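/* REXX */
/* Pervasive (Data Set) Encryption: Step 6 of 10                     */
/*-------------------------------------------------------------------*/
/* Generate a secure AES DATA key, store the key in the CKDS and     */
/* display the key label.  Only the label is echoed; the key token   */
/* itself is never written to the terminal.  If the key label        */
/* already exists, report that and stop without touching the record. */
/*-------------------------------------------------------------------*/
/* Instructions:                                                     */
/* - Update aes_key_label with your desired key label name           */
/*                                                                   */
/* Note: An example key label naming scheme is                       */
/* DATASET..ENCRKEY.                                                 */
/*                                                                   */
/* - EXECUTE THIS CLIST FROM TSO                                     */
/* (E.G. EX 'HLQ.MLD.LLQ(GENKEY)')                                   */
/*-------------------------------------------------------------------*/
/* Flow:                                                             */
/*   1. CSNBKRR  - read the label; rc=0 means it exists -> stop      */
/*   2. CSNBKGN  - generate a 256-bit AES DATA key (operational form)*/
/*   3. CSNBKRC2 - create the CKDS record under aes_key_label        */
/*   4. CSNBKRR  - read it back and verify the stored token matches  */
/* Every ICSF failure prints rc/rs in hex and EXITs; nothing is      */
/* retried and no existing record is overwritten.                    */
/*-------------------------------------------------------------------*/
SIGNAL ON NOVALUE;

/* ICSF expects a 64-byte, blank-padded label field */
aes_key_label = ,
  LEFT('keylabel.to.be.created',64);

/*-------------------------------------------------------------------*/
/* Check if the key exists in the CKDS (to prevent overwriting)      */
/*-------------------------------------------------------------------*/
KRR_label = aes_key_label;
KRR_token = COPIES('00'X,64);
CALL CSNBKRR;

/* If key is found, print and exit */
IF (KRR_rc = '00000000'X) THEN DO;
  SAY 'Secure key label: '||STRIP(aes_key_label);
  SAY ' already exists. Stopping.';
  EXIT;
END;

/* Any other rc is treated as "label not present".  Show rc/rs so an */
/* operator can tell a genuine not-found from a CKDS access problem; */
/* a real access problem would most likely fail again at CSNBKRC2.   */
SAY 'KRR rc='C2X(KRR_rc)' rs='C2X(KRR_rs)' - label not present, continuing';

/*-------------------------------------------------------------------*/
/* Generate a 256-bit AES DATA key                                   */
/*-------------------------------------------------------------------*/
KGN_key_form                   = 'OP ';              /* operational (internal) form */
KGN_key_length                 = 'KEYLN32 ';         /* 32 bytes = 256 bits */
KGN_key_type_1                 = 'AESDATA ';
KGN_key_type_2                 = '';                 /* single key: no second type */
KGN_kek_identifier_1           = COPIES('00'X,64);   /* no KEK for internal form */
KGN_kek_identifier_2           = '';
KGN_generated_key_identifier_1 = COPIES('00'X,64);   /* receives the new token */
KGN_generated_key_identifier_2 = '';
CALL CSNBKGN;

/*-------------------------------------------------------------------*/
/* Store the key in the CKDS                                         */
/*-------------------------------------------------------------------*/
KRC2_label        = aes_key_label;
KRC2_token_length = '00000040'X;   /* 64 bytes, matches COPIES('00'X,64) */
KRC2_token        = KGN_generated_key_identifier_1;
CALL CSNBKRC2;

/*-------------------------------------------------------------------*/
/* Read the key back from the CKDS and verify it                     */
/*-------------------------------------------------------------------*/
KRR_label = aes_key_label;
KRR_token = COPIES('00'X,64);
CALL CSNBKRR;

IF (KRR_rc \= '00000000'X) THEN DO;
  SAY 'KRR Failed (rc=' C2X(KRR_rc)' rs='C2X(KRR_rs)')' ;
  SAY 'Secure key label: '||STRIP(aes_key_label);
  SAY ' was not successfully created';
  EXIT;
END;

/* Tokens are binary: use the strict comparison so trailing blanks   */
/* ('20'X) are never ignored the way the loose \= operator would.    */
IF (KRR_token \== KGN_generated_key_identifier_1) THEN DO;
  SAY 'Secure key label: '||STRIP(aes_key_label);
  SAY ' returned from KRR does not match!';
  EXIT;
END;

SAY 'Secure key label: '||STRIP(aes_key_label);
SAY ' was successfully created';
SAY "-----------------------------------------------------------------";
SAY "End of Sample";
SAY "-----------------------------------------------------------------";
EXIT;

/* --------------------------------------------------------------- */
/* CSNBKGN - Key Generate                                          */
/*                                                                 */
/* Generates either one or two DES or AES keys encrypted under a   */
/* master key (internal form) or KEK (external form).              */
/*                                                                 */
/* In : KGN_key_form, KGN_key_length, KGN_key_type_1/_2,           */
/*      KGN_kek_identifier_1/_2 (set by the caller)                */
/* Out: KGN_generated_key_identifier_1/_2, KGN_rc, KGN_rs          */
/* On a non-zero rc the script prints rc/rs in hex and EXITs.      */
/*                                                                 */
/* See the ICSF Application Programmer's Guide for more details.   */
/* --------------------------------------------------------------- */
CSNBKGN:
  KGN_rc = 'FFFFFFFF'X;
  KGN_rs = 'FFFFFFFF'X;
  KGN_exit_data_length = '00000000'X;
  KGN_exit_data = '';
  ADDRESS LINKPGM "CSNBKGN",
    "KGN_rc" "KGN_rs",
    "KGN_exit_data_length" "KGN_exit_data",
    "KGN_key_form" "KGN_key_length",
    "KGN_key_type_1" "KGN_key_type_2",
    "KGN_kek_identifier_1" "KGN_kek_identifier_2",
    "KGN_generated_key_identifier_1" "KGN_generated_key_identifier_2";
  IF (KGN_rc /= '00000000'X) THEN DO;
    SAY 'KGN Failed (rc=' C2X(KGN_rc)' rs='C2X(KGN_rs)')' ;
    EXIT;
  END;
RETURN;

/* --------------------------------------------------------------- */
/* CSNBKRC2 - Key Record Create2                                   */
/*                                                                 */
/* Adds a key token to the CKDS.                                   */
/*                                                                 */
/* In : KRC2_label, KRC2_token_length, KRC2_token (set by caller); */
/*      no rule array is passed (rule_count = 0).                  */
/* Out: KRC2_rc, KRC2_rs                                           */
/* On a non-zero rc the script prints rc/rs in hex and EXITs.      */
/*                                                                 */
/* See the ICSF Application Programmer's Guide for more details.   */
/* --------------------------------------------------------------- */
CSNBKRC2:
  KRC2_rc = 'FFFFFFFF'X;
  KRC2_rs = 'FFFFFFFF'X;
  KRC2_exit_data_length = '00000000'X;
  KRC2_exit_data = '';
  KRC2_rule_count = '00000000'X;
  KRC2_rule_array = '';
  ADDRESS LINKPGM "CSNBKRC2",
    "KRC2_rc" "KRC2_rs",
    "KRC2_exit_data_length" "KRC2_exit_data",
    "KRC2_rule_count" "KRC2_rule_array",
    "KRC2_label" "KRC2_token_length" "KRC2_token";
  IF (KRC2_rc /= '00000000'X) THEN DO;
    SAY 'KRC2 Failed (rc=' C2X(KRC2_rc)' rs='C2X(KRC2_rs)')' ;
    EXIT;
  END;
RETURN;

/* --------------------------------------------------------------- */
/* CSNBKRR - Key Record Read (CKDS)                                */
/*                                                                 */
/* Reads a key token from the CKDS.                                */
/*                                                                 */
/* In : KRR_label (set by the caller)                              */
/* Out: KRR_token (64-byte buffer, zeroed before the call),        */
/*      KRR_rc, KRR_rs                                             */
/* Unlike the other wrappers this one does NOT EXIT on failure:    */
/* the caller inspects KRR_rc, because rc<>0 is the expected       */
/* result of the initial "does the label exist" probe.             */
/*                                                                 */
/* See the ICSF Application Programmer's Guide for more details.   */
/* --------------------------------------------------------------- */
CSNBKRR:
  KRR_rc = 'FFFFFFFF'X;
  KRR_rs = 'FFFFFFFF'X;
  KRR_exit_data_length = '00000000'X;
  KRR_exit_data = '';
  KRR_token = COPIES('00'X, 64);
  ADDRESS LINKPGM "CSNBKRR",
    "KRR_rc" "KRR_rs",
    "KRR_exit_data_length" "KRR_exit_data",
    "KRR_label" "KRR_token";
RETURN;

/* --------------------------------------------------------------- */
/* Debug                                                           */
/*                                                                 */
/* NOVALUE trap (enabled by SIGNAL ON NOVALUE above): reports the  */
/* offending variable and source line, then ends the exec.         */
/* --------------------------------------------------------------- */
NOVALUE:
  SAY 'Condition NOVALUE was raised.';
  SAY CONDITION('D')||' variable was not initialized.';
  SAY SOURCELINE(sigl);
EXIT;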