David,
Now it's clear for me.
It's a matter of language - in Polish there is no such gizmo as an article (a, an, the). Yes, you are right, *assuming proper setting* it is possible to control other domains from a TKE. AFAIK, it's not possible to do it from z/OS. However there's a trick: changing usage domain (or just have an LPAR with several domains) and restart ICSF with another domain ID.

On the other hand it's IMHO better to explain something to someone, than show the things are more complex. Some simplifications are sometimes justified ;-)


BTW: Has anybody heard about RCE? Regional Crypto Enablement. A card, defined in HCD as a function. Available in z13 GA2.

Regards
--
Radoslaw Skorupka
Lodz, Poland








On 2016-10-20 at 20:06, Jousma, David wrote:
RS,

I should have elaborated more. You need *a* system up and running on the box, 
but not *the* system. For example we use TKE, and connect to a TECH system on 
the box that is running. That tech system IMAGE profile is set up to be able 
to administer all crypto domains. So when we bring in a new box, we IPL a 
tech system onto it, and then we can reload MK's for all domains, including 
systems that are not yet operational.  If there is a new MK waiting to load in 
the crypto card register, ICSF will load that MK automatically upon 
initialization.

I don't believe that there is a way to load MK's for other domains via the ISPF 
panels, but I could be wrong.

_________________________________________________________________
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President
[email protected]
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H
p 616.653.8429
f 616.653.2717


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf 
Of R.S.
Sent: Thursday, October 20, 2016 12:34 PM
To: [email protected]
Subject: Re: Implementing ICSF - FOTS1949 PRNG is not seeded

Well, again, this is a straightforward approach: you have your own (or
dedicated) DR machine. You prepare your system for DR, part of preparation can 
be MK entry. That means *some* z/OS system IPL-ed, preferably a copy of your 
prod system.
@David, AFAIK even with TKE station you have to IPL the z/OS...

Of course, if the machine is to be reused by other company, then leaving MK is 
not the best idea.

--
Radoslaw Skorupka
Lodz, Poland







On 2016-10-20 at 17:18, Jousma, David wrote:
If you have a TKE, then you can load it in advance.  If not then your only 
option is to use the ISPF based ICSF panels.

_________________________________________________________________
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President
[email protected]
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H
p 616.653.8429
f 616.653.2717


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf 
Of Jesse 1 Robinson
Sent: Thursday, October 20, 2016 11:06 AM
To: [email protected]
Subject: Re: Implementing ICSF - FOTS1949 PRNG is not seeded

Thanks. I'm on board except for this statement. "You can do [the Master Key] in advance or 
during DR IPL." What is "in advance"? These systems are IPLed only in DR (test) 
mode. Is there any alternative to actual IPL?



