It's been a long time since I've used and defined master keys. The keys I've
used were transport keys; those keys were generated after the DES master key
was set using the ISPF CSF utility.
So my use and examples are probably not usable for you, sorry.

On Fri, 23 Oct 2020 15:00:18 -0300, Isabel <[email protected]> wrote:

>Hello Carmen, I don't have problems with the job, but probably with the
>syntax of my control card.
>
>I successfully defined it in the CKDS, but after running the program, the
>reason code is ICSF 2738 (10040).
>
>Thank you
>
>On Fri, Oct 23, 2020 at 2:56 PM Carmen Vitullo <[email protected]> wrote:
>
>> I think this is still valid
>>
>>  //KGUP     EXEC PGM=CSFKGUP
>>  //CSFCKDS  DD DISP=SHR,DSN=CSF.CPU3.CSFCKDS
>>  //CSFDIAG  DD SYSOUT=*,DCB=(RECFM=FBA,LRECL=133,BLKSIZE=13300)
>>  //CSFKEYS  DD SYSOUT=*,DCB=(RECFM=FB,LRECL=208,BLKSIZE=3328)
>>  //CSFSTMNT DD SYSOUT=*,DCB=(RECFM=FB,LRECL=80,BLKSIZE=3200)
>>  //CSFIN    DD *
>>    ADD  LABEL(xxxxxx)  TYPE(EXPORTER)  CLEAR  <<---- your control cards may be different
>>  //*
>>  //REFRESH EXEC PGM=CSFEUTIL,PARM='CSF.CPU3.CSFCKDS,REFRESH'
>>
>>
>> On Fri, 23 Oct 2020 14:33:36 -0300, Isabel <[email protected]> wrote:
>>
>> >I add the label to the CKDS with the KGUP utility (in a sandbox); the user
>> >who submits the job needs permission to the profile in the csfkeys class.
>> >My problem is with the syntax of the "add" command to add this register in
>> >the ckds.
>> >
>> >Thanks again!
>> >
>> >On Fri, Oct 23, 2020 at 1:45 PM Farley, Peter x23353 <
>> >[email protected]> wrote:
>> >
>> >> OK, I can see permission being needed to save the key from the other side
>> >> into the CKDS (one does not want to let just anyone update CKDS), but does
>> >> the program / userid that just wants to USE the saved key also need
>> >> permission just to compute a hash with that key?
>> >>
>> >> That's the part I would see as a roadblock to implementation.
>> >>
>> >> Peter
>> >>
>> >> -----Original Message-----
>> >> From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Isabel
>> >> Sent: Friday, October 23, 2020 12:37 PM
>> >> To: [email protected]
>> >> Subject: Re: CSNBHMG - ICSF
>> >>
>> >> Peter,
>> >>
>> >> We are given a key from the other side to do the hash, and this key is
>> >> what we want to preserve.
>> >>
>> >> Thank you
>> >>
>> >> On Fri, Oct 23, 2020 at 1:33 PM Farley, Peter x23353 <
>> >> [email protected]> wrote:
>> >>
>> >> > PMFJI here and perhaps I misunderstand the requirement, but requiring
>> >> > ESF permission to compute a hash makes no sense to me, even from the
>> >> > POV of a paranoid liability attorney.
>> >> >
>> >> > What possible technical justification (other than "the
>> >> > lawyers said we needed it") is there for such a requirement?  What
>> >> > possible harm can a program computing a hash do that requires ESF
>> >> > permission?
>> >> >
>> >> > Unless this is computing a hash using a protected key rather than a
>> >> > clear key?  I can sort of see permission needed to create or update a
>> >> > protected key in the CKDS, but why would permission be needed to just
>> >> > use it?
>> >> >
>> >> > Peter
>> >> >
>> >> > -----Original Message-----
>> >> > From: IBM Mainframe Discussion List <[email protected]> On
>> >> > Behalf Of Pierre Fichaud
>> >> > Sent: Friday, October 23, 2020 12:17 PM
>> >> > To: [email protected]
>> >> > Subject: Re: CSNBHMG - ICSF
>> >> >
>> >> > Hi,
>> >> >         CSNB* calls are DES
>> >> >         CSND* calls are AES.
>> >> >         If you are using CSNBHMG you need the DES master key to be set.
>> >> >         And the label used in the call needs to be in the CKDS.
>> >> >         And you need permissions defined in RACF.
>> >> > Regards, Pierre.
>> >> ----------------------------------------------------------------------
>> >> For IBM-MAIN subscribe / signoff / archive access instructions,
>> >> send email to [email protected] with the message: INFO IBM-MAIN
>> >>