Thank you to both Lennie and Colin. I would like to also ask that if there are enhancements or utilities that you feel strongly ICSF should have natively, please open an Aha (formerly RFE) so IBM can take that into consideration. I try to get new things in every release that have been requested.
Eric Rossman --------------------------------- ICSF Security Architect z/OS Security --------------------------------- -----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Lennie Bradshaw Sent: Monday, May 19, 2025 6:48 PM To: [email protected] Subject: [EXTERNAL] Re: CSFKGUP does not feed CSFSTMNT file Radolslaw, I wrote a key movement facility for DES keys many years ago. I feel sure it could be modified for AES keys. It requires a common transport key however. You can find CSKXFER on this page in a package with documentation. https://rsclweb.com/downloads/ Lennie -----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Radoslaw Skorupka Sent: 19 May 2025 20:20 To: [email protected] Subject: Re: CSFKGUP does not feed CSFSTMNT file I have found KEYXFER utility. It is one of the Tools & Toys (read: unsupported), however mentioned in official documentation as a tool to do some operations. One of the disadvantages of the KEYXFER is... it doesn't work with contemporary KDS formats. The other one is/was common (shared between systems) MK. Nevermind, I have found yet another tools, I'm going to ...find out why it doesn't work :-) :-) :-) -- Radoslaw Skorupka Lodz, Poland W dniu 19.05.2025 o 14:55, Eric Rossman pisze: > Yeah, I agree that it is a pity. We just didn't have the demand for it when > AES was implemented in KGUP and your question was the first one I can recall. > I don't believe that the TRANSKEY is even used when you are generating a > random AES key but we don't do a great job documenting that (we're trying to > improve our doc). > > That said, you have a number of options. > > One is to do as you suggest and use the same control cards on both systems to > create identical AES keys. > > Another option would be to use callable services. ICSF callable services are > accessible from (almost) any language you can name. I have personally > implemented calls from C, C++, COBOL, Python, REXX, and ASM (that I can think > of). I know that PL/I is also supported and I did some research and found > that GoLang (and any other language that can speak LE) should work. > > Eric Rossman > --------------------------------- > ICSF Security Architect > z/OS Security > --------------------------------- > > -----Original Message----- > From: IBM Mainframe Discussion List <[email protected]> On > Behalf Of Radoslaw Skorupka > Sent: Monday, May 19, 2025 8:33 AM > To: [email protected] > Subject: [EXTERNAL] Re: CSFKGUP does not feed CSFSTMNT file > > It's a pity. > How can I (safely) export the AES key to another system? > Should I create the statement manually, by using CSFKEYS DD output? > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
