OK, I can see permission being needed to save the key from the other side into 
the CKDS (one does not want to let just anyone update CKDS), but does the 
program / userid that just wants to USE the saved key also need permission just 
to compute a hash with that key?

That's the part I would see as a roadblock to implementation.

Peter

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Isabel
Sent: Friday, October 23, 2020 12:37 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: CSNBHMG - ICSF

Peter,

We are given a key from the other side to do the hash, and this key is what we 
want to preserve

Thank you

On Fri, Oct 23, 2020 at 1:33 PM Farley, Peter x23353 < 
0000031df298a9da-dmarc-requ...@listserv.ua.edu> wrote:

> PMFJI here and perhaps I misunderstand the requirement, but requiring 
> ESF permission to compute a hash makes no sense to me, even from the 
> POV of a paranoid liability attorney.
>
> What possible technical justification (other than "the 
> lawyers said we needed it") is there for such a requirement?  What 
> possible harm can a program computing a hash do that requires ESF permission?
>
> Unless this is computing a hash using a protected key rather than a 
> clear key?  I can sort of see permission needed to create or update a 
> protected key in the CKDS, but why would permission be needed to just use it?
>
> Peter
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On 
> Behalf Of Pierre Fichaud
> Sent: Friday, October 23, 2020 12:17 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: CSNBHMG - ICSF
>
> Hi,
>         CSNB* calls are DES
>         CSND* calls are AES.
>         If you are using CSNBHMG you need the DES master key to be set.
>         And the label used in the call needs to be in the CKDS.
>         And you need permissions defined in RACF.
> Regards, Pierre.