Hello! Yes we are out of date...
On Tuesday (Monday is a holiday in my country) I'll let you know if we have more troubles. :) Thanks.

On Fri, Aug 13, 2021 at 5:28 PM Eric D Rossman <[email protected]> wrote:

> I've got questions. :)
>
> > Our scenario:
> > We are running z/OS 2.2, Crypto Express 5 and FMID=HCR77B0
>
> This is a little out of service but I think we can make this work.
>
> > We want to calculate a hash using sha-256 with a certain secret key (or
> > seed) that is provided by someone external (and given to us). We are not
> > sure how to store that key in the CKDS Dataset. The length of the key is 32
> > bits and has the form of n(1)n(2)....n(32) where each n(i) is a
> > hexadecimal character (I don't know why...)
>
> I assume you mean 32 nibbles long (128 bits) because ICSF won't allow an
> HMAC key of less than 80 bits.
>
> Since you are on HCR77B0, you would convert it to binary and then use
> CSNBSKI2 to import clear key material as a secure key token. Doing this
> will require enabling SSM (special secure mode) in ICSF options dataset.
>
> Then, you can use CSNBKRC2 to put the token into the CKDS.
>
> > We already created and stored an AES master key in the cryptographic
> > hardware and we also changed the format of our CKDS in order to use HMAC.
>
> Perfect.
>
> > We tried different ways of putting this key in the CKDS using different
> > verbs, like using a REXX example from the web (HMAC Generation from a Clear
> > Key )
>
> Do you have a link to that example? CSNBHMG doesn't allow clear key tokens
> until "Cryptographic Support for z/OS V2R2 - z/OS V2R4 (HCR77D1)" (five
> releases after the release you have).
>
> > In our mainframe we want to use the callable service (verb) CSNBHMG in a
> > Cobol program to calculate the hash using the key stored in the CKDS. This
> > output should be the same as the output using
> > (with the same key).
>
> To be clear, that page is treating the data as ASCII, so you will need to
> account for that in your COBOL (ensure that the data is kept as binary
> until it is HMACed).
>
> > Our biggest issue is how to put this secret key (or seed) in the CKDS
> > dataset.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
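
An added example, not part of the original thread and not IBM or ICSF code: an off-platform Python reference for the value the HMAC-SHA-256 call should produce, showing how the two pitfalls raised in the reply (key left as hex characters instead of binary, data in EBCDIC instead of ASCII) each change the result. The key and message are constructed sample values, and `cp037` is assumed as a stand-in for the system's EBCDIC code page.

```python
import hashlib
import hmac

MIN_KEY_BITS = 80  # minimum HMAC key size the thread gives for ICSF

# Constructed sample values, not taken from the thread.
SAMPLE_HEX_KEY = "000102030405060708090a0b0c0d0e0f"  # 32 nibbles = 128 bits
SAMPLE_MESSAGE = "Hello from z/OS"


def key_from_hex(hex_text: str) -> bytes:
    """Convert a key delivered as hex characters into the binary key."""
    key = bytes.fromhex(hex_text.strip())  # ValueError on non-hex or odd length
    if len(key) * 8 < MIN_KEY_BITS:
        raise ValueError(f"key is {len(key) * 8} bits, below {MIN_KEY_BITS}")
    return key


def hmac_sha256(key: bytes, data: bytes) -> str:
    """HMAC-SHA-256 over raw bytes, returned as lowercase hex."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def compare_variants(hex_key: str, message: str) -> dict:
    """HMAC of the same logical inputs under three byte-level interpretations."""
    key = key_from_hex(hex_key)
    return {
        # What an ASCII-based reference tool computes with the binary key.
        "binary key, ASCII data": hmac_sha256(key, message.encode("ascii")),
        # Data left in EBCDIC (cp037 is an assumed code page for this sketch).
        "binary key, EBCDIC data": hmac_sha256(key, message.encode("cp037")),
        # Hex characters used as the key without converting them to binary.
        "hex text as key, ASCII data": hmac_sha256(
            hex_key.encode("ascii"), message.encode("ascii")),
    }


if __name__ == "__main__":
    for label, digest in compare_variants(SAMPLE_HEX_KEY, SAMPLE_MESSAGE).items():
        print(f"{label:30} {digest}")
```

Only the first variant corresponds to what an ASCII-based reference page computes; if the mainframe result matches one of the other two, the mismatch is in key conversion or data encoding rather than in the HMAC itself.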
