> Hi Todd,
> Are you saying that the Redbook SG24-7848-00 System z Crypto and TKE Update is
> just plain wrong?

Actually, I cannot figure out what that text from the Redbook is trying to say :-)

All protected-mode keys are stored as CCA secure key tokens, wrapped by the master key of the Crypto Express (CEX) card. The CEX unwraps the key when it is needed by CPACF, which then rewraps it using a temporary CPACF key. That CPACF key is lost whenever the system is restarted, and a new CPACF key is generated at that time. Thus, the only long-term storage of the protected-mode keys is under the CEX master keys. Those can't be used, of course, unless you have the CEX.

Thus, a CEX is required in order to use protected-mode CPACF. If you take a clear key and import it to protected mode, the result is a protected key that cannot be used without having a CEX.

Todd Arnold
