IBM Crypto Education Community

  • 1.  Exporting HMAC Keys

    Posted Thu August 01, 2019 10:19 AM

    One of our applications plans to use the HMAC algorithm, so I have generated the HMAC operational key and it is stored in the CKDS. I would like to know how to export this HMAC operational key to a file so that it can be transferred to a remote system for use.

    It is mentioned that HMAC keys may be exported/imported under RSA keys. I have tried to export it using the ICSF service CSNDSYX but don't know how to store it to a file to transfer it.

    Please advise.

    Premkumar Ganesan


  • 2.  Re: Exporting HMAC Keys

    Posted Fri August 02, 2019 01:06 PM

    There is more than one way to do this, so I will ask a few questions to try to get to the best solution for you.

    1. Are you planning to use the HMAC key through ICSF or is ICSF just generating it and storing it?
    2. What library/application is on this remote system that will use the key?
    3. How is the z/OS system connected to the other system? (shared DASD, NFS mount, FTP, something else?)
    4. How many of these keys are you planning to create and export?

    CSNDSYX is probably one of the easier ways to do this. In our test environment, I would probably call CSNDPKB (to turn the RSA public key into an ICSF RSA public key token) and then CSNDSYX (rule PKOAEP2) using REXX and then print out the RSA-encrypted key in the joblog, then copy and paste that onto the remote system where I would use a utility to convert from printable to a binary file and then import it using the corresponding RSA private key, but this is presuming that you're doing this once and don't mind the overhead. REXX also supports file I/O. Other languages (C, ASM, COBOL, etc.) support file I/O as well and might be useful in this case.

    erossman


  • 3.  Re: Exporting HMAC Keys

    Posted Mon August 05, 2019 09:42 AM

    Thanks much for your reply.

    1. We are planning to use the HMAC keys through ICSF for an application running on the mainframe.

    2. At the remote end, the HMAC key will be used in a cloud application PaaS.

    3. It's accessed through the network web services.

    4. We would be generating one or two keys...

    So I need to use the RSA public key from the remote system, build the public key token using CSNDPKB, export it through CSNDSYX, write the enciphered key to a file and transfer it to the remote system. Please correct me if I am wrong.

    Premkumar Ganesan


  • 4.  Re: Exporting HMAC Keys

    Posted Mon August 05, 2019 10:30 AM

    I think you have it correct. As long as the cloud application can import a key that was exported using RSA DSI PKCS #1 v2.1 RSAES-OAEP (an open standard), you should be all set.

    erossman


  • 5.  Re: Exporting HMAC Keys

    Posted Tue August 06, 2019 06:49 AM

    Thank you :-)

    Premkumar Ganesan


  • 6.  Re: Exporting HMAC Keys

    Posted Mon September 09, 2019 03:48 PM

    Have exported the HMAC key through CSNDSYX using the RSA public key, printed to file and transferred in binary format.

    But receiving the below error when decrypting at the PaaS end. Any thoughts/suggestions?

    RSA operation error

    25769803792:error:0406506C:rsa routines:rsa_ossl_private_decrypt:data greater than mod len:crypto/rsa/rsa_ossl.c:398:

    Premkumar Ganesan
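
A receiving-side check that ties together the "convert from printable to a binary file" step and the OpenSSL error quoted in the thread, as an added example that is not code from any poster or from IBM. OpenSSL reports "data greater than mod len" when the input handed to the RSA private-key operation is longer than the modulus; the helper name, the 2048-bit modulus and the sample blobs below are assumptions constructed for illustration.

```python
"""Check a transferred RSA-wrapped key blob before attempting decryption."""


def normalize_wrapped_key(blob, modulus_bits):
    """Return (encoding_label, ciphertext) where ciphertext is exactly as long
    as the RSA modulus, or raise ValueError if that cannot be achieved.

    Hypothetical helper: RSAES-OAEP ciphertext is always modulus-length, so a
    longer file cannot be raw ciphertext for that key.
    """
    k = (modulus_bits + 7) // 8          # modulus length in bytes
    if len(blob) == k:
        return "binary", blob

    # Printable hex may arrive as ASCII, or as EBCDIC (cp037) if a z/OS
    # text file was transferred in binary mode without translation.
    for label, codec in (("ascii-hex", "ascii"), ("ebcdic-hex", "cp037")):
        try:
            text = "".join(blob.decode(codec).split())  # drop blanks/newlines
            raw = bytes.fromhex(text)
        except ValueError:               # UnicodeDecodeError is a subclass
            continue
        if len(raw) == k:
            return label, raw

    raise ValueError(
        "blob is %d bytes, expected %d for a %d-bit modulus; "
        "not binary and not hex of the right length"
        % (len(blob), k, modulus_bits))


# Constructed sample data: a stand-in 256-byte "ciphertext" (not a real key).
SAMPLE_RAW = bytes(range(256))
SAMPLE_ASCII_HEX = SAMPLE_RAW.hex().upper().encode("ascii") + b"\n"
SAMPLE_EBCDIC_HEX = SAMPLE_RAW.hex().upper().encode("cp037")

if __name__ == "__main__":
    for name, blob in (("raw", SAMPLE_RAW), ("ascii", SAMPLE_ASCII_HEX),
                       ("ebcdic", SAMPLE_EBCDIC_HEX)):
        label, ct = normalize_wrapped_key(blob, 2048)
        print(name, "->", label, len(ct), "bytes")
```

The returned bytes are what would be written to the binary file passed to the RSAES-OAEP decrypt step; a `ValueError` means the file should be re-examined before any decryption is attempted.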