Re: EKM and Public Keys
Jousma, David wrote:
> If your partner has one of the keys that goes with that label, then I say yes. Send them a test tape

I'm a bit concerned that you are getting an encryption error when you just use the single key. That tells me that EKM isn't able to use just this key to encrypt the tape.

Mark Jacobs

--
Mark Jacobs
Time Customer Service
Tampa, FL

In theory there is no difference between theory and practice. In practice there is. - Yogi Berra

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
EKM and Public Keys
I have added the public key from our partner into our Top Secret environment. Now I need to see if it actually encrypted with that public key. Here I am still not understanding this process of public keys so well.

IEC205I SYSUT2,LK41591T,COPYIT1,FILESEQ=1, COMPLETE VOLUME LIST,
DSN=STORAGE.ENCRYPT$.TEST.VOL4R,VOLS=300027,
LISTED VOL(S) HAVE BEEN DATA ENCRYPTED,KL1CD:L,KL2CD:H,
KL1=rsaceru,KL2=EMKLOWES,TOTALBLOCKS=1

I then took the tape and wrote back out the file. Which was successful. I thought if I used a public key I would not be able to read the tape again. Yet my test did not support that thought.

So my questions

1) When you encrypt a tape with a public key, can you still read it?
2) How can you verify that the tape is actually set up to use the public key and not my private key?
3) We are using EKM software from IBM, are there any displays that will help me verify that my partner will be able to read the tape? Anything in ISMF, or CA1?

Thanks

Lizette
Re: EKM and Public Keys
Lizette Koehler wrote:
> I have added the public key from our partner into our Top Secret environment. Now I need to see if it actually encrypted with that public key. Here I am still not understanding this process of public keys so well.
>
> IEC205I SYSUT2,LK41591T,COPYIT1,FILESEQ=1, COMPLETE VOLUME LIST,
> DSN=STORAGE.ENCRYPT$.TEST.VOL4R,VOLS=300027,
> LISTED VOL(S) HAVE BEEN DATA ENCRYPTED,KL1CD:L,KL2CD:H,
> KL1=rsaceru,KL2=EMKLOWES,TOTALBLOCKS=1
>
> I then took the tape and wrote back out the file. Which was successful. I thought if I used a public key I would not be able to read the tape again. Yet my test did not support that thought.
>
> So my questions
>
> 1) When you encrypt a tape with a public key, can you still read it?
> 2) How can you verify that the tape is actually set up to use the public key and not my private key?
> 3) We are using EKM software from IBM, are there any displays that will help me verify that my partner will be able to read the tape? Anything in ISMF, or CA1?
>
> Thanks
>
> Lizette

If you encrypted the tape with two keylabels, one from your generated keypair and the other one from your partner then yes you should be able to read it. Try encrypting the tape with only their key. Your attempt to read the tape should fail since you don't have the associated private key in your environment.

--
Mark Jacobs
Time Customer Service
Tampa, FL

In theory there is no difference between theory and practice. In practice there is. - Yogi Berra
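A simplified model of the two-keylabel behaviour described in the reply above, added here as an illustration and not taken from the thread or from IBM EKM: the tape data is encrypted once with a random data key, and that data key is wrapped separately under the public key behind each key label, so a reader needs only one matching private key. The toy RSA keys, the XOR keystream, the function names and the assumption that rsaceru is the writer's own key pair and EMKLOWES the partner's are all constructed for the example.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both toy key pairs

def make_keypair(p, q):
    """Textbook RSA from two primes: returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def keystream_xor(data_key, data):
    """Stand-in for the drive's symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(data_key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def write_tape(plaintext, key_labels, public_keys):
    """Encrypt once with a random data key, then wrap that key under each label's public key."""
    data_key = secrets.token_bytes(16)
    m = int.from_bytes(data_key, "big")
    wrapped = {label: pow(m, E, public_keys[label]) for label in key_labels}
    return {"wrapped_keys": wrapped, "data": keystream_xor(data_key, plaintext)}

def read_tape(tape, private_keys):
    """Unwrap the data key with any private key the reader holds for a label on the tape."""
    for label, blob in tape["wrapped_keys"].items():
        if label in private_keys:
            n, d = private_keys[label]
            data_key = pow(blob, d, n).to_bytes(16, "big")
            return keystream_xor(data_key, tape["data"])
    raise PermissionError("no private key for labels: " + ", ".join(tape["wrapped_keys"]))

def can_read(tape, private_keys):
    """True if the holder of private_keys can recover the tape data."""
    try:
        read_tape(tape, private_keys)
        return True
    except PermissionError:
        return False

# Constructed toy keys built from Mersenne primes (far too weak for real use).
OUR_KEY = make_keypair(2**61 - 1, 2**89 - 1)        # assumed: rsaceru is our own key pair
PARTNER_KEY = make_keypair(2**107 - 1, 2**127 - 1)  # assumed: EMKLOWES is the partner's
OUR_PUBLIC = {"rsaceru": OUR_KEY[0], "EMKLOWES": PARTNER_KEY[0]}  # we hold both public keys
OUR_PRIVATE = {"rsaceru": OUR_KEY}            # but only our own private key
PARTNER_PRIVATE = {"EMKLOWES": PARTNER_KEY}   # the partner holds theirs

if __name__ == "__main__":
    both = write_tape(b"constructed test record", ["rsaceru", "EMKLOWES"], OUR_PUBLIC)
    partner_only = write_tape(b"constructed test record", ["EMKLOWES"], OUR_PUBLIC)
    for name, tape in (("both labels", both), ("partner label only", partner_only)):
        print(name, "- we can read:", can_read(tape, OUR_PRIVATE),
              "- partner can read:", can_read(tape, PARTNER_PRIVATE))
```

In this model a tape written with both labels is readable by either side, while a tape written with only the partner's label is readable by the partner alone.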
Re: EKM and Public Keys
Mark,

I have tried it with both the KEYLABL1 and KEYLABL2 parms. They both fail the same way - I am not able to encrypt the key that way.

//SYSUT1   DD DISP=SHR,DSN=TSO.LK41591.PDF.CNTL(IDCAMS)
//SYSUT2   DD DISP=(,CATLG,DELETE),UNIT=CART,DATACLAS=ENCRYPT,
//            RETPD=1,
//            KEYLABL1='EMKLOWES',
//            KEYENCD1=H,
//            DSN=STORAGE.ENCRYPT$.TEST.VOL4V

IOS000I 0A0C,10,IOE,01,0E00,,**,300113,LK41591T 584
804C08C022402751 0001FF00 0005EE310092 2004E8205D6F2011
ENCRYPTION FAILURE CU = 00 DRIVE = 00 EKM = 05EE31
IEC512I I/O ERR 0A0C,300113,SL,LK41591T,COPYIT1,STORAGE.ENCRYPT$.TEST.VOL4V
IEC518I SOFTWARE ERRSTAT: INTLABEL 0A0C,300113,SL,LK41591T,COPYIT1

Lizette
Re: EKM and Public Keys
Lizette Koehler wrote:
> Mark,
>
> I have tried it with both the KEYLABL1 and KEYLABL2 parms. They both fail the same way - I am not able to encrypt the key that way.
>
> //SYSUT1   DD DISP=SHR,DSN=TSO.LK41591.PDF.CNTL(IDCAMS)
> //SYSUT2   DD DISP=(,CATLG,DELETE),UNIT=CART,DATACLAS=ENCRYPT,
> //            RETPD=1,
> //            KEYLABL1='EMKLOWES',
> //            KEYENCD1=H,
> //            DSN=STORAGE.ENCRYPT$.TEST.VOL4V
>
> IOS000I 0A0C,10,IOE,01,0E00,,**,300113,LK41591T 584
> 804C08C022402751 0001FF00 0005EE310092 2004E8205D6F2011
> ENCRYPTION FAILURE CU = 00 DRIVE = 00 EKM = 05EE31
> IEC512I I/O ERR 0A0C,300113,SL,LK41591T,COPYIT1,STORAGE.ENCRYPT$.TEST.VOL4V
> IEC518I SOFTWARE ERRSTAT: INTLABEL 0A0C,300113,SL,LK41591T,COPYIT1
>
> Lizette

Look in the EKM audit log. You might get some additional error information there. I tend to find the real reason for encryption failures there, not in the joblog.

snip

--
Mark Jacobs
Time Customer Service
Tampa, FL

In theory there is no difference between theory and practice. In practice there is. - Yogi Berra
Re: EKM and Public Keys
If you look in the metadata.xml, or use the utility to format it, it tells which key was used to encrypt the tape.

Dave Jousma
Assistant Vice President, Mainframe Services
david.jou...@53.com
1830 East Paris, Grand Rapids, MI 49546
MD RSCB1G
p 616.653.8429
f 616.653.8497

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Mark Jacobs
Sent: Wednesday, May 20, 2009 2:55 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: EKM and Public Keys

Look in the EKM audit log. You might get some additional error information there. I tend to find the real reason for encryption failures there, not in the joblog.
Re: EKM and Public Keys
According to metadata it says

keyalias1=rsaceru
keyalias2=EMKLOWES

Does this mean it is okay? That my partner will be able to decrypt the tape?

Lizette
Re: EKM and Public Keys
If your partner has one of the keys that goes with that label, then I say yes. Send them a test tape

Dave Jousma
Assistant Vice President, Mainframe Services
david.jou...@53.com
1830 East Paris, Grand Rapids, MI 49546
MD RSCB1G
p 616.653.8429
f 616.653.8497

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Lizette Koehler
Sent: Wednesday, May 20, 2009 3:21 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: EKM and Public Keys

According to metadata it says

keyalias1=rsaceru
keyalias2=EMKLOWES

Does this mean it is okay? That my partner will be able to decrypt the tape?

Lizette