Eleanor, thanks for your help.
I thought I had created a proper KEK. Here is how I did it. Perhaps someone can see the flaw in my efforts and share that/them with me?
BKTB call with EXPORTER key type. Rule array with DES, INTERNAL, KEYLN16, KEY & KEY-PART.
Then a BKPI call with Rule array FIRST, KEYBUF16, USECONFG, passing the TOKEN from the TB call above. And the first part of the key.
A second BKPI call passing all the above except replacing FIRST with LAST. And then the last part of the key.
Finally a BKGN call using OPEX as key form, KEYLN16 as key length, IMPORTER as key type 1 and EXPORTER as key type 2. And then passing the Key ID from the second BKPI call above in as the KEK TYPE ID 2 value.
I think I've got everything right. Does anyone see something I got wrong?
Feedback would be very much appreciated.
------------------------------
Mark Vollmer
Developer, but does everything.
CV Systems, LLC
------------------------------
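The sequence in this message, written out as an added REXX illustration (not code from the thread or from ICSF): build the EXPORTER key-part skeleton with CSNBKTB, load two parts with CSNBKPI, then pass the completed token as KEK_identifier_2 to CSNBKGN with key form OPEX. Parameter order and keywords follow the ICSF callable-service reference as best I recall it; the variable names, the key-part values and the token sizes are assumptions, and the script is meant to run on z/OS via ADDRESS LINKPGM, not elsewhere.

```rexx
/* Added illustration, not from the thread: two-part EXPORTER KEK, then  */
/* CSNBKGN with key form OPEX for an IMPORTER/EXPORTER pair. Parameter  */
/* lists and keywords follow the ICSF reference as the editor recalls   */
/* it; token sizes and the sample key parts below are assumptions.      */
rc = '00000000'x; rsn = '00000000'x; exitlen = '00000000'x; exitdat = ''

/* 1. CSNBKTB: skeleton for an INTERNAL DES key-part token, key type      */
/*    EXPORTER. No KEY/NO-KEY keyword: NO-KEY (no key value) is default. */
kek    = copies('00'x, 64)                 /* 64-byte DES key token buffer */
ktype  = 'EXPORTER'
rcnt   = '00000003'x
rules  = left('INTERNAL',8) || left('KEY-PART',8) || left('KEYLN16',8)
keyval = copies('00'x, 16); mkvn = copies('00'x, 8); res1 = ''; res2 = ''
cv     = copies('00'x, 16)                 /* ICSF supplies the default CV */
iv     = copies('00'x, 8);  pad = ''; cps = ''; mkvp = copies('00'x, 8)
ADDRESS LINKPGM 'CSNBKTB rc rsn exitlen exitdat kek ktype rcnt rules',
        'keyval mkvn res1 res2 cv iv pad cps mkvp'
call check 'CSNBKTB'

/* 2. CSNBKPI: FIRST and LAST clear key parts. Constructed sample values; */
/*    in practice each part comes from a separate key custodian.          */
part1 = '0123456789ABCDEFFEDCBA9876543210'x
part2 = '13579BDF02468ACEECA8642FDB975310'x
kcnt  = '00000003'x
rules = left('FIRST',8) || left('KEYBUF16',8) || left('USECONFG',8)
ADDRESS LINKPGM 'CSNBKPI rc rsn exitlen exitdat kcnt rules part1 kek'
call check 'CSNBKPI FIRST'
rules = left('LAST',8) || left('KEYBUF16',8) || left('USECONFG',8)
ADDRESS LINKPGM 'CSNBKPI rc rsn exitlen exitdat kcnt rules part2 kek'
call check 'CSNBKPI LAST'       /* kek is now a complete internal EXPORTER */

/* 3. CSNBKGN OPEX: key 1 = internal IMPORTER under the master key,       */
/*    key 2 = EXPORTER wrapped by kek (KEK_identifier_2) for the peer.    */
form = 'OPEX'; klen = 'KEYLN16'; type1 = 'IMPORTER'; type2 = 'EXPORTER'
kek1 = copies('00'x, 64)        /* unused: key 1 is master-key enciphered */
gen1 = copies('00'x, 64)        /* receives the internal IMPORTER token   */
gen2 = copies('00'x, 64)        /* receives the external EXPORTER token   */
ADDRESS LINKPGM 'CSNBKGN rc rsn exitlen exitdat form klen type1 type2',
        'kek1 kek gen1 gen2'
call check 'CSNBKGN'
say 'Internal IMPORTER token:      ' c2x(gen1)
say 'External EXPORTER token (ship):' c2x(gen2)
exit 0

check:                          /* stop at the first failing service      */
  if c2d(rc) <> 0 then do
    say arg(1) 'failed: rc' c2d(rc) 'rsn' c2d(rsn)  /* 8/39 = CV violation */
    exit 8
  end
return
```

If CSNBKGN still returns 8/39 after this sequence, the token in KEK_identifier_2 is the first thing to inspect: it must be the completed internal EXPORTER token from the LAST call, not the skeleton or a key-part token.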
Original Message:
Sent: Fri September 23, 2022 05:19 PM
From: Eleanor Chan
Subject: Key Generate parms question
Hi Mark -
8/39 indicates that a key_identifier is the wrong key type.
For key form OPEX, an EXPORTER key-encrypting key must be passed in the KEK_identifier_2 field.
------------------------------
Eleanor Chan
Original Message:
Sent: Fri September 23, 2022 03:31 PM
From: Mark Vollmer
Subject: Key Generate parms question
Got the token build successful. The import key part first & last are also successful. (RC 0/0)
Now I try to gen a new key with the new ID value. (BKGN)
OPEX
IMPORTER/EXPORTER
KEK Identifier 2 using the new ID value from the prior import part call.
I get an 8/39 return - control vector violation
I have no idea what that means. I believe control vectors are generally internal to ICSF. Anyone know what I should be looking at to solve this error?
I've not used any CV related rule array values in any of my calls.
Perhaps this is a RACF permission problem?
------------------------------
Mark Vollmer
Developer, but does everything.
CV Systems, LLC
Original Message:
Sent: Fri September 23, 2022 10:53 AM
From: Bob Petti
Subject: Key Generate parms question
Yep - call CSNBKTB making sure you include the rule KEY-PART. The output skeleton can then be used as the key_identifier parm for your first call with KPI.
------------------------------
Bob Petti
Original Message:
Sent: Fri September 23, 2022 10:32 AM
From: Mark Vollmer
Subject: Key Generate parms question
From the looks of the Import Part Key API...
- I'd need to use token build first.
- And I'd need to do this again with the same key to create an importer key that corresponds to this one if I want to import any exporter keys I create with this KEK.
Am I on the right track now?
------------------------------
Mark Vollmer
Developer, but does everything.
CV Systems, LLC
Original Message:
Sent: Fri September 23, 2022 08:34 AM
From: Bob Petti
Subject: Key Generate parms question
Well yes - there has to be a beginning somewhere - lol.
It normally would have happened some time ago where a user or a set of users would enter key parts into a service like CSNBKPI to create that first key. Users on two systems would enter the same key parts - one creating an exporter key, one creating an importer key - and then they could begin to exchange other keys. Key exchange of course requires both sides of the exchange have peer keys - an importer and an exporter - that have the same clear key value. That is why they are generated in pairs - and that is why one of the pairs is made external so that it can be shipped to another system where the other side of the key exchange will happen. An importer key by itself - with a random value - doesn't have much use without an exporter key with the same clear key value that can be used to create an external token that can be imported by your importer key. I'm not sure what you plan to do with the IM key you want KGN to generate, but if all you want to do is create one IM key, I would suggest using CSNBKPI instead of KGN.
------------------------------
Bob Petti
Original Message:
Sent: Thu September 22, 2022 02:23 PM
From: Mark Vollmer
Subject: Key Generate parms question
Bob,
This would seem to be the chicken and the egg problem. I need a KEK to create the KEK (key 2). How do people do this?
------------------------------
Mark Vollmer
Developer, but does everything.
CV Systems, LLC
Original Message:
Sent: Wed September 21, 2022 07:35 AM
From: Bob Petti
Subject: Key Generate parms question
Hi Mark. Certain key types are required to be created in pairs - and the IMPORTER/EXPORTER key types are such keys. When calling CSNBKGN for those key types, you would specify a key form of "OPEX" (key 1 is "operational" and key 2 is "exportable") for example, with "key1" being an IMPORTER key type and key2 being an "EXPORTER" key type. You would need to specify a valid internal key encrypting key for the KEK_Key_Identifier_2 parameter. This would result in an internal IMPORTER key (enciphered under the coprocessor master key) and an external EXPORTER key that is encrypted using your supplied key encrypting key and can be sent to another system where it can be imported and thus you can exchange keys with that system. The only way I know to create a single standalone key type that is normally created in pairs is to use a service like CSNBSKM, but you would have to supply the key value vs having the coprocessor generate one for you (you can call CSNBRNGL to get random bytes of data for the key value). Hope this helps.
------------------------------
Bob Petti
Original Message:
Sent: Mon September 19, 2022 06:00 PM
From: Mark Vollmer
Subject: Key Generate parms question
I'm trying to create a brand new internal DES key type IM using CSNBKGN.
One of the parameters is KEK_key_identifier_1. And according to the documentation, I need to provide a token or label for a KEK.
For some reason I'm thinking I want the call to create a new key of type IM encrypted under the master key and stored internally in the CKDS with a label.
I am under the impression that I can give that new key a name using the generated key identifier 1 field.
What do I need the KEK identifier for? Wouldn't the system just encrypt under the master key?
What have I missed?
------------------------------
Mark Vollmer
Developer, but does everything.
CV Systems, LLC
------------------------------