Steps for setting up ICSF

Perform these tasks to use the ENCIPHER and DECIPHER parameters with ICSF:

  1. Define the key value that is used to encrypt and decrypt the data key. To define the key value, use one of these ICSF key administrative options:
    • Trusted Key Entry (TKE) workstation. For information about how to define the key value by using the TKE workstation, see z/OS Cryptographic Services ICSF TKE Workstation User's Guide.
    • Key generator utility program (KGUP). Use the KGUP panel ICSF - Create ADD, UPDATE, or DELETE Key Statement to define the key value. For more information about how to use KGUP panels, see z/OS Cryptographic Services ICSF Administrator's Guide.
      Be aware of the following restrictions:
      • The length of the data encryption key is limited to 8 bytes, or 56-bit DES. Triple DES support is not available.
      • Key labels are limited to 8 characters because of the fixed size of REPRO storage areas.
      • The REPRO command's encryption algorithm variables are not documented, so you cannot use them to write decryption applications on another system. Therefore, cross-platform exchange is not possible.
  2. Refresh ICSF's cryptographic key data set (CKDS) so that the key value can be used by REPRO.
  3. Ensure that ICSF can support PCF macro calls by specifying COMPAT(YES) in the ICSF installation options. For more information about how to specify ICSF installation options, see Installation, initialization, and customization.

    If you had to change the ICSF installation options, you must restart ICSF.

  4. Run the REPRO ENCIPHER or DECIPHER job.

Recommendation: Do not specify the REPRO parameter PRIVATEKEY because it exposes the clear data key value. Instead, specify either EXTERNALKEY or INTERNALKEY, and STOREDATAKEY.
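A sketch of step 4 that follows the recommendation above: the data key is managed under a CKDS key label and stored with the enciphered data, so no clear key value appears in the job. This is an added example, not taken from the IBM documentation. The job card, data set names and the key label REPROKEY are placeholders, and it assumes that steps 1 to 3 are complete, that both output data sets are already allocated, and that the same label is valid on the system that runs the DECIPHER step.

```jcl
//REPROENC JOB (ACCT),'REPRO ENCIPHER',CLASS=A,MSGCLASS=X
//* Added example. Job card, data set names and key label are
//* placeholders. Assumes REPROKEY is defined in the CKDS, the
//* CKDS has been refreshed, and ICSF runs with COMPAT(YES).
//*
//* ENCRYPT: INTERNALKEYNAME is the full IDCAMS keyword (the text
//* above calls it INTERNALKEY). The label is 8 characters, the
//* maximum REPRO accepts. STOREDATAKEY keeps the enciphered data
//* key with the output. PRIVATEKEY is deliberately not used.
//ENCRYPT  EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//CLEAR    DD DSN=EXAMPLE.PAYROLL.CLEAR,DISP=SHR
//CRYPT    DD DSN=EXAMPLE.PAYROLL.CRYPT,DISP=OLD
//SYSIN    DD *
  REPRO INFILE(CLEAR) -
        OUTFILE(CRYPT) -
        ENCIPHER( -
          INTERNALKEYNAME(REPROKEY) -
          STOREDATAKEY)
/*
//*
//* DECRYPT: runs only if ENCRYPT ended with return code 0.
//* SYSTEMKEY tells REPRO that the data key is system-managed, so
//* no DATAKEYVALUE (clear key) is supplied here either.
//DECRYPT  EXEC PGM=IDCAMS,COND=(0,NE,ENCRYPT)
//SYSPRINT DD SYSOUT=*
//CRYPT    DD DSN=EXAMPLE.PAYROLL.CRYPT,DISP=SHR
//RESTORED DD DSN=EXAMPLE.PAYROLL.RESTORED,DISP=OLD
//SYSIN    DD *
  REPRO INFILE(CRYPT) -
        OUTFILE(RESTORED) -
        DECIPHER( -
          SYSTEMKEY -
          SYSTEMKEYNAME(REPROKEY))
/*
```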