I did have a process years ago, not sure it's still valid... not sure this is what you need?

Clone the ICSF CKDS from one system to another

1) allocate a new CKDS
2) generate a random number and then get the checksum for it (write the key part down and save it)
3) enter this key part as the FIRST key part
4) generate another random number and then get the checksum for it (write the key part down and save it)
5) enter this key part as the FINAL key part
6) reencipher the current CKDS into the new CKDS

The new CKDS is now the active CKDS and the master key is now changed.

Now take this new CKDS and the master key parts to the other system. On the other system do the following:

Stop ICSF.
Repro the new CKDS into a new CKDS, ensure the CSFPRMxx member has the new CKDS name in it.

1) enter the DES key parts (first and final)
2) set the master key (option 2.2 from the ICSF panel)

The master key is now set and the new CKDS is now the active CKDS.

Carmen Vitullo

----- Original Message -----
From: "Frank Swarbrick" <[email protected]>
To: [email protected]
Sent: Friday, September 28, 2018 1:41:02 PM
Subject: Re: ICSF crypto domain sharing

We unfortunately have opted to not (yet?) purchase a TKE. While it's "too late" for this time, does anyone know if there is a method to "copy" master keys from one domain to another?

________________________________
From: IBM Mainframe Discussion List <[email protected]> on behalf of Jousma, David <[email protected]>
Sent: Friday, September 28, 2018 9:03 AM
To: [email protected]
Subject: Re: ICSF crypto domain sharing

Radoslaw. OK, you made me go look at the IMAGE profiles for my PROD systems. We have 3 PROD systems on a single CPC. My recollection was incorrect, and should have looked before I replied. We have 3 domains, one for each prod lpar assigned USAGE on each, with 4 crypto engines online. All 3 prod lpars have Control access to all 3 domains, and was the source of my mis-information and are set that way, so that when we do TKE key ceremony, we can load the PROD master keys for all PROD domains in one operation.
My apologies for spreading FAKE NEWS. :)

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of R.S.
Sent: Friday, September 28, 2018 10:43 AM
To: [email protected]
Subject: Re: ICSF crypto domain sharing

On 2018-09-28 at 12:54, Jousma, David wrote:
> Yes, they can be shared. Our PROD lpars are all on the same domain.

IMHO no, domains cannot be shared. Maybe your prod LPARs reside on different CPC each?

Some remarks:
1. Single LPAR can have more than one domain, but z/OS ICSF can use only one at a time. However you can change domain number in PARMLIB and recycle ICSF.
2. Domain number cannot be assigned to more than one active LPAR. Deactivated LPARs could share domain id.
3. In the old days it was possible to have i.e. 40 LPARs and number of domains was 16. In that case more crypto engines were needed, for example Crypto 1 and 3 were assigned to LPARs 01-0F, Crypto engines 2 and 4 were assigned to LPARs 10-1F and remaining LPARs had no access to Crypto engines (CPACF is not affected). In that case LPAR 01 and LPAR 11 may have Domain Id 2 assigned, but on separated Crypto engines.
4. It is impossible to have i.e. Domain 12 on Crypto1 and Domain 07 on Crypto2 at a time.
5. It is also possible to have the same master keys on different domains (and even different CPCs) - in that case, CKDS/PKDS can be shared/copied between those systems.

--
Radoslaw Skorupka
Lodz, Poland
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
