Jeffrey D. Smith wrote:
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Alan Altmark
/snip/
So, why did IBM update ICSF to support clear keys in the CKDS and
its address space? Because IBM is marketing its own CPACF solution
that requires clear keys. As long as the clear keys are kept in
protected storage, it's not a big issue with most sites.
Jeffrey, I'm not sure of your point. I was saying that before John McKown
starting including KM and KMC instructions in his program he should
consider the affects of having the keys in cleartext in the application
address space. If that's ok, with all that implies, fine. If that's not
ok, then he should get ICSF functioning again and call the CPACF-based
encryption routines. TDES and AES are available.
The ICSF book has a section on how to use CPACF with ICSF.
He can, of course, look at alternative solutions to ICSF if he's not
interested in ICSF.
/snip/
When ICSF uses CPACF instructions, it is using clear keys in "application
storage". In order for ICSF to use CPACF instruction, the keys must be
clear. The keys are not stored encrypted in the CKDS or within the ICSF
address space; the keys are always clear.
The client program must choose:
(1) Use the operational key token (which exposes the clear key in the
client space), or
(2) use the CKDS label for the clear key (which adds overhead for
locating the clear key in the ICSF application storage).
There's no advantage for using ICSF with CPACF over using a home-grown
solution.
I dare to disagree. ICSF's CKDS is ready to use key container. The keys
are encrypted using master key. This is the advantage - you don't have
to worry about it. You can control and audit key usage using RACF. The
person who use key may be unable to read the key from storage (different
set of authorities).
Last but not least: it comes almost free - ICSF is built in z/OS price,
ICSF overhead is quite irrelevant.
"One more last but not least": It could be easier to call ICSF services
than to use CPACF instructions directly.
A key management *system* is much more complex than what ICSF offers.
Please enlight us:
1. What is key management system.
2. Why do we need KMS, especially for clear key operations.
--
Radoslaw Skorupka
Lodz, Poland
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
