cryptographic
>>>> coprocessor's key part registers" outside of using TKE.  Help!
>>>> Frank
>>>>
>>>> ----------------------------------------------------------------------
>>>> For IBM-MAIN subscribe / signoff / archive access instructions,
>>>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>>>>
>>>>
>>>-- Mark Jacobs
>>>Time Customer Service
>>>Tampa, FL
>>>----
>>>
>>>The quiet ones are the ones that change the universe...
>>>The loud ones only take the credit.
>>>
>>>Londo Mollari - Babylon 5
>>>
>>
>
