Radoslaw,

The "cracking exercise" is not so difficult. Those private keys in RACF are not encrypted. They are stored in field CERTPRVK. I think they are BER encoded. Details are in the RACF Macros and Interfaces manual. It's easy to display them using zSecure if you know how. Good reason to make sure the absolute minimum of people have READ access to the RACF database.

With ICSF the keys are stored in the ICSF CKDS with each key encrypted under the ICSF master key. That master key is protected using FIPS 140-2 level 4 standards.

Lennie Dymoke-Bradshaw
https://rsclweb.com

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Radoslaw Skorupka
Sent: 18 January 2024 22:32
To: [email protected]
Subject: Re: I hate to be a pain (Cross-Posted)

Is ICSF xKDS file a VSAM? Yes.

So, why keep the keys in CKDS/PKDS instead of RACFdb?
1. Because the keys in CKDS/PKDS are *well encrypted* using a secret key (CryptoExpress MK). Assuming you have CEX.
2. Because any key kept in RACF is kept along with the encryption key for that key.
3. Because still a majority of RACF installations do not use encrypted VSAM db (yet). In such a scenario any authorized person (i.e. bad RACF admin) can read the whole db and then do the cracking exercises.

BTW: Recently I did encrypt RACF db. Results: none. Nothing happened. The database is encrypted - the only change, but it is invisible to administrators.

--
Radoslaw Skorupka
Lodz, Poland

On 17.01.2024 at 21:29, Steve Beaver wrote:
> On z/OS isn't that the ICSF CKDS VSAM file? Yes
>
> Steve
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Farley, Peter
> Sent: Wednesday, January 17, 2024 1:38 PM
> To: [email protected]
> Subject: Re: I hate to be a pain (Cross-Posted)
>
> On z/OS isn't that the ICSF CKDS VSAM file?
>
> Peter
>
> From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Steve Beaver
> Sent: Wednesday, January 17, 2024 1:32 PM
> To: [email protected]
> Subject: I hate to be a pain (Cross-Posted)
>
> This is not my area of expertise, and I can't find a YOUTUBE or a step by step checklist
>
> How does one create a keystore on zOS?
>
> Regards,
>
> Steve
>

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
