Erik,
Thanks, that did it! It was the forest and the trees issue for me. Key alias is
a label pointing to the key store key label.

Ed,
Here is what I did and I can change the keys back and forth to any combination.


  SET KEYALIAS key2011a KEYLABEL ekmcert030911a
  SET KEYALIAS key2011b KEYLABEL ekmcert030911b
  SET KEYALIAS key2010a KEYLABEL ekmcert031010a
  SET KEYALIAS key2010b KEYLABEL ekmcert031010b

Mount the encrypted tape on drive 707 and REW it, then

  SET TAPE 707 rekey key2011a key2011b

Or to change it back to the original keys,

  SET TAPE 707 rekey key2010a key2010b

From: The IBM z/VM Operating System [mailto:IBMVM@LISTSERV.UARK.EDU] On Behalf 
Of Eric R Farman
Sent: Tuesday, April 05, 2011 11:01 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Encryption Rekey on TS1120 (3592-E05)

Steve,

There is a difference between a key LABEL and a key ALIAS.  Your console 
suggests that the latter is not defined to VM:

> set tape 704 rekey EKMCERT030911A
> HCPSTA9968E Key alias not found: EKMCERT030911A

The LABEL is what is defined to the key store, and is what shows up in the 
output for Q TAPE DETAILS (and its cousins).  An ALIAS is a z/VM construct that 
combines a label and an encoding mechanism to be used on the label, into a 
single operand that can be used by the different command parsers.  If you were 
to issue a command SET KEYALIAS TEST01 KEYLABEL EKMCERT030911A, and then SET 
TAPE 704 REKEY TEST01, you'd probably be just fine.  (That is, the use of 
...0911B as an encryption key for that volume would be removed.)

The encoding mechanism is just a "hint" to determine how to decrypt the tape, 
it doesn't provide any mechanism to actually decrypt the actual data.  A 
"label" encoding mechanism means the key labels need to be identical between 
the writer and reader, while a "hash" uses the common public key and thus 
provides some flexibility between sites.  (That is, one site labeling their key 
"MyKey" and another calling it "EricsPublicKey" in their respective key stores.)

Regards,
           Eric

Eric Farman
z/VM I/O Development
IBM Endicott, NY
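
The procedure discussed in this thread as a REXX EXEC, added here as an example and not written by any of the posters: it defines two aliases, rekeys the tape through them, and treats return code 9968 (the code shown with HCPSTA9968E in the console log quoted in this thread) as a missing alias. The EXEC name and the argument handling are assumptions; the commands, alias names and key labels are the ones quoted in the thread.

```rexx
/* REKEY EXEC - added example: define key aliases, then rekey a tape  */
/* Usage: REKEY rdev   (EXEC name and argument are assumptions)       */
parse upper arg rdev .
if rdev = '' then do
  say 'Usage: REKEY rdev'
  exit 24
end

/* alias -> key store label, as quoted in the thread.                 */
/* Quoted literals reach CP exactly as written here, case included.   */
alias.1 = 'key2011a' ; label.1 = 'ekmcert030911a'
alias.2 = 'key2011b' ; label.2 = 'ekmcert030911b'
alias.0 = 2

address command
do i = 1 to alias.0
  'CP SET KEYALIAS' alias.i 'KEYLABEL' label.i
  if rc <> 0 then do
    say 'SET KEYALIAS' alias.i 'failed, rc='rc
    exit rc
  end
end

/* The encrypted tape must already be mounted and rewound on rdev.    */
'CP SET TAPE' rdev 'REKEY' alias.1 alias.2
select
  when rc = 0 then nop
  when rc = 9968 then do       /* HCPSTA9968E Key alias not found     */
    say 'REKEY operand is not a defined alias (was a key label used?)'
    exit rc
  end
  otherwise do
    say 'SET TAPE' rdev 'REKEY failed, rc='rc
    exit rc
  end
end

/* Display the active key labels so the change can be confirmed.      */
'CP QUERY TAPE DETAILS' rdev
exit rc
```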


From: Steve Mondy <steve.mo...@opensolutions.com>
To: IBMVM@LISTSERV.UARK.EDU
Date: 04/05/2011 11:26 AM
Subject: Re: Encryption Rekey on TS1120 (3592-E05)
Sent by: The IBM z/VM Operating System <IBMVM@LISTSERV.UARK.EDU>


________________________________



Alan,
Try again. Did not work, same results.
Steve

-----Original Message-----
From: The IBM z/VM Operating System [mailto:IBMVM@LISTSERV.UARK.EDU] On Behalf 
Of Alan Altmark
Sent: Tuesday, April 05, 2011 10:15 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Encryption Rekey on TS1120 (3592-E05)

On Tuesday, 04/05/2011 at 10:56 EDT, Steve Mondy
<steve.mo...@opensolutions.com> wrote:
> set tape 704 rekey EKMCERT030911A
> HCPSTA9968E Key alias not found: EKMCERT030911A
> Ready(09968); T=0.01/0.01 10:38:35
>
> q ta details 704
> TAPE 0704 SEQUENCE NUMBER 12311 LIBPORT 2 ENCRYPTION CAPABLE
>   ACTIVE KEY LABEL(S):
>     (L) ekmcert031010a
>     (L) ekmcert031010b
>   ATTACHED KEY LABEL(S): DEFAULT
>   INACTIVE KEY LABEL(S): DEFAULT
> Ready; T=0.01/0.01 10:48:08

I see mixed vs. upper case.  If you're going to store the keys with
mixed-case labels, then you probably need to issue the command in an EXEC:
  newkey = "ekmcert030911a"
  address command "CP SET TAPE 704 REKEY" newkey

Just a guess.

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott

________________________________

NOTICE:
This e-mail is intended solely for the use of the individual to whom it is 
addressed and may contain information that is privileged, confidential or 
otherwise exempt from disclosure. If the reader of this e-mail is not the 
intended recipient or the employee or agent responsible for delivering the 
message to the intended recipient, you are hereby notified that any 
dissemination, distribution, or copying of this communication is strictly 
prohibited. If you have received this communication in error, please 
immediately notify us by replying to the original message at the listed email 
address. Thank You.

