IBM Crypto Education Community


Join the IBM Crypto Education community to explore and understand IBM cryptography technology. This community is operated and maintained by the IBM Crypto Development team.

  • 1.  Transporting AES Data Keys

    Posted Mon August 26, 2019 06:02 PM

    Hi,

    I have a customer who has three z/OS systems - these are not sysplexed, but do have some shared DASD. Each System has exactly the same master keys loaded in ICSF (against recommendations but they are only a very small shop - 280 MIPS, with limited staff).

    They would like to be able to transport any data key from any system to any system. Has anyone got a matrix of which of the Transport REXX samples need to run on each system, and with what input, to allow this to happen?

    Next question: if they rerun GENECC2 after this has been set up, do they need to start again, or are the derived keys for transport still valid?

    Thanks


    Pat


    PatOughton


  • 2.  Re: Transporting AES Data Keys

    Posted Wed August 28, 2019 03:33 PM

    Hi Pat,

    If they are sharing their CKDS and PKDS among the three systems (SYSA, SYSB, SYSC), they will generate/add the key to the KDS on SYSA and then do a KDS refresh on SYSB and SYSC.

    If they are not sharing their KDSes, after generating/adding the DATA key to the CKDS on SYSA, use CSNBKRR2 to read the DATA key from SYSA and use CSNBKRC2 to write the key to SYSB and SYSC.

    This is only possible because they are using the same master keys on all three systems.

    I don't understand your question about GENECC2. GENECC2 generates an ECC key pair.


    EChan_pok


  • 3.  Re: Transporting AES Data Keys

    Posted Wed August 28, 2019 07:15 PM

    Hi,

    The KDSes are not shared. In the Redbook (and the shorter Techdoc 'Transporting AES Data Keys') for pervasive encryption, there are sample REXX execs which can be used to build transport keys and send/receive a data key from one system to another without having to write any programs to use the ICSF callable services.

    This is their preferred method.

    (GENECC2 is one of these samples; it is used to generate the private/public keys.)


    Pat


    PatOughton


  • 4.  Re: Transporting AES Data Keys

    Posted Thu August 29, 2019 05:47 PM

    I reviewed the Techdoc. I am not familiar with the IDCAMS REPRO approach to distributing keys. My preference would be to use CSNBKRR2 and CSNBKRC2.

    You can also wrap an AES DATA key with RSA key-encrypting keys using CSNDSYX to encrypt and CSNDSYI to decrypt.

    EChan_pok
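As an added illustration of the CSNBKRR2/CSNBKRC2 approach recommended in replies 2 and 4 (this is example code, not one of the Redbook samples or IBM's own), the REXX exec below is run in READ mode on the source system and in WRITE mode on each target. The parameter lists follow the ICSF callable services reference; the exec name, the TOKENDD DD name and the hex-text record format are assumptions.

```rexx
/* REXX - move a master-key-wrapped DATA key token between CKDSes      */
/* TRANSKEY READ  <label>  on SYSA: CSNBKRR2 -> write token to TOKENDD  */
/* TRANSKEY WRITE <label>  on SYSB: read token from TOKENDD -> CSNBKRC2 */
/* Assumption: DD TOKENDD is preallocated (LRECL >= 1456); the token is */
/* stored as printable hex. The token remains wrapped under the CKDS    */
/* master key, so this only works while both systems load the same MK. */
parse upper arg mode label .
if mode <> 'READ' & mode <> 'WRITE' then do
  say 'Usage: TRANSKEY READ|WRITE key-label'
  exit 8
end
key_label        = left(label, 64)      /* labels are 64 bytes, blank padded */
return_code      = d2c(0, 4)
reason_code      = d2c(0, 4)
exit_data_length = d2c(0, 4)
exit_data        = ''
rule_array_count = d2c(0, 4)            /* no keywords needed for either call */
rule_array       = ''
if mode = 'READ' then do
  key_token_length = d2c(725, 4)        /* largest variable-length token      */
  key_token        = copies('00'x, 725)
  address linkpgm 'CSNBKRR2' ,
    'return_code' 'reason_code' 'exit_data_length' 'exit_data' ,
    'rule_array_count' 'rule_array' 'key_label' 'key_token_length' 'key_token'
  call check 'CSNBKRR2'
  tlen = c2d(key_token_length)          /* actual token length on output      */
  queue c2x(left(key_token, tlen))      /* hex text: two characters per byte  */
  'EXECIO 1 DISKW TOKENDD (FINIS'
  say 'Wrote' tlen 'byte token for' strip(label) 'to TOKENDD'
end
else do
  'EXECIO 1 DISKR TOKENDD (FINIS'
  parse pull hextoken
  key_token        = x2c(strip(hextoken))
  key_token_length = d2c(length(key_token), 4)
  address linkpgm 'CSNBKRC2' ,
    'return_code' 'reason_code' 'exit_data_length' 'exit_data' ,
    'rule_array_count' 'rule_array' 'key_label' 'key_token_length' 'key_token'
  call check 'CSNBKRC2'
  say 'Added' strip(label) 'to the local CKDS'
end
exit 0
check: procedure expose return_code reason_code
  rc_ = c2d(return_code); rs_ = c2d(reason_code)
  if rc_ <> 0 then do
    say arg(1) 'failed, return code' rc_ 'reason code' rs_
    exit 12
  end
return
```

Because the record holds an operational key token, the TOKENDD data set should be protected like the CKDS itself and deleted once the key is present on the target systems.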