Specify the encryption key management primary and secondary host
names and the maximum number of concurrent socket connections that
are allowed for the communication with the encryption key manager.
By default, the primary and the secondary host names for the encryption
key manager are set to NONE. Use the MAXCONN keyword to set the maximum
number of socket connections that are possible with the encryption
key manager. Some of the socket connections can remain open for faster
communication. Use the MAXPCONN keyword to set the number of connections
that remain open for faster communication. By default, the maximum
number of socket connections to the encryption key manager is 255;
eight socket connections are permanently connected. However, if the
sockets for communication are not needed, the sockets are not opened.
In-band tape encryption requires that the IOS address space has
security permission for a z/OS® UNIX System Services segment. The z/OS UNIX System
Services segment is only for TCP/IP connectivity. UID(0) or super
user ability is not required. For example, in RACF®, issue the following command:
ADDUSER IOSAS OMVS(UID(xxxx) HOME('/'))
where xxxx is a unique user ID.
- PRIMARY=host_name[:port|,PRIPORT=port]|ipv4_address[:port|,PRIPORT=port]|ipv6_address[,PRIPORT=port]|NONE
- Specifies
the host name, IPv4 address or IPv6 address and optional port number
of the primary key manager. The primary host is used exclusively
unless a failure occurs and all attempts to retry fail. In subsequent
requests after a failure, the primary host is retried before the use
of the secondary host. When a connection to the primary host is established
again, normal operation continues.
- host_name[:port | ,PRIPORT=port]
- The host name of the encryption key manager.
- port
- The port number of the encryption key manager. The specification
of port is mutually exclusive with the PRIPORT keyword. If port is
not specified and the PRIPORT keyword is not specified, the default
port is 3801.
- PRIPORT=port
- Specifies the port number for the host name or IP address for
the primary key manager. PRIMARY= must be specified for PRIPORT= to
be valid.
Default: 3801 (if not specified on the PRIMARY keyword)
- ipv4_address[:port | ,PRIPORT=port]
- The IP address of the encryption key manager. The IP addresses
must be specified as a dotted decimal quad: ddd.ddd.ddd.ddd.
- port
- The port number of the encryption key manager. The specification
of port is mutually exclusive with the PRIPORT keyword. If port is
not specified and the PRIPORT keyword is not specified, the default
port is 3801.
- PRIPORT=port
- Specifies the port number for the host name or IP address for
the primary key manager. PRIMARY= must be specified for PRIPORT= to
be valid.
Default: 3801 (if not specified on the PRIMARY keyword)
- ipv6_address[,PRIPORT=port]
- The IP address of the encryption key manager in IPv6 format (for
example, ::FFFF:127.0.0.1 or 2001:0db8:85a3:08d3:1319:8a2e:0370:7344).
The optional port number for an IPv6 address must be specified
with the PRIPORT keyword.
- PRIPORT=port
- Specifies the port number for the host name or IP address for
the primary key manager. PRIMARY= must be specified for PRIPORT=
to be valid.
Default: 3801 (if not specified on the PRIMARY keyword)
- NONE
- No encryption key manager is specified.
Default: None.
- SECONDARY=host_name[:port|,SECPORT=port]|ipv4_address[:port|,SECPORT=port]|ipv6_address[,SECPORT=port]|NONE
- Specifies
the host name, IPv4 address, or IPv6 address and optional port number
of the secondary key manager.
- host_name[:port | ,SECPORT=port]
- The host name of the encryption key manager.
- port
- The port number of the encryption key manager. The specification
of port is mutually exclusive with the SECPORT keyword. If port is
not specified and the SECPORT keyword is not specified, the default
port is 3801.
- SECPORT=port
- Specifies the port number for the host name or IP address for
the secondary key manager. SECONDARY= must be specified for SECPORT=
to be valid.
Default: 3801 (if not specified on the SECONDARY keyword)
- ipv4_address[:port | ,SECPORT=port]
- The IP address of the encryption key manager. The IP addresses
must be specified as a dotted decimal quad: ddd.ddd.ddd.ddd.
- port
- The port number of the encryption key manager. The specification
of port is mutually exclusive with the SECPORT keyword. If port is
not specified and the SECPORT keyword is not specified, the default
port is 3801.
- SECPORT=port
- Specifies the port number for the host name or IP address for
the secondary key manager. SECONDARY= must be specified for SECPORT=
to be valid.
Default: 3801 (if not specified on the SECONDARY keyword)
- ipv6_address[,SECPORT=port]
- The IP address of the encryption key manager in IPv6 format (for
example, ::FFFF:127.0.0.1 or 2001:0db8:85a3:08d3:1319:8a2e:0370:7344).
The optional port number for an IPv6 address must be specified with
the SECPORT keyword.
- SECPORT=port
- Specifies the port number for the host name or IP address for
the secondary key manager. SECONDARY= must be specified for SECPORT=
to be valid.
Default: 3801 (if not specified on the SECONDARY keyword)
- NONE
- No encryption key manager is specified.
Default: None.
- MAXCONN=ddd
- Specifies
the maximum number of concurrent socket connections for Encryption
Key Management. If high network stress occurs because of the high
socket utilization for Encryption Key Management, this number can
be lowered.
Value range: 1 to 255
Default: 255
- MAXPCONN=ddd
- Specifies
the maximum number of concurrent socket connections for Encryption
Key Management that remain open to prevent the overhead of opening
and closing socket communication. This MAXPCONN keyword specifies
the number of total connections reserved to be permanent connections.
Value range: 0 to the number specified in MAXCONN
Default: 8
The following examples show the syntax. To prevent contention while updating
the EKM parameter, specify all operands on the same EKM statement.
EKM PRIMARY=key.manager.com:3801,SECONDARY=key.manager.com
EKM PRIMARY=127.0.0.1:3801,SECONDARY=127.0.0.1
EKM PRIMARY=127.0.0.1,PRIPORT=3801,
SECONDARY=127.0.0.1,SECPORT=3801
EKM PRIMARY=::1
EKM PRIMARY=::FFFF:127.0.0.1,PRIPORT=3801
EKM PRIMARY=2001:0db8:85a3:08d3:1319:8a2e:0370:7344,
PRIPORT=3801
EKM PRIMARY=NONE,SECONDARY=NONE
EKM MAXCONN=255,MAXPCONN=8
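The operand rules above (inline :port versus PRIPORT/SECPORT being mutually exclusive, IPv6 addresses taking their port only through PRIPORT/SECPORT, the 3801 default, PRIPORT/SECPORT requiring PRIMARY/SECONDARY, and MAXPCONN bounded by MAXCONN) are easy to get wrong in a hand-edited PARMLIB member. The following checker is an added example, not IBM code; it parses an EKM statement, including continuation lines, into the resolved settings and rejects the combinations the text forbids. The host name character set and the rejection of unknown operands are assumptions of this example.

```python
import ipaddress
import re

DEFAULT_PORT = 3801          # used when neither :port nor PRIPORT/SECPORT is given
_KEYWORDS = {"PRIMARY", "SECONDARY", "PRIPORT", "SECPORT", "MAXCONN", "MAXPCONN"}
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")   # assumed host-name character set


def _endpoint(value, port_kw, operands):
    """Resolve a PRIMARY=/SECONDARY= value with its PRIPORT=/SECPORT= companion."""
    if value.upper() == "NONE":
        return None
    host, inline_port = value, None
    try:
        ipaddress.ip_address(value)            # bare IPv4 or IPv6 address, no inline port
    except ValueError:
        if value.count(":") == 1:              # host_name:port or ipv4_address:port
            host, inline_port = value.split(":")
        elif ":" in value:                     # IPv6 cannot carry :port (ambiguous), use port_kw
            raise ValueError(f"{value!r}: not a valid IPv6 address; use {port_kw}= for the port")
        if not _HOST_RE.match(host):
            raise ValueError(f"invalid host name or address {host!r}")
    if inline_port is not None and port_kw in operands:
        raise ValueError(f":port and {port_kw}= are mutually exclusive")
    return host, int(inline_port or operands.get(port_kw, DEFAULT_PORT))


def parse_ekm(statement):
    """Parse one EKM statement (continuation lines allowed) into resolved settings."""
    text = "".join(line.strip() for line in statement.strip().splitlines())
    if not text.upper().startswith("EKM "):
        raise ValueError("not an EKM statement")
    operands = {}
    for item in filter(None, text[4:].replace(" ", "").split(",")):
        key, sep, val = item.partition("=")
        if not sep or key.upper() not in _KEYWORDS:
            raise ValueError(f"unknown operand {item!r}")
        operands[key.upper()] = val
    for port_kw, host_kw in (("PRIPORT", "PRIMARY"), ("SECPORT", "SECONDARY")):
        if port_kw in operands and host_kw not in operands:
            raise ValueError(f"{port_kw}= is only valid together with {host_kw}=")
    maxconn = int(operands.get("MAXCONN", 255))
    if not 1 <= maxconn <= 255:
        raise ValueError("MAXCONN must be in the range 1 to 255")
    maxpconn = int(operands.get("MAXPCONN", 8))
    if not 0 <= maxpconn <= maxconn:           # permanent connections are a subset of MAXCONN
        raise ValueError("MAXPCONN must be in the range 0 to MAXCONN")
    return {"primary": _endpoint(operands.get("PRIMARY", "NONE"), "PRIPORT", operands),
            "secondary": _endpoint(operands.get("SECONDARY", "NONE"), "SECPORT", operands),
            "maxconn": maxconn, "maxpconn": maxpconn}
```

Run it over each candidate statement before placing the member in PARMLIB; every example in the list above parses, and a statement such as PRIMARY=127.0.0.1:3801,PRIPORT=3801 is rejected.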