If you just want a list of the key labels, then a 'PRINT INDA('ckds name')
COUNT(9999)' will probably work, if you have read access to the keystore. (Be
careful and see below.) If you want something to format the flags and fields
in the record then you can do that either processing the data thru the ICSF
APIs or directly reading the VSAM file. I've got REXX EXECs but they are not
very comprehensive. I use the RXVSAM package from the CBTape to read the VSAM
record and then display specific fields.
The problem is that in most shops, the CKDS contains clear keys, and anyone
that has authority to read the keystore can also see the actual key value of
those clear keys. (The secure keys are encrypted under the master key, so that
key material is protected.) I recommend that only the ICSF address space
should have authority to the keystore.
In addition, if you use the APIs, then the application must run APF authorized
to process a clear key.
The last several releases of ICSF have introduced a number of enhancements
related to key management, so I suspect that somebody, somewhere is working on
a key management tool (or set of tools) that will provide details about
existing key records. Since key management is the hard part of crypto, such a
tool is sorely needed.
Greg
[email protected]
www.mainframecrypto.com
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
