I'm not expecting that anyone knows anything about this, as I think it is pre-ICSF! (grin), but I thought I would ask. I know the documentation is based on pre-ICSF, but I can't get it to work. I raised a doc comment on https://www.ibm.com/docs/en/zos/2.4.0?topic=parameters-cryptographic but they did not seem able to fix the wording. Has anyone any experience of using this?

I got stuck on: you specify a key which is used to encipher the data encrypting key! (I think it means the data is encrypted with an instance-specific key. This key is then encrypted with the key you specify, and the value is stored in the header at the front of the repro data. If you specify NOSTOREDATAKEY it does not write it in the header, but writes to SYSPRINT after a successful encryption.)

I looked in Getting Started with z/OS Data Set Encryption and could not find an example.
For example the doc has
specifies that the source data set is to be enciphered as it is copied to the target data set.
EXTERNALKEYNAME(keyname) | INTERNALKEYNAME(keyname) | PRIVATEKEY
specifies whether you, PCF, or ICSF manages keys privately.

EXTERNALKEYNAME(keyname) specifies that PCF or ICSF manages keys. This parameter also supplies the 1-to-8 character key name of the external file key
[What does this mean? The CSF CKDS/PKDS? I think you have to use a short name in the CKDS/PKDS. I didn't think you could store External keys in the CKDS/PKDS.]
that is used to encipher the data encrypting key.
[Is this a data key, or a cipher key, or another sort of key?]
The key is known only by the deciphering system.
[So how does the local end use it? Does it mean the public key? This is a key which encrypts the data encrypting key - really? - see my interpretation above.]
The key name and its corresponding enciphered data encrypting key are listed in SYSPRINT only if NOSTOREDATAKEY is specified.
[Not if there is a problem! Are there any restrictions on what the keys can be ... e.g. RSA|ECC, any strengths, private|public|symmetric, AES|DES? The doc below talks about private key - so I guess this is a PKI key.]
Abbreviation: EKN

INTERNALKEYNAME(keyname) specifies that PCF or ICSF manages keys. This parameter also supplies the 1-to-8 character key name of the internal file key that is used to encipher the data encrypting key.
[So is this the PKDS/CKDS or an internal dataset?]
The key is retained by the key-creating system.
[So is this saying it will create a key and save it in the key store, or it will use an existing key in a key store - and does not delete it?]
The key name and its corresponding enciphered data encrypting key will only be listed in SYSPRINT if NOSTOREDATAKEY is specified.
[Do you mean the key name and its corresponding enciphered data encrypting key will only be listed in SYSPRINT ONLY if NOSTOREDATAKEY is specified?]

PRIVATEKEY specifies that the key is to be managed by you.
[I don't understand this... how do I manage it - please give more information. Does this mean a private key stored in the PKCS/CKDS? Does it mean you use]

regards
Colin

Eric,
Thank you ... don't worry, I've taken enough of your time ... I'll try on the IBM-MAIN forum (then blog about it once I have it working).
regards