Re: CSNBENC rc=8 rsn=X'271C'
On Wed, 12 Oct 2022 09:51:36 +0100, Lennie Dymoke-Bradshaw wrote: >It was Pierre's previous posts about replacing a password using ICHEINTY and >R-admin. >Maybe I have mixed up two distinct issues. Perhaps, but that earlier/ongoing thread talking about "having a RACF encrypted password" and "having used CSNBENC to get it" certainly seems like they _should_ be related :) -- Walt -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: CSNBENC rc=8 rsn=X'271C'
It was Pierre's previous posts about replacing a password using ICHEINTY and R-admin. Maybe I have mixed up two distinct issues. Lennie -Original Message- From: IBM Mainframe Discussion List On Behalf Of Eric D Rossman Sent: 12 October 2022 02:56 To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: CSNBENC rc=8 rsn=X'271C' What gave you the impression that this was related to KDFAES? -Original Message- From: IBM Mainframe Discussion List On Behalf Of Lennie Dymoke-Bradshaw Sent: Tuesday, October 11, 2022 6:34 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: [EXTERNAL] Re: CSNBENC rc=8 rsn=X'271C' Pierre, I think you need to understand that KDFAES is not just basic AES encryption. There are other parts of the process designed to slow down dictionary attacks. https://www.ibm.com/docs/en/zos/2.5.0?topic=des-racf-kdfaes-algorithm Lennie Dymoke-Bradshaw ‘Dance like no one is watching. Encrypt like everyone is.’ -Original Message- From: IBM Mainframe Discussion List On Behalf Of Pierre Fichaud Sent: 11 October 2022 20:32 To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: CSNBENC rc=8 rsn=X'271C' I used the ICSF panels. I'll switch to CSNBSAE call. Thanks, Pierre. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: CSNBENC rc=8 rsn=X'271C'
What gave you the impression that this was related to KDFAES? -Original Message- From: IBM Mainframe Discussion List On Behalf Of Lennie Dymoke-Bradshaw Sent: Tuesday, October 11, 2022 6:34 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: [EXTERNAL] Re: CSNBENC rc=8 rsn=X'271C' Pierre, I think you need to understand that KDFAES is not just basic AES encryption. There are other parts of the process designed to slow down dictionary attacks. https://www.ibm.com/docs/en/zos/2.5.0?topic=des-racf-kdfaes-algorithm Lennie Dymoke-Bradshaw ‘Dance like no one is watching. Encrypt like everyone is.’ -Original Message- From: IBM Mainframe Discussion List On Behalf Of Pierre Fichaud Sent: 11 October 2022 20:32 To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: CSNBENC rc=8 rsn=X'271C' I used the ICSF panels. I'll switch to CSNBSAE call. Thanks, Pierre. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: CSNBENC rc=8 rsn=X'271C'
Pierre, I think you need to understand that KDFAES is not just basic AES encryption. There are other parts of the process designed to slow down dictionary attacks. https://www.ibm.com/docs/en/zos/2.5.0?topic=des-racf-kdfaes-algorithm Lennie Dymoke-Bradshaw https://rsclweb.com ‘Dance like no one is watching. Encrypt like everyone is.’ -Original Message- From: IBM Mainframe Discussion List On Behalf Of Pierre Fichaud Sent: 11 October 2022 20:32 To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: CSNBENC rc=8 rsn=X'271C' I used the ICSF panels. I'll switch to CSNBSAE call. Thanks, Pierre. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: CSNBENC rc=8 rsn=X'271C'
I used the ICSF panels. I'll switch to CSNBSAE call. Thanks, Pierre. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: CSNBENC rc=8 rsn=X'271C'
How did you use the ICSF panels to create the key? If you used KGUP, you will need to refresh the CKDS to see the updates. Also, once you get that sorted, the call is going to fail anyway. CSNBENC uses DES/TDES keys. It doesn't support AES keys. You will need to switch to CSNBSAE for AES key support. -Original Message- From: IBM Mainframe Discussion List On Behalf Of Pierre Fichaud Sent: Tuesday, October 11, 2022 2:15 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: [EXTERNAL] CSNBENC rc=8 rsn=X'271C' Using the ICSF panels, I created an AES DATA key (128 bits) called MY.DATA.KEY I fed this into a CSNBENC call and got rc=8 rsn=x'271C'. I'm not sure what I am doing wrong. key-identifier (or label) is MY.DATA.KEY padded with blanks to 64 bytes init-vector is XL8'00' rule array is IPS,INITIAL,TOKEN each 8-bytes and padded with blanks. Regards, Pierre. 271C (10012) A key label was supplied for a key identifier parameter. This label is the label of a key in the in-storage CKDS or PKDS. A key record with that label (and the specific type if required by the ICSF callable service) could not be found. For a retained key label, this error code is also returned if the key is not found in the CCA coprocessor specified in the PKDS record. User action: Check with your administrator if you believe that this key should be in the in-storage CKDS or the PKDS. The administrator may be able to bring it into storage. If this key cannot be in storage, use a different label. REASONCODES: TSS 01E (030) -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN