Re: ICSF Question

2017-02-20 Thread Todd Arnold
You might want to look at the IBM Crypto Analytics Tool (CAT), offered by the 
excellent IBM crypto team in Denmark.  It is intended to analyze your crypto 
system and provide a variety of reports on many things you might need for 
system management, compliance, etc. (including things having to do with your 
keys).  There is a brief summary at this page, but it's quite old and I'm sure 
there is more current information somewhere:  
http://www-05.ibm.com/dk/security//products/ekmp-cat.html

Here is some summary information from that web page:

"The IBM Crypto Analytics Tool (CAT) is part of the IBM Enterprise Key 
Management Foundation (EKMF) and has been developed to help provide up-to-date 
monitoring of crypto related information on the z Systems in the enterprise. 
CAT is designed to combine and present crypto information in a way that helps 
ensure compliance and policy enforcement. The CAT Agent collects cryptographic 
information across the enterprise that is then made available to the CAT 
Monitor running on your desktop. The CAT Monitor provides overviews, queries 
and reports to better manage the cryptographic setup.

...

CAT is designed to provide fast, reliable crypto information to help people in 
different roles of the organization make qualified decisions about crypto 
systems. CAT collects cryptographic information from across the enterprise and 
ensures that each crypto system is following best practices by providing:
  - A comprehensive overview of the cryptographic security of the system.
  - Up-to-date monitoring of crypto keys and functions.
  - Key data for better policy and compliance enforcement.
  - Awareness if key material used in testing has leaked into production environments.
  - A comparison of the current crypto state with a previous 'snapshot' for error and problem determination or change control validation."

Questions about CAT can be addressed to the Denmark team at c...@dk.ibm.com.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: ICSF Question

2017-02-19 Thread Greg Boyd
If you just want a list of the key labels, then a 'PRINT INDA('ckds name') 
COUNT()' will probably work, if you have read access to the keystore.  (Be 
careful and see below.)  If you want something to format the flags and fields 
in the record then you can do that either processing the data thru the ICSF 
APIs or directly reading the VSAM file.  I've got REXX EXECs but they are not 
very comprehensive.  I use the RXVSAM package from the CBTape to read the VSAM 
record and then display specific fields.  

The problem is that in most shops, the CKDS contains clear keys, and anyone 
that has authority to read the keystore can also see the actual key value of 
those clear keys.  (The secure keys are encrypted under the master key, so that 
key material is protected.)  I recommend that only the ICSF address space 
should have authority to the keystore.

In addition, if you use the APIs, then the application must run APF authorized 
to process a clear key.

The last several releases of ICSF have introduced a number of enhancements 
related to key management, so I suspect that somebody, somewhere is working on 
a key management tool (or set of tools) that will provide details about 
existing key records.  Since key management is the hard part of crypto, such a 
tool is sorely needed.

Greg
gregboyd@mainframecrypto.com
www.mainframecrypto.com



Re: ICSF Question

2017-02-16 Thread Mark Jacobs - Listserv
The key labels are readable, so you know what keys are there. The field 
that describes what the key is used for, DATA, EXPORTER,... is also 
readable. What information are you looking to ascertain?


Mark Jacobs


Steely.Mark 
February 16, 2017 at 6:20 PM
Is there anything out there that will generate a report of what is in 
the variable length CKDS ?


I am able to browse the file but some type of report would be nice.

Thanks



Re: ICSF Question

2017-02-16 Thread zMan
"What is in the CKDS" -- keys? How would this report know?

On Thu, Feb 16, 2017 at 6:20 PM, Steely.Mark 
wrote:

> Is there anything out there that will generate a report of what is in the
> variable length CKDS ?
>
> I am able to browse the file but some type of report would be nice.
>
> Thanks



-- 
zMan -- "I've got a mainframe and I'm not afraid to use it"



ICSF Question

2017-02-16 Thread Steely.Mark
Is there anything out there that will generate a report of what is in the 
variable length CKDS ? 

I am able to browse the file but some type of report would be nice. 

Thanks
