Steve,

There is a difference between a key LABEL and a key ALIAS.  Your console 
suggests that the latter is not defined to VM:

> set tape 704 rekey EKMCERT030911A
> HCPSTA9968E Key alias not found: EKMCERT030911A

The LABEL is what is defined to the key store, and is what shows up in the 
output for Q TAPE DETAILS (and its cousins).  An ALIAS is a z/VM construct 
that combines a label and an encoding mechanism to be used on the label, 
into a single operand that can be used by the different command parsers. 
If you were to issue a command SET KEYALIAS TEST01 KEYLABEL 
EKMCERT030911A, and then SET TAPE 704 REKEY TEST01, you'd probably be just 
fine.  (That is, the use of ...0911B as an encryption key for that volume 
would be removed.)

The encoding mechanism is just a "hint" to determine how to decrypt the 
tape; it doesn't provide any mechanism to actually decrypt the actual 
data.  A "label" encoding mechanism means the key labels need to be 
identical between the writer and reader, while a "hash" uses the common 
public key and thus provides some flexibility between sites.  (That is, 
one site labeling their key "MyKey" and another calling it 
"EricsPublicKey" in their respective key stores.)

Regards,
            Eric

Eric Farman
z/VM I/O Development
IBM Endicott, NY




From: Steve Mondy <steve.mo...@opensolutions.com>
To: IBMVM@LISTSERV.UARK.EDU
Date: 04/05/2011 11:26 AM
Subject: Re: Encryption Rekey on TS1120 (3592-E05)
Sent by: The IBM z/VM Operating System <IBMVM@LISTSERV.UARK.EDU>



Alan,
Try again. Did not work, same results.
Steve

-----Original Message-----
From: The IBM z/VM Operating System [mailto:IBMVM@LISTSERV.UARK.EDU] On 
Behalf Of Alan Altmark
Sent: Tuesday, April 05, 2011 10:15 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Encryption Rekey on TS1120 (3592-E05)

On Tuesday, 04/05/2011 at 10:56 EDT, Steve Mondy
<steve.mo...@opensolutions.com> wrote:
> set tape 704 rekey EKMCERT030911A
> HCPSTA9968E Key alias not found: EKMCERT030911A
> Ready(09968); T=0.01/0.01 10:38:35
>
> q ta details 704
> TAPE 0704 SEQUENCE NUMBER 12311 LIBPORT 2 ENCRYPTION CAPABLE
>   ACTIVE KEY LABEL(S):
>     (L) ekmcert031010a
>     (L) ekmcert031010b
>   ATTACHED KEY LABEL(S): DEFAULT
>   INACTIVE KEY LABEL(S): DEFAULT
> Ready; T=0.01/0.01 10:48:08

I see mixed vs. upper case.  If you're going to store the keys with
mixed-case labels, then you probably need to issue the command in an EXEC:
   newkey = "ekmcert030911a"
   address command "CP SET TAPE 704 REKEY" newkey

Just a guess.

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott
