I just checked one of the systems that I have access to and it works as you described. The random number is 'remembered' from the RNG panel to the Checksum panel, but not to the Master Key Entry panel. This system is very current and I don't know when things changed.
Back when I was first getting started with crypto, one of the POK folks did a presentation at Share, where they showed the behavior you expected ... random numbers were remembered from the RNG panel to the checksum panel to the key entry panel. I was in the back of the room getting excited, because that was not the way it worked on my systems! After the session we talked and she confirmed that was the way it was supposed to work, and that had been a relatively recent 'fix' based on a request from a customer. I disagreed with the fix, because I didn't like the idea of my key material being stored as an ISPF variable. However, in retrospect, whether it was remembered on a panel or not, I suspect it was (and still is) in an ISPF variable.
I later went back and looked at the TSO Logon proc and confirmed that mine was not set up as documented in the ICSF SPG. I don't remember what the issue was, but by modifying it to match the SPG, I did get the same behavior that she had described. There is a section in the SPG: 'Steps to provide access to the ICSF panels'.
I like this new behavior (of not remembering my key part), but it does mean I have to do more typing!
Greg
------------------------------
Greg Boyd
Consultant
Mainframe Crypto
Winchester, VA 22603
240-772-1539
gregboyd@mainframecrypto.com
------------------------------
Original Message:
Sent: Fri January 22, 2021 08:41 PM
From: ALEX KIM
Subject: Does RANDOM number for AES-MK Entry in ICSF support auto populating in Master Key Entry?
Thank you Greg!
- I could not find doc describing logon proc for enabling this yet (our sysprog says everything looks fine). Although, RANDOM to CHECKSUM auto population DOES work (it's been working from the beginning). We opened a support ticket and the support said it's not supposed to pre-populate as something about protecting key value from someone stealing it so not sure it was a recent change. I do see this pre-population was mentioned from both Redbook and some of the key PPTs out there online (at least 3~4 yrs old)... so wanted to check if this is still a valid behavior to get auto populated from RANDOM-CHECKSUM-MASTER KEY ENTRY or not.
------------------------------
ALEX KIM
IBM Z/LinuxONE Solutions Architect
IBM Champion for Z/Blockchain
Vicom Infinity
New York NY
Original Message:
Sent: Wed January 20, 2021 07:51 AM
From: Greg Boyd
Subject: Does RANDOM number for AES-MK Entry in ICSF support auto populating in Master Key Entry?
Take a look at your TSO Logon Proc and how the ISPF libraries are configured, following the instructions in the ICSF Systems Programmers Guide exactly. Years ago, I had a similar issue, but in my case after the random number was generated, it was not populated into either the Checksum panel or the master key entry panel. I don't remember exactly what we had done wrong, but I think the ISPF variables were stored in the wrong place.
------------------------------
Greg Boyd
Consultant
Mainframe Crypto
Winchester, VA 22603
240-772-1539
Original Message:
Sent: Tue January 19, 2021 08:15 PM
From: ALEX KIM
Subject: Does RANDOM number for AES-MK Entry in ICSF support auto populating in Master Key Entry?
Hi all,
I am using RANDOM number generator for generating AES-MK within ICSF. Once RANDOM number is generated, it gets automatically populated into CHECKSUM menu okay.
However, if I go to CEX card menu (1. COPROCESSOR MGMT) and select card to enter Master Key and Checksum. Somehow I was under the impression that it would be auto populated from RANDOM number generator (like it did for CHECKSUM) - as it was described in Redbook as well as in Knowledge Center below, but it does NOT auto populate the value and just shows all ZEROs.
Was this always the case?
Thanks for your help in advance!
from: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.csfb300/cmxenr.htm
Fill in the panel
- Enter the master key type in the Key Type field.
In this example we are entering the DES-MK master key.
- Enter FIRST in the Part field.
- Enter the two-digit checksum and the two 16-digit key values (if you did not use random number generate).
When you end the utility panels and access the Master Key Part Entry panel, the key parts you generated are transferred automatically to the Master Key Part Entry panels. For this reason, you will not need to enter the key parts on the Master Key Part Entry panels.
Although the key parts are automatically transferred to the Master Key Entry panels, make sure you record the random numbers and store them in a safe place. You must have these numbers in case you ever need to reenter the master key values. If you ever need to restore a master key that has been cleared for any reason, you will need the key part values.
------------------------------
ALEX KIM
IBM Z/LinuxONE Solutions Architect
IBM Champion for Z/Blockchain
Vicom Infinity
New York NY
------------------------------