All DES, AES, and HMAC keys (except for master keys) can be stored in the CKDS.
You can use KGUP to enter keys into the CKDS.
You can program applications to use the CKDS key record create service to create new entries in the CKDS and use the CKDS key record write service to enter key tokens into the CKDS.
DES operational key support is available for all CCA Cryptographic coprocessors. AES operational key support is available for CEX2C and later CCA Cryptographic coprocessors. You can load key parts for all operational keys into key part registers on the card. To load the accumulated key into the CKDS, you must use the ICSF Operational Key Load panel or KGUP. For more information, refer to the z/OS Cryptographic Services ICSF TKE Workstation User's Guide.
The Enterprise Key Management Foundation (EKMF) provides online key management to ICSF as well as to IBM cryptographic products on other platforms. EKMF offers centralized key management for CCA symmetric and asymmetric keys and for certificates. EKMF automates the key management process and exchanges and replaces keys and certificates on demand. Also, to assure continuous operation, EKMF maintains backup copies of all critical keys.
For additional information, contact the Crypto Competence Center at ccc@dk.ibm.com or at: https://www-304.ibm.com/jct05001c/dk/security/cccc/.
Table 1 shows which keys can be entered by each of these methods.
Key Type | KGUP | Dynamic | TKE | EKMF |
---|---|---|---|---|
Data-encrypting (DES DATA) | X | X | X | |
Data-encrypting (AES and DES CIPHER) | X | X | X | X |
Cipher text translation | X | X | X | X |
HMAC | X | X | | |
MAC (AES and DES) | X | X | X | X |
PIN (AES and DES) | X | X | X | X |
Transport keys (AES and DES) | X | X | X | X |
Key-generating (AES and DES) | X | X | X | X |