I'm going to take this offline, unless someone else is really interested in this thread.
>________________________________
> From: Rob Schramm <[email protected]>
>To: [email protected]
>Sent: Friday, September 14, 2012 6:12 PM
>Subject: Re: loading cryptographic coprocessor key part registers
>
>Frank,
>
>Sorry... I was just referring to ways to get operational keys in... Not
>under dual control or separation.
>
>If you need real control over MK and operational keys... Then TKE and DKMS
>is it.
>
>How many keys are you going to be managing?
>
>Rob Schramm
>On Sep 14, 2012 7:14 PM, "Frank Swarbrick" <[email protected]>
>wrote:
>
>> Color me very confused. Do you not agree with the following statement
>> from http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS189?
>>
>> Abstract: The ICSF, application key generation utility, KGUP, does not
>> provide the capability to enter keys using dual custody of key parts.
>> Without using a TKE Workstation there is no way to enter multiple values
>> that will be used to create a key value. If a TKE Workstation is not
>> desired nor required for any other reason, this working sample application
>> provides the ability to enter application keys under multiple custody from
>> the TSO terminal.
>>
>> I can't get the K function to even do anything for me. It either says
>> "CKDS RECORD EXISTS" and when I press ENTER again says "KEY NOT FOUND", or,
>> in the case where the label in fact does not already exist it just says
>> "KEY NOT FOUND" and then says it again when I press enter.
>>
>> From the documentation I'm looking at ("Loading Operational Keys to the
>> CKDS" in the TKE Workstation Guide) it doesn't even show any examples (that
>> I can see) of entering key components from this screen.
>>
>> So I am lost.
>>
>> In any case, we share operational keys with Visa and MasterCard, where
>> they create the key parts and send them to us (triple custody). Would you
>> agree that this is a case where this is required? Actually, I am referring
>> to transport keys (key exchange keys), not "operational keys", so perhaps I
>> am going totally down the wrong path...?
>>
>> >________________________________
>> > From: Rob Schramm <[email protected]>
>> >To: [email protected]
>> >Sent: Friday, September 14, 2012 10:29 AM
>> >Subject: Re: loading cryptographic coprocessor key part registers
>> >
>> >Frank,
>> >
>> >That is not true. Try option "k". But the only reason you would need
>> >it would be if you need to store the operational key parts outside of
>> >the mainframe. Also, KGUP should support key part entry... although
>> >it is one of the oldest interfaces for ICSF. Auto generating keys is
>> >probably the best if the keys are not required outside of the
>> >mainframe. Although you should be able to leverage a transport key or
>> >temporary session key if you need to exchange the key.
>> >
>> >The problems are that the management of the operational key parts are
>> >not really being managed outside of some interface like TKE or DKMS.
>> >
>> >TKE can actually enforce the presence of multiple people for key
>> >entry. DKMS has a whole host of ways of actually managing key
>> >materials.
>> >
>> >Rob Schramm
>> >Senior Systems Consultant
>> >Imperium Group
>> >
>> >On Fri, Sep 14, 2012 at 11:34 AM, Frank Swarbrick
>> ><[email protected]> wrote:
>> >> Key part entering is available in ICSF's ISPF interface only for master
>> >> keys, not for operational keys. Bizarre but true. Operational keys can
>> >> only be entered in full (not parts) or simply generated.
>> >>
>> >>>________________________________
>> >>> From: Mark Jacobs <[email protected]>
>> >>>To: [email protected]
>> >>>Sent: Thursday, September 13, 2012 1:30 PM
>> >>>Subject: Re: loading cryptographic coprocessor key part registers
>> >>>
>> >>>ICSF has an ISPF interface that you'll use to enter the key parts.
>> >>>
>> >>>On 09/13/12 14:43, Frank Swarbrick wrote:
>> >>>> We are migrating our PIN/card security process to use ICSF and a
>> >>>> Crypto3 card. All of our vendor's other customers have used the TKE
>> >>>> Workstation to load their operational keys (in multiple key
>> >>>> part/component format). We were not planning on purchasing the TKE
>> >>>> feature. But I cannot see any way outside of TKE to enter operational
>> >>>> key components into the "cryptographic coprocessor's key part
>> >>>> registers" outside of using TKE. Help!
>> >>>> Frank
>> >>>>
>> >>>> ----------------------------------------------------------------------
>> >>>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> >>>> send email to [email protected] with the message: INFO IBM-MAIN
>> >>>>
>> >>>-- Mark Jacobs
>> >>>Time Customer Service
>> >>>Tampa, FL
>> >>>----
>> >>>
>> >>>The quiet ones are the ones that change the universe...
>> >>>The loud ones only take the credit.
>> >>>
>> >>>Londo Mollari - Babylon 5
