Managing Cryptographic Keys Using the Key Generator Utility Program

The key generator utility program (KGUP) generates and maintains keys in the cryptographic key data set (CKDS). The CKDS stores DATA keys, MAC keys, PIN keys, transport keys and other AES and DES keys.
Note: There are restrictions on some key types depending on the cryptographic coprocessors available on your systems. These restrictions are listed in the section describing the TYPE keyword.
There are three formats of the CKDS, and KGUP supports all of them.

To run KGUP, ICSF must be active, the user must have access to KGUP, and the CKDS must be initialized. On systems with cryptographic coprocessors, master keys must be loaded on the cryptographic coprocessors. On systems without coprocessors, for release HCR77A0 and later, random numbers can be generated to create clear DES and AES keys.

Use the CSFKGUP profile in the CSFSERV class to permit or deny users access to the utility.

You use KGUP to perform these tasks: When KGUP generates or receives a key value, the program either adds a new entry or updates an existing entry in the CKDS. For information about how KGUP generates and receives keys to establish key exchange with other systems, see Using KGUP for key exchange.

Each key that KGUP generates (except clear DES and AES data-encrypting keys) exists in the CKDS enciphered under your system's master key.

You use control statements to specify the functions for KGUP to perform. The control statement specifies the task you want KGUP to perform and information about the CKDS entry that is affected. For example, to have KGUP generate an importer key-encrypting key, you use a control statement like:
ADD  LABEL(KEY1)  TYPE(IMPORTER)

When KGUP processes the control statement, the program generates a key value and encrypts the value under a master key variant for an importer key-encrypting key. KGUP places the key in a CKDS entry labelled KEY1. The key type field of the entry specifies IMPORTER. For a description of the fields in a CKDS entry, see Specifying KGUP data sets.

You store the control statements in a data set. You must also specify other data sets that KGUP uses when the program processes control statements. You submit a batch job stream to run KGUP. In the job control statements, you specify the names of the data sets that KGUP uses.

KGUP changes a disk copy of the CKDS according to the functions you specify with the control statements. When KGUP changes the disk copy of the CKDS, you may replace the in-storage copy of the CKDS with the disk copy using the ICSF panels. This operation should be performed on all systems sharing the updated CKDS.
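The control statement and batch job stream described above, put together as one added example; it is not taken from the ICSF documentation or from any installation. The data set names under HLQ are placeholders, the label AESDATA1 is constructed, and the program name CSFKGUP, the DD names CSFCKDS, CSFIN, CSFDIAG, CSFKEYS and CSFSTMNT, and the ALGORITHM and LENGTH keywords are assumed from the ICSF Administrator's Guide rather than from this page, so check them against the KGUP reference for your release.

```jcl
//* Added example: batch job that runs KGUP against the disk copy of the CKDS.
//* Data set names (HLQ.*) are placeholders; DD names and CSFKGUP are assumed
//* from the ICSF Administrator's Guide, not from this page.
//KGUPJOB  JOB (ACCT),'KGUP ADD KEYS',CLASS=A,MSGCLASS=X
//KGUP     EXEC PGM=CSFKGUP
//* Disk copy of the CKDS that KGUP updates; the in-storage copy is untouched
//* until it is refreshed from the ICSF panels on every sharing system.
//CSFCKDS  DD DSN=HLQ.CSF.CKDS,DISP=OLD
//* Control statements read by KGUP, supplied here as in-stream data
//* (an assumption; a fixed 80-byte sequential data set or member also works).
//CSFIN    DD *
ADD  LABEL(KEY1)  TYPE(IMPORTER)
ADD  LABEL(AESDATA1)  TYPE(DATA)  ALGORITHM(AES)  LENGTH(32)
/*
//* Diagnostic messages, exported key output and the control statements
//* for the partner system (DD names assumed).
//CSFDIAG  DD DSN=HLQ.KGUP.DIAG,DISP=OLD
//CSFKEYS  DD DSN=HLQ.KGUP.KEYS,DISP=OLD
//CSFSTMNT DD DSN=HLQ.KGUP.STMNT,DISP=OLD
```

The first ADD statement is the page's own example: KGUP generates a key value, enciphers it under the master key variant for importer key-encrypting keys, and stores it in the entry labelled KEY1 with key type IMPORTER. The second ADD requests a 256-bit AES DATA key (LENGTH is assumed to be in bytes) and only succeeds where the coprocessors on the system support that key type. Because the job changes only the disk copy, the in-storage CKDS on each system that shares it still holds the old contents until it is refreshed, and the job itself runs only for users permitted through the CSFKGUP profile in the CSFSERV class.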

To use KGUP, you must perform these tasks:

You may also want to refresh the CKDS with the disk copy of the CKDS that KGUP updated. You can use the KGUP panels to help you perform these tasks. However, you can also use KGUP without accessing the panels. This topic first describes each of the tasks to run KGUP, and then describes how to use the panels to perform the tasks.