On 30.06.2022 at 15:56, Mark A. Brooks wrote:
If you run the policy utility IXCMIAPU to create/replace an administrative policy in the
CFRM CDS, then for any structure definition that specifies ENCRYPT(YES), the system will
create an encryption key for that structure provided the CFRM CDS does not already have a
key for the structure. That is, a key is generated if neither the current active policy
nor any of the existing administrative policies specify ENCRYPT(YES) for the structure.
Any such key is wrapped by the master AES key and stored in the CFRM CDS. Depending on
CFLEVEL, the wrapped key may also be stored in the CF as well. However, one should think
of the CFRM CDS as being "the" key repository for encrypted CF structures.
Yes, all the encryption/decryption is performed by z/OS.
Now it's clear and reasonable. By reasonable I mean the design. Of
course the best place for the key store is the CDS. Every sysplex member
has to have access to the CDS and this is the place which survives any
restart, IPL, POR, power outage, etc.
Thank you for the clarification!
--
Radoslaw Skorupka
Lodz, Poland