Scenario of an ICSF System and 4758 PCI Cryptographic Coprocessor Establishing Initial Transport Keys

z/OS Cryptographic Services ICSF Administrator's Guide, SA22-7521-17
This scenario describes how an ICSF system and a 4758 PCI Cryptographic Coprocessor establish initial transport keys between themselves. They establish two pairs of complementary importer and exporter keys, one pair for each direction of transfer, so that each location ends up holding one exporter key and one importer key, as shown in Figure 168. The systems can then use these importer and exporter keys during key exchange.

First, the ICSF System A administrator and the TSS System B administrator establish the complementary transport keys used to send keys from ICSF System A to TSS System B. These keys are the Exporter ATOB key at System A and the Importer ATOB key at System B. The ICSF administrator at System A submits this control statement to System A's KGUP to create the Exporter ATOB key.

KGUP processes this control statement to generate the Exporter ATOB key and places the key in System A's CKDS. KGUP also creates a record containing the clear key value and writes that record to the CSFKEYS data set. ICSF System A then sends this clear key to TSS System B. Because the key value is in the clear, System A has a courier deliver the key rather than sending it over the network.

The TSS administrator at System B uses the Secure_Key_Import verb to import the ATOB importer key, because the key value is in the clear, and can then use the Key_Record_Create and Key_Record_Write verbs to place the key in TSS key storage. The ATOB exporter key at ICSF System A and the ATOB importer key at TSS System B are complementary keys: they share one key value, but System A can use its copy only to encipher keys it sends, and System B can use its copy only to decipher keys it receives. This procedure creates a pair of complementary transport keys for keys sent from ICSF System A to TSS System B. When ICSF System A sends a key to TSS System B, it enciphers the key using the ATOB exporter key; when TSS System B receives the key, it deciphers the key using the ATOB importer key.

Next, the administrators at the two facilities establish the complementary transport keys used to send keys from TSS System B to ICSF System A. These keys are the Importer BTOA key at ICSF System A and the Exporter BTOA key at TSS System B. The ICSF administrator at System A submits this control statement to System A's KGUP to generate the Importer BTOA key.

KGUP processes this control statement to generate the Importer BTOA key and places the key in System A's CKDS. This time the ICSF System A administrator can send the key to TSS System B over the network, because the key value KGUP produces for System B is not in the clear: it is enciphered under the ATOB transport key established in the first step. The TSS administrator at System B uses the Key_Import, Key_Record_Create, and Key_Record_Write verbs to import the key and place it in TSS key storage. The Importer BTOA key at System A and the Exporter BTOA key at System B are complementary keys. This procedure creates a pair of complementary transport keys for keys sent from TSS System B to ICSF System A. When TSS System B sends a key to ICSF System A, it enciphers the key using the Exporter BTOA key; when ICSF System A receives the key, it deciphers the key using the Importer BTOA key.

Using these procedures, two pairs of complementary transport keys are established between the two locations, one pair for each direction, which allows key exchange between the two systems.

Notes:
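The two-step bootstrap above, written out as an added Python model. This is illustration code for this page, not ICSF, KGUP, CCA or any other IBM code. It keeps the page's names (System A and B, ATOB, BTOA, CKDS, CSFKEYS, Secure_Key_Import, Key_Import, Key_Record_Create and Key_Record_Write) but everything else is assumed: the KeyToken layout, the establish_transport_keys, round_trip and other helpers, and the export_key/import_key construction, which stands in for CCA's TDES key wrapping and control vectors with an HMAC-SHA256 keystream so that the script runs with the standard library only. The KGUP control statements the page refers to are not reproduced.

```python
"""Model of the ICSF/TSS transport-key bootstrap. Added example, not IBM code.

Assumed here: KeyToken, the helper names, and the HMAC-based wrap that stands in
for CCA key wrapping. The ICSF verb and key names are the page's own.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

KEY_LEN = 16                       # a double-length DES key-encrypting key, as transport keys are
EXPORTER, IMPORTER = "EXPORTER", "IMPORTER"


@dataclass(frozen=True)
class KeyToken:
    label: str
    key_type: str                  # EXPORTER / IMPORTER / working-key type; models the CCA key type
    value: bytes                   # clear key value (inside the HSM or CKDS on a real system)


def _keystream(kek: bytes, wrapped_type: str, n: int) -> bytes:
    """Stand-in for CCA key wrapping. Mixing in the type the wrapped key will have
    on the receiving side models the control-vector binding: a token cannot be
    imported as a different key type than it was exported as."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(kek, wrapped_type.encode() + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def export_key(kek: KeyToken, key_value: bytes, as_type: str) -> bytes:
    """Encipher a key for transmission. Only an EXPORTER KEK may do this."""
    if kek.key_type != EXPORTER:
        raise PermissionError(f"{kek.label} is an {kek.key_type}, not an EXPORTER")
    return bytes(a ^ b for a, b in zip(key_value, _keystream(kek.value, as_type, len(key_value))))


def import_key(kek: KeyToken, wrapped: bytes, label: str, key_type: str) -> KeyToken:
    """Decipher a received key (the Key_Import step). Only an IMPORTER KEK may do this."""
    if kek.key_type != IMPORTER:
        raise PermissionError(f"{kek.label} is an {kek.key_type}, not an IMPORTER")
    return KeyToken(label, key_type, bytes(a ^ b for a, b in zip(wrapped, _keystream(kek.value, key_type, len(wrapped)))))


def establish_transport_keys(rng=os.urandom):
    """Run both steps of the scenario. Returns (CKDS of A, TSS key storage of B,
    transcript of what crossed each channel)."""
    ckds_a, storage_b, transcript = {}, {}, {}
    # Step 1, System A: KGUP generates the Exporter ATOB key into the CKDS; its
    # clear value goes to CSFKEYS and is hand-carried to B, never sent over the network.
    atob_clear = rng(KEY_LEN)
    ckds_a["ATOB"] = KeyToken("ATOB", EXPORTER, atob_clear)
    transcript["courier"] = atob_clear
    # Step 1, System B: Secure_Key_Import of the clear value as an IMPORTER, then
    # Key_Record_Create / Key_Record_Write into TSS key storage.
    storage_b["ATOB"] = KeyToken("ATOB", IMPORTER, transcript["courier"])
    # Step 2, System A: KGUP generates the Importer BTOA key into the CKDS and its
    # complement, the Exporter BTOA key, enciphered under ATOB so it may use the network.
    btoa_clear = rng(KEY_LEN)
    ckds_a["BTOA"] = KeyToken("BTOA", IMPORTER, btoa_clear)
    transcript["network"] = export_key(ckds_a["ATOB"], btoa_clear, as_type=EXPORTER)
    # Step 2, System B: Key_Import under the ATOB importer recovers the Exporter BTOA key.
    storage_b["BTOA"] = import_key(storage_b["ATOB"], transcript["network"], "BTOA", EXPORTER)
    return ckds_a, storage_b, transcript


def round_trip(ckds_a, storage_b, rng=os.urandom) -> bool:
    """Use the pairs: A sends a working key to B under ATOB, B sends one to A under BTOA."""
    k_ab, k_ba = rng(KEY_LEN), rng(KEY_LEN)
    got_ab = import_key(storage_b["ATOB"], export_key(ckds_a["ATOB"], k_ab, "DATA"), "W1", "DATA")
    got_ba = import_key(ckds_a["BTOA"], export_key(storage_b["BTOA"], k_ba, "DATA"), "W2", "DATA")
    return got_ab.value == k_ab and got_ba.value == k_ba


def wrong_direction_rejected(ckds_a) -> bool:
    """A's Importer BTOA key cannot send keys out; its Exporter ATOB key cannot receive them."""
    for fn, kek in ((export_key, ckds_a["BTOA"]), (import_key, ckds_a["ATOB"])):
        try:
            fn(kek, b"\0" * KEY_LEN, "DATA") if fn is export_key else fn(kek, b"\0" * KEY_LEN, "X", "DATA")
            return False
        except PermissionError:
            continue
    return True


def courier_key_leak_exposes_btoa(ckds_a, transcript) -> bool:
    """Whoever obtains the courier-delivered clear ATOB value can unwrap the network payload."""
    leaked = KeyToken("ATOB", IMPORTER, transcript["courier"])
    return import_key(leaked, transcript["network"], "BTOA", EXPORTER).value == ckds_a["BTOA"].value


if __name__ == "__main__":
    a, b, t = establish_transport_keys()
    print("round trip ok:", round_trip(a, b), "| misuse rejected:", wrong_direction_rejected(a))
```

The model makes the dependency between the two steps visible: the second pair rides over the network only because the first pair already exists, so the courier-delivered clear ATOB value is the trust root for both directions, and anyone who obtains it can recover the BTOA key from the network traffic as well as every key later sent from A to B. Protect the CSFKEYS output and the courier path accordingly, and treat both pairs as compromised if the clear value is ever exposed.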
Copyright IBM Corporation 1990, 2014