Hello ICSF System Programmers,
Could you please assist/advise me on the following issue/concern?
Due to the fact that we only have a couple of crypto keys to support legacy
applications on our mainframe and because of a cost-saving exercise, we decided
not to include the optional TKE workstation in our order of the new EC12
machine.
This means we are reverting to ICSF TSO panels for Master Key (MK) management.
We have 12 lpars connected to the Crypto Express co-processor and previously
used TKE on the 1st lpar started in the new hardware environment to load the MK to all
lpars.
Now the Key Management guys are concerned that without the TKE workstation,
loading new Master keys will be a prolonged process, i.e. executing the new MK
process x12 (on each lpar).
Our Environment:
· Only DES Masterkey defined
· We have 3 categories of MKs: PRODUCTION, ACCEPTANCE, TEST
· FMID HCR7780 and HCR77A0 in progress
· Masterkey change every 2/3 years when new mainframe is installed
OUTPUT OF ICSF COPROCESSOR MANAGEMENT PANELS
----------------------------------------------------------------
COPROCESSOR SERIAL NUMBER STATUS AES DES ECC RSA P11
----------- ------------- ------ --- --- --- --- ---
G00 9XXXXXX1 ACTIVE U A U U
G01 9XXXXXX2 ACTIVE U A U U
G02 9XXXXXX2 ACTIVE U A U U
G03 9XXXXXX2 ACTIVE U A U U
QUESTIONS:
--------------
1. Does the ICSF TSO panels method mean that the Key Management guys will have to
log on to each lpar and load the new Master keys?
2. Could we alternatively use the “pass phrase initialization utility” to
reduce ICSF set-up time and then use our Change Management procedures to plan a
new MK at a later date?
regards
Francis van Zutphen