z/OS Cryptographic Services ICSF Administrator's Guide


Managing Cryptographic Keys Using the Key Generator Utility Program

SA22-7521-17

The key generator utility program (KGUP) generates and maintains keys in the cryptographic key data set (CKDS). The CKDS stores DATA keys, MAC keys, PIN keys, and transport keys. If you are running a z890, z990, z9 EC, z9 BC, z10 EC, z10 BC, or z196, KGUP supports double-length MAC and MACVER keys. Although ANSI transport keys are stored in the CKDS, KGUP does not support the generation or import of ANSI transport keys. KGUP does not support keys with non-standard control vectors (CVs).

Starting with release HCR7780, there are two formats of the CKDS: a fixed-length record (supported by all releases of ICSF) and a new, variable-length record (supported by HCR7780 and later releases). Both formats are supported by KGUP.

Restriction: KGUP does not support DATAXLAT keys on a z990, z890, z9 EC, z9 BC, z10 EC, z10 BC, or z196.

To run KGUP, ICSF must be active, master keys must be loaded on the cryptographic coprocessors, the user must have access, and the CKDS must be initialized.

Use the CSFKGUP profile in the CSFSERV class to permit or deny users access to the utility.

You use KGUP to perform these tasks:

  • Generate or enter keys
  • Maintain CKDS entries by deleting or renaming the entries
  • Load operational keys that were entered from a TKE workstation into the CKDS

When KGUP generates or receives a key value, the program either adds a new entry or updates an existing entry in the CKDS. For information about how KGUP generates and receives keys to establish key exchange with other systems, see Using KGUP for key exchange.

Each key that KGUP generates (except clear key value data-encrypting keys and clear AES keys) exists in the CKDS enciphered under your system's master key. When the master key enciphers a key, the cryptographic facility exclusive ORs the master key with a pattern of characters called a control vector. A master key exclusive ORed with a control vector is called a master key variant.

A unique control vector exists for each type of key the master key enciphers. The cryptographic facility exclusive ORs the master key with the control vector associated with the type of key the master key will encipher. The control vector ensures that a key is only used in the cryptographic functions for which the key is intended. For example, the control vector for an input PIN encryption key ensures that such a key can be used only in PIN translate and PIN verification functions.

When you direct KGUP to generate an input PIN-encrypting key, the cryptographic facility creates a master key variant for that key type. The master key variant is the product of exclusive ORing the master key with the control vector associated with an input PIN-encrypting key. This master key variant enciphers the input PIN-encrypting key, so the input PIN-encrypting key is in operational form. KGUP then places the input PIN-encrypting key in a CKDS entry.

You use control statements to specify the functions for KGUP to perform. The control statement specifies the task you want KGUP to perform and information about the CKDS entry that is affected. For example, to have KGUP generate an importer key-encrypting key, you use a control statement like:

ADD  LABEL(KEY1)  TYPE(IMPORTER)

When KGUP processes the control statement, the program generates a key value and encrypts the value under a master key variant for an importer key-encrypting key. KGUP places the key in a CKDS entry labelled KEY1. The key type field of the entry specifies IMPORTER. For a description of the fields in a CKDS entry, see Specifying KGUP data sets.

You store the control statements in a data set. You must also specify other data sets that KGUP uses when the program processes control statements. You submit a batch job stream to run KGUP. In the job control statements, you specify the names of the data sets that KGUP uses.

KGUP changes a disk copy of the CKDS according to the functions you specify with the control statements. When KGUP changes the disk copy of the CKDS, you may replace the in-storage copy of the CKDS with the disk copy using the ICSF panels. This operation should be performed on all systems sharing the updated CKDS.

To use KGUP, you must perform these tasks:

  • Create control statements
  • Specify data sets
  • Submit a job stream

You may also want to refresh the in-storage CKDS with the disk copy that KGUP updated. You can use the KGUP panels to help you perform these tasks. However, you can also use KGUP without accessing the panels. This topic first describes each of the tasks required to run KGUP, and then describes how to use the panels to perform them.

Copyright IBM Corporation 1990, 2014