IBM Crypto Education Community

Join the IBM Crypto Education community to explore and understand IBM cryptography technology. This community is operated and maintained by the IBM Crypto Development team.

  • 1.  Same private key in two systems

    Posted Mon July 14, 2025 08:48 AM

    The goal: create an asymmetric key pair on two systems (with the same private key value).

    The key value need not be known to the user (no clear form needed), just the same key on two systems. 

    I mean a new key, so there is no need to export an existing private key (which is impossible as far as I know).

    Well, I tried to use CSNDPKG. The service allows providing a KEK label to export the asymmetric key. I've got rc=8, rsn=85e, which means "The key usage attributes of the variable-length key token does not allow the requested operation."

    The KEK is an AES EXPORTER key. I can't guess what key usage is missing or how to change it. I could use another KEK, however I still don't know how to create the KEK. 

    BTW: my understanding is that CSNDPKG with a KEK will create an asymmetric key pair encrypted under the KEK. Then I have to import it (how?) on both this (local) system and the remote system. Am I right? 



    ------------------------------
    Radosław Skorupka
    ------------------------------


  • 2.  RE: Same private key in two systems

    Posted Mon July 14, 2025 09:55 AM

    AES EXPORTER keys have key usage flags that determine what is allowed. For your use case, I would expect that you are missing WR-RSA. In CSNBKTB2, the rule array group Key-usage wrap algorithm control says "Keywords WR-DES, WR-AES, and WR-HMAC are defaults unless one or more keywords are specified." In CSNDPKG, under transport_key_identifier, it says "When this parameter is a variable-length CCA AES internal key token, it must have the appropriate wrapping flag (for example, WR-RSA, WR-ECC, or WR-QSA) enabled for the source key token."

    If you are specifying the XPORT rule with an AES EXPORTER, you will need to use CSNDPKI using the corresponding AES IMPORTER.



    ------------------------------
    Eric Rossman
    ------------------------------
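
The flow described in the reply above, written out as an added REXX example (not IBM sample code and not code from any poster): run with argument A on the exporting host to build an AES EXPORTER skeleton that carries WR-RSA with CSNBKTB2, generate the RSA pair with CSNDPKG XPORT so the private key leaves the coprocessor wrapped under that EXPORTER, and write the exported token to DD XTOKEN; run with argument B on the other host to read DD XTOKEN and import it with CSNDPKI under the matching AES IMPORTER. Assumptions: the EXPORTER/IMPORTER pair is already shared between the two hosts (the thread does not cover how; the document named in post 3 does) and stored under the hypothetical labels AES.EXPORTER.TO.HOSTB and AES.IMPORTER.FROM.HOSTA, both carrying the WR-RSA flag; DD RSASKEL holds an RSA skeleton token built with CSNDPKB; and the buffer sizes and parameter lists follow the ICSF Application Programmer's Guide and should be checked against your ICSF level.

```rexx
/* REXX */
/* Added example for this thread, not IBM code.  Argument A: build an    */
/* AES EXPORTER skeleton with WR-RSA, generate an RSA pair exported       */
/* under it, write the token to DD XTOKEN.  Argument B: import that      */
/* token under the matching AES IMPORTER.  Labels, DD names and buffer   */
/* sizes are assumptions; verify parameter lists against the ICSF        */
/* Application Programmer's Guide for your ICSF level.                   */
PARSE UPPER ARG side .
exit_data_length = '00000000'x             /* no exit data on any call   */
exit_data        = ''
IF side = 'A' THEN CALL host_a
ELSE IF side = 'B' THEN CALL host_b
ELSE DO; SAY 'Usage: argument A (export side) or B (import side)'; EXIT 4; END
EXIT 0

host_a:
/* 1. AES EXPORTER skeleton with WR-RSA (CSNBKTB2).  Naming WR-RSA       */
/*    replaces the WR-DES/WR-AES/WR-HMAC defaults, so list WR-AES too    */
/*    if the same KEK must also wrap AES keys.                           */
rule_array = LEFT('INTERNAL',8) || LEFT('AES',8) || LEFT('NO-KEY',8) || ,
             LEFT('EXPORTER',8) || LEFT('WR-RSA',8)
rule_array_count        = '00000005'x
clear_key_bit_length    = '00000000'x      /* ignored for a NO-KEY skeleton */
clear_key_value         = ''
key_name_length         = '00000000'x
key_name                = ''
uad_length              = '00000000'x
uad                     = ''
token_data_length       = '00000000'x
token_data              = ''
service_data_length     = '00000000'x
service_data            = ''
target_key_token_length = '000002D0'x      /* 720-byte buffer (assumed)     */
target_key_token        = COPIES('00'x, 720)
ADDRESS LINKPGM 'CSNBKTB2' 'return_code' 'reason_code' ,
   'exit_data_length' 'exit_data' 'rule_array_count' 'rule_array' ,
   'clear_key_bit_length' 'clear_key_value' 'key_name_length' 'key_name' ,
   'uad_length' 'uad' 'token_data_length' 'token_data' ,
   'service_data_length' 'service_data' ,
   'target_key_token_length' 'target_key_token'
CALL check 'CSNBKTB2'
/* target_key_token is only a skeleton: it is filled when the            */
/* EXPORTER/IMPORTER pair is established (out of scope here) and stored  */
/* in the CKDS under the label used in step 2.                           */

/* 2. Generate the RSA pair wrapped under the EXPORTER (CSNDPKG XPORT).  */
/*    Without WR-RSA on the EXPORTER this is the call that fails with    */
/*    rc=8 rsn=85E.                                                      */
'EXECIO 1 DISKR RSASKEL (STEM skel. FINIS'    /* RSA skeleton token, assumed */
rsa_skeleton             = skel.1
rule_array               = LEFT('XPORT',8)
rule_array_count         = '00000001'x
regeneration_data_length = '00000000'x
regeneration_data        = ''
skeleton_key_id_length   = D2C(LENGTH(rsa_skeleton),4)
skeleton_key_id          = rsa_skeleton
transport_key_id         = LEFT('AES.EXPORTER.TO.HOSTB',64)  /* hypothetical */
generated_token_length   = '00000DAC'x       /* 3500-byte buffer (assumed)  */
generated_token          = COPIES('00'x, 3500)
ADDRESS LINKPGM 'CSNDPKG' 'return_code' 'reason_code' ,
   'exit_data_length' 'exit_data' 'rule_array_count' 'rule_array' ,
   'regeneration_data_length' 'regeneration_data' ,
   'skeleton_key_id_length' 'skeleton_key_id' 'transport_key_id' ,
   'generated_token_length' 'generated_token'
CALL check 'CSNDPKG'
xtok.1 = LEFT(generated_token, C2D(generated_token_length))
'EXECIO 1 DISKW XTOKEN (STEM xtok. FINIS'     /* ship this file to host B */
RETURN

host_b:
/* 3. Import the external token under the matching AES IMPORTER (CSNDPKI) */
'EXECIO 1 DISKR XTOKEN (STEM xtok. FINIS'
rule_array_count     = '00000000'x
rule_array           = ''
source_key_id_length = D2C(LENGTH(xtok.1),4)
source_key_id        = xtok.1
importer_key_id      = LEFT('AES.IMPORTER.FROM.HOSTA',64)    /* hypothetical */
target_key_id_length = '00000DAC'x
target_key_id        = COPIES('00'x, 3500)
ADDRESS LINKPGM 'CSNDPKI' 'return_code' 'reason_code' ,
   'exit_data_length' 'exit_data' 'rule_array_count' 'rule_array' ,
   'source_key_id_length' 'source_key_id' 'importer_key_id' ,
   'target_key_id_length' 'target_key_id'
CALL check 'CSNDPKI'
/* target_key_id is now an internal token under host B's master key;     */
/* write it to the PKDS to complete the copy.                            */
RETURN

check:
PARSE ARG svc
retc = C2D(return_code); reas = C2D(reason_code)
IF retc > 4 THEN DO
  SAY svc 'failed: rc='retc 'rsn='D2X(reas)    /* ICSF lists rsn in hex   */
  EXIT 8
END
RETURN
```

The same private key ends up on both hosts because the only place the RSA private key exists in clear is inside the coprocessor on host A; it leaves as an external token wrapped under the AES EXPORTER, and host B's CSNDPKI re-wraps it under its own master key. Check the IMPORTER's key usage flags as carefully as the EXPORTER's, since a missing wrap flag on either side gives the same rc=8 key-usage failure.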



  • 3.  RE: Same private key in two systems

    Posted Tue July 15, 2025 08:52 AM

    Hi,

    Not sure, but maybe this doc "Transporting AES encrypted data keys from one z/OS host to another" will help somehow.



    ------------------------------
    Paweł Romanko
    ------------------------------