During key generator utility program (KGUP) processing, you store the information you supply and receive in these data sets:
You specify the names of the data sets in the job control language to submit the job.
These topics describe the data sets that KGUP accesses or generates in detail.
The first record in the CKDS is a header record. The header record is the same for both types of CKDS.
When you initialize the CKDS and master key or change the master key, ICSF calculates an authentication pattern and places it into this field. ICSF calculates the authentication pattern by using the current master key and the authentication pattern algorithm.
When you initialize the CKDS and AES master key or change the AES master key, ICSF calculates a verification pattern and places it into this field. ICSF calculates the verification pattern by using the current master key and the verification algorithm.
The variable-length record format of the CKDS doesn't generate the authentication code for the header record.
In the KGUP job stream, the CKDS is defined by the CSFCKDS data definition statement.
This data set is a physical sequential data set with a fixed logical record length (LRECL) of 80 bytes.
In the KGUP job stream, the control statement input data set is defined by the CSFIN data definition statement.
    KEY GENERATION DIAGNOSTIC REPORT DATE:1997/9/14 (YYYY/MM/DD) TIME:12:10:15 PAGE 1
    /* THIS IS A KEY USED TO EXPORT KEYS FROM A TO B */
    ADD TYPE(EXPORTER) TRANSKEY(TK1),
    LABEL(ATOB)
    > > > CSFG0321 STATEMENT SUCCESSFULLY PROCESSED.
    /* THIS IS A KEY USED TO IMPORT KEYS FROM B TO A */
    ADD TYPE(IMPORTER) TRANSKEY(TK1),
    LABEL(BTOA)
    > > > CSFG0321 STATEMENT SUCCESSFULLY PROCESSED.
    > > > CSFG0780 A REFRESH OF THE IN-STORAGE CKDS IS NECESSARY TO ACTIVATE CHANGES MADE BY KGUP.
    > > > CSFG0002 CRYPTOGRAPHIC KEY GENERATION - END OF JOB. RETURN CODE = 0.
In the KGUP job stream, the diagnostics data set is defined by the CSFDIAG data definition statement.
This data set is a physical sequential data set with a fixed logical record length (LRECL). The minimum LRECL is 208 bytes, which accommodates 64-byte DES key tokens. If you are exporting AES keys that use the variable-length key token, the LRECL should be at least 500. The maximum supported LRECL is 1044.
To establish key exchange with a system that does not use KGUP control statements, you can send that system information from this data set. The receiving system can then use this information to create the complement of the key you created. You can print or process this data set when KGUP ends.
KGUP lists a record for the key only if the TRANSKEY or CLEAR keyword was in the control statement. If the TRANSKEY keyword was specified, in the output key data set KGUP lists, for the key type, the complement of the control statement key type. KGUP lists, for the key value, the key encrypted under the transport key as specified by the TRANSKEY keyword.
The encrypted key is in the form of an external key token. An external key token contains the encrypted key value and control information about the key. For example, the token contains the control vector for the key type or the associated data.
If the CLEAR keyword was specified, in the output key data set KGUP lists, for the key type, the complement of the control statement key type. KGUP lists, for the key value, the clear key value of the key. With this information another system could generate keys that are complements of the keys your system generated. This would permit your system and the other system to exchange keys.
When KGUP generates two complementary keys, each encrypted by a different transport key, KGUP lists a record for each key. The first record contains a key that is encrypted under the first transport key variant and the type that is specified on the control statement. The second record contains a key that is encrypted under the second transport key variant and a type that is the complement of the first key.
In the KGUP job stream, the output key data set is defined by the CSFKEYS data definition statement.
You can edit the output control statements and distribute them to the appropriate sites for input to KGUP at those locations.
The data set is a physical sequential data set with a fixed logical record length (LRECL) of 80 bytes.
One output control statement appears when you have KGUP generate a key value and create an operational and exportable key pair using a transport key.
Two output control statements appear when you have KGUP generate two exportable keys by using two different transport keys. These statements generate complementary key types. You can send each statement to a different site to establish communication between the two sites.
In the KGUP job stream, the output control statement data set is defined by the CSFSTMNT data definition statement. The data set will contain information only when the input control statement contains the TRANSKEY keyword. The TRANSKEY keyword indicates that you will be transporting the key to another system.
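The rules above for what lands in the output key data set (CSFKEYS) and the output control statement data set (CSFSTMNT) can be checked before a job is submitted. The following Python sketch is an added example, not IBM code: it reads control statements in the style of the report sample and predicts the output for each one, flagging statements that would write a clear key value. It assumes that a trailing comma continues a statement and that TRANSKEY(A,B) names two transport keys; the sample input, including the CLEARX and LOCALONLY labels, is constructed.

```python
import re

# Constructed CSFIN input modelled on the report sample on this page.
SAMPLE_CSFIN = """\
/* THIS IS A KEY USED TO EXPORT KEYS FROM A TO B */
ADD TYPE(EXPORTER) TRANSKEY(TK1),
    LABEL(ATOB)
ADD TYPE(IMPORTER) TRANSKEY(TK1,TK2),
    LABEL(BTOA)
ADD TYPE(EXPORTER) CLEAR,
    LABEL(CLEARX)
ADD TYPE(DATA) LABEL(LOCALONLY)
"""

def statements(text):
    """Drop /* */ comments and join lines continued by a trailing comma."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    buf = ""
    for line in text.splitlines():
        buf = (buf + " " + line.strip()).strip()
        if buf and not buf.endswith(","):
            yield buf
            buf = ""

def classify(stmt):
    """Predict what one control statement writes to CSFKEYS and CSFSTMNT."""
    _verb, _, rest = stmt.partition(" ")
    # KEYWORD or KEYWORD(value); values in parentheses are captured whole.
    kw = {k.upper(): v for k, v in re.findall(r"(\w+)(?:\(([^)]*)\))?", rest)}
    tks = [t.strip() for t in kw.get("TRANSKEY", "").split(",") if t.strip()]
    clear = "CLEAR" in kw
    return {
        "label": kw.get("LABEL", ""),
        # One record per transport key, or one record for a CLEAR key.
        "csfkeys_records": len(tks) if tks else (1 if clear else 0),
        # CSFSTMNT gets output only when TRANSKEY is present.
        "csfstmnt_statements": len(tks),
        # CLEAR puts the clear key value into CSFKEYS: protect that data set.
        "clear_key_in_csfkeys": clear,
    }

def review(text):
    return [classify(s) for s in statements(text)]

if __name__ == "__main__":
    for row in review(SAMPLE_CSFIN):
        flag = "  <-- clear key value written" if row["clear_key_in_csfkeys"] else ""
        print(f'{row["label"]:<10} CSFKEYS={row["csfkeys_records"]} '
              f'CSFSTMNT={row["csfstmnt_statements"]}{flag}')
```

A statement flagged here is a reason to review the access controls on the data set named by the CSFKEYS data definition statement before the job runs.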
The specific name of these types of data sets must appear in the job stream that runs KGUP.