This scenario describes how an ICSF system and a PCF system establish initial transport keys between themselves. They establish two pairs of complementary importer and exporter keys at each location, as shown in Figure 1.
The systems can use these importer and exporter keys during key exchange.
First the ICSF administrators at the two locations establish the complementary transport keys to send keys from ICSF System A to PCF System B. These keys are the Exporter ATOB key at ICSF System A and the Remote ATOB key at PCF System B.
ADD LABEL(ATOB) TYPE(EXPORTER) CLEAR NOCV
ADD LABEL(ATOB) TYPE(IMPORTER) CLEAR,
KEY(B2403EF8125A036F,239AC35A72941EF2) NOCV
ICSF System A needs to send this control statement to PCF System B so that PCF System B can create the Remote ATOB key. The key value in this control statement is the clear value of the ATOB exporter key. ICSF System A does not send this control statement to PCF System B over the network, because the key value is a clear key value. ICSF System A has a courier deliver the control statement to System B.
The administrator at either system must change the ICSF control statement format into the PCF control statement format. The administrator could also use information from the key output data set to create the PCF control statement.
REMOTE ATOB,KEY=B2403EF8125A036F,IKEY=239AC35A72941EF2,ADD
The administrator at PCF System B submits the control statement to the PCF key generation utility program, which processes the control statement to create the ATOB Remote key. The ATOB Exporter key at System A and the ATOB Remote key at PCF System B are complementary keys.
This procedure creates a pair of complementary transport keys for keys sent from ICSF System A to PCF System B. When ICSF System A sends a key to PCF System B, System A enciphers the key using the ATOB exporter key. When PCF System B receives the key, PCF System B deciphers the key using the Remote ATOB key.
Then the ICSF administrators at the two locations establish the complementary transport keys to send keys from PCF System B to ICSF System A. These keys are the Importer BTOA key at ICSF System A and the Local BTOA key at PCF System B.
ADD LABEL(BTOA) TYPE(IMPORTER) CLEAR NOCV
ADD LABEL(BTOA) TYPE(EXPORTER) CLEAR,
KEY(6F3463CA3FBC0626,536B1864954A0B1F) NOCV
System A can send this control statement to System B, which can then use it to create the Local BTOA key. The key value in this control statement is the clear value of the BTOA importer key. ICSF System A does not send this control statement to PCF System B over the network, because the key value is a clear key value. ICSF System A has a courier deliver the control statement to PCF System B.
The administrator at either system must change the ICSF control statement format into the PCF control statement format. The administrator can also use information from the key output data set to create the PCF control statement.
LOCAL BTOA,KEY=6F3463CA3FBC0626,IKEY=536B1864954A0B1F,ADD
The administrator at PCF System B submits the control statement to the PCF key generation utility program, which processes the control statement to generate the Local BTOA key. The Importer BTOA key at ICSF System A and the Local BTOA key at PCF System B are complementary keys.
CROSS BTOA,KEYLOC=6F3463CA3FBC0626,IKEYLOC=536B1864954A0B1F,
KEYREM=B2403EF8125A036F,IKEYREM=239AC35A72941EF2,ADD
This procedure creates a pair of complementary transport keys for keys sent from PCF System B to ICSF System A. When PCF System B sends a key to ICSF System A, System B enciphers the key, using the Local BTOA key. When ICSF System A receives the key, ICSF System A deciphers the key, using the Importer BTOA key.
By these procedures, two pairs of complementary transport keys are established at each location so that the two systems can exchange keys.