Is aes000....1 an alias associated with the tape drive, key group, key alias list, or range of key aliases? And, yes, the 414553000....1 is ASCII for aes000....1. This is associated with the data key and serves as the Data Key identifier which is written to tape with the encrypted data. In this manner the key value should be retrieved from the key store. Of course the DKi must be identifiable to the keystore. So, if the keystore is on z/OS the DKi needs to be in EBCDIC to be located within the keystore. At least this is my guess as to what is happening.

Marilyn
ATS zSeries Crypto & Security
Certified I/T Specialist
(301) 240-2624 8/372
Washington Systems Center
"WSC: Genesis of the IBM Data Encryption for IMS and DB2 and the IBM Encryption Facility"
FAX: (301) 240-2590 8/372
Internet: allm...@us.ibm.com

"Lester, Bob" <bles...@oppenheimerfunds.com>
Sent by: IBM Mainframe Discussion List <IBM-MAIN@bama.ua.edu>
01/28/2009 06:23 PM
Please respond to IBM Mainframe Discussion List <IBM-MAIN@bama.ua.edu>
To IBM-MAIN@bama.ua.edu
cc
Subject EKM on Z/os & Drive on iSeries

Hi All,

I've got a bit of a problem with EKM.

We're z/OS 1.9, using EKM with Java 1.4.2 (sr10). We're using a JCEKS keystore. Library (TS3100 w/ LTO4 drives) is attached to an iSeries 520 with V5R3.

iSeries SysAdmin can write tapes, but can't read them. Upon viewing the audit.log I see what appears to be some translation happening with the symmetric keys that were set up for these devices.

Given: zoscompatibility=true, and symmetricKeySet = AES01-0F.

When the tape is written, it seems to be assigned a key in this format (some zeros removed for clarity):

aes000....1

When the tape is read, the key is in the format (as reported by EKM):

414553000....1

Isn't that ASCII? The read fails because it can't find the above key in the keystore.

I have a PMR open with IBM, but figured I'd check here as well. Any ideas?

Thanks!
BobL

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
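
An added example, not part of the original thread and not EKM code: a small Python check that decodes the leading bytes of an identifier shaped like the one EKM reported, under both ASCII and EBCDIC (code page 037), and compares the result with keystore aliases. The alias list, the full identifier and the three-character prefix length are constructed assumptions, since the thread elides the real values.

```python
# Constructed sample data: the thread elides the real values ("000....1").
KEYSTORE_ALIASES = ["aes000000000000000001", "aes00000000000000000f"]
REPORTED_ID = "414553000000000000000001"  # hex prefix + numeric part, as in the log

PREFIX_BYTES = 3  # assumption: the alias prefix is three characters ("aes")


def candidates(reported_id, prefix_bytes=PREFIX_BYTES):
    """Decode the leading prefix bytes under ASCII and EBCDIC (cp037)."""
    split = prefix_bytes * 2
    raw, rest = bytes.fromhex(reported_id[:split]), reported_id[split:]
    out = {}
    for name, codec in (("ascii", "ascii"), ("ebcdic", "cp037")):
        try:
            out[name] = raw.decode(codec) + rest
        except UnicodeDecodeError:
            continue  # bytes are not valid in this encoding
    return out


def find_alias(reported_id, aliases):
    """Return (encoding, alias, match_kind) for every keystore alias that fits."""
    hits = []
    for encoding, candidate in candidates(reported_id).items():
        for alias in aliases:
            if alias == candidate:
                hits.append((encoding, alias, "exact"))
            elif alias.lower() == candidate.lower():
                hits.append((encoding, alias, "case-insensitive"))
    return hits


def prefix_hex(alias, codec, prefix_bytes=PREFIX_BYTES):
    """Hex of the alias prefix as it would appear in the given encoding."""
    return alias[:prefix_bytes].encode(codec).hex().upper()


if __name__ == "__main__":
    print(candidates(REPORTED_ID))
    print(find_alias(REPORTED_ID, KEYSTORE_ALIASES))
    # Show how the same prefix looks in each encoding and letter case.
    for codec in ("ascii", "cp037"):
        print(codec, prefix_hex("aes", codec), prefix_hex("AES", codec))
```

With these constructed values the only hit is the ASCII reading, and only when case is ignored, because 41 45 53 is uppercase "AES"; the same letters in EBCDIC would be C1 C5 E2.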