Frank,

Sorry... I was just referring to ways to get operational keys in... Not
under dual control or separation.

If you need real control over MK and operational keys... Then TKE and DKMS
is it.

How many keys are you going to be managing?

Rob Schramm
On Sep 14, 2012 7:14 PM, "Frank Swarbrick" <[email protected]>
wrote:

> Color me very confused.  Do you not agree with the following statement
> from http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS189?
>
> Abstract: The ICSF, application key generation utility, KGUP, does not
> provide the capability to enter keys using dual custody of key parts.
> Without using a TKE Workstation there is no way to enter multiple values
> that will be used to create a key value. If a TKE Workstation is not
> desired nor required for any other reason, this working sample application
> provides the ability to enter application keys under multiple custody from
> the TSO terminal.
>
>
> I can't get the K function to even do anything for me.  It either says
> "CKDS RECORD EXISTS" and when I press ENTER again says "KEY NOT FOUND", or,
> in the case where the label in fact does not already exist it just says
> "KEY NOT FOUND" and then says it again when I press enter.
>
> From the documentation I'm looking at ("Loading Operational Keys to the
> CKDS" in the TKE Workstation Guide) it doesn't even show any examples (that
> I can see) of entering key components from this screen.
>
> So I am lost.
>
> In any case, we share operational keys with Visa and MasterCard, where
> they create the key parts and send them to us (triple custody).  Would you
> agree that this is a case where this is required?  Actually, I am referring
> to transport keys (key exchange keys), not "operational keys", so perhaps I
> am going totally down the wrong path...?
>
>
>
>
>
> >________________________________
> > From: Rob Schramm <[email protected]>
> >To: [email protected]
> >Sent: Friday, September 14, 2012 10:29 AM
> >Subject: Re: loading cryptographic coprocessor key part registers
> >
> >Frank,
> >
> >That is not true.  Try option "k".  But the only reason you would need
> >it would be if you need to store the operational key parts outside of
> >the mainframe.  Also, KGUP should support key part entry... although
> >it is one of the oldest interfaces for ICSF.  Auto generating keys is
> >probably the best if the keys are not required outside of the
> >mainframe.  Although you should be able to leverage a transport key or
> >temporary session key if you need to exchange the key.
> >
> >The problems are that the management of the operational key parts are
> >not really being managed outside of some interface like TKE or DKMS.
> >
> >TKE can actually enforce the presence of multiple people for key
> >entry.  DKMS has a whole host of ways of actually managing key
> >materials.
> >
> >Rob Schramm
> >Senior Systems Consultant
> >Imperium Group
> >
> >
> >
> >On Fri, Sep 14, 2012 at 11:34 AM, Frank Swarbrick
> ><[email protected]> wrote:
> >> Key part entering is available in ICSF's ISPF interface only for master
> >> keys, not for operational keys.  Bizarre but true.  Operational keys can
> >> only be entered in full (not parts) or simply generated.
> >>
> >>
> >>
> >>
> >>>________________________________
> >>> From: Mark Jacobs <[email protected]>
> >>>To: [email protected]
> >>>Sent: Thursday, September 13, 2012 1:30 PM
> >>>Subject: Re: loading cryptographic coprocessor key part registers
> >>>
> >>>ICSF has an ISPF interface that you'll use to enter the key parts.
> >>>
> >>>On 09/13/12 14:43, Frank Swarbrick wrote:
> >>>> We are migrating our PIN/card security process to use ICSF and a
> >>>> Crypto3 card.  All of our vendor's other customers have used the TKE
> >>>> Workstation to load their operational keys (in multiple key part/component
> >>>> format).  We were not planning on purchasing the TKE feature.  But I cannot
> >>>> see any way outside of TKE to enter operational key components in to the
> >>>> "cryptographic coprocessor's key part registers" outside of using TKE.  Help!
> >>>> Frank
> >>>>
> >>>> ----------------------------------------------------------------------
> >>>> For IBM-MAIN subscribe / signoff / archive access instructions,
> >>>> send email to [email protected] with the message: INFO IBM-MAIN
> >>>>
> >>>>
> >>>-- Mark Jacobs
> >>>Time Customer Service
> >>>Tampa, FL
> >>>----
> >>>
> >>>The quiet ones are the ones that change the universe...
> >>>The loud ones only take the credit.
> >>>
> >>>Londo Mollari - Babylon 5
> >>>
> >>>
> >>>
> >>>
> >>
> >
> >
> >
> >
>
>
