We don't use the TKE workstation. I think Radoslaw is correct that more shops using crypto enter master keys in TSO than purchase and use TKE. Keys are stored securely and procedures for key handling, especially at DR, are carefully documented, but like many commercial accounts we have never considered purchasing a TKE. I really like Alan's idea of moving the TKE function to the HMC with an appropriate security role.
Best Regards,
Sam Knutson, GEICO System z Team Leader
mailto:[email protected]
(office) 301.986.3574 (cell) 301.996.1318
"Think big, act bold, start simple, grow fast..."

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Francis van Zutphen
Sent: Thursday, February 23, 2012 12:03 PM
To: [email protected]
Subject: What is the justification for not using Trusted Key Entry (TKE) workstation?

Hello ICSF,

We have a particular mainframe environment which is a contained Data Server (only DB2 databases and CICS). We do not have any ATM or PIN applications; we do have WebSphere; we do not have direct customer/user access on this machine. The non-mainframe platforms communicate with this mainframe via services like MQ and TIBCO.

We have been using TKE to securely load the master keys only, and not operational keys. Over the years the new applications that use crypto have been installed on the other platforms. We now have a situation where we only have ONE legacy application key defined and in use in the CKDS, which is why we are now considering dismantling the optional TKE.

We realise that going back to TSO panels for master key administration is less secure than TKE, but find we can no longer justify using TKE as the remaining application does not have a high enough CIA rating.

I have two questions:
1). Are there any other customers out there that do not use TKE?
2). What is the justification for not using TKE?

regards
Francis

====================
This email/fax message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution of this email/fax is prohibited. If you are not the intended recipient, please destroy all paper and electronic copies of the original message.
---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN

