Yes, you have to initialize the keys in each LPAR, but using CUT & PASTE in your TN3270 emulator, provided you have the keys laid out neatly in your document you are working from, this only takes a few minutes on each. We have never purchased the TKE due to the added cost and have 10 LPARs to update on an upcoming z196 to zEC12 migration this month, and this doesn't really even amount to any significant time in our migration activities. The same process occurs at Disaster Recovery since we recover at IBM BCRS, and so between CEC swaps every few years and the annual DR exercise it’s a process the z/OS systems programmers are familiar with.

Best Regards,

Sam Knutson, GEICO System z Team Leader
mailto:[email protected]
(office) 301.986.3574
(cell) 301.996.1318

GEICO Operating Principles #1 Be the low-cost provider.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Francis van Zutphen
Sent: Friday, January 11, 2013 2:31 AM
To: [email protected]
Subject: ICSF Master Key Management: TKE versus TSO Panels

Hello ICSF System Programmers,

Could you please assist/advise me on the following issue/concern.

Due to the fact that we only have a couple of crypto keys to support legacy applications on our mainframe and because of a cost saving exercise, we decided not to include the optional TKE workstation in our order of the new EC12 machine. This means we are reverting to ICSF TSO panels for Master Key (MK) management.

We have 12 lpars connected to the Crypto Express co-processor and previously used TKE on the 1st lpar started in the new hardware environment to load the MK to all lpars. Now the Key Management guys are concerned that without the TKE workstation, loading new Master keys will be a prolonged process, i.e. executing the new MK process x12 (on each lpar).

Our Environment:

· Only DES Masterkey defined
· We have 3 categories of MKs: PRODUCTION, ACCEPTANCE, TEST
· FMID HCR7780 and HCR77A0 in progress
· Masterkey change every 2/3 years when new mainframe is installed

OUTPUT OF ICSF COPROCESSOR MANAGEMENT PANELS
----------------------------------------------------------------
COPROCESSOR  SERIAL NUMBER  STATUS  AES  DES  ECC  RSA  P11
-----------  -------------  ------  ---  ---  ---  ---  ---
G00          9XXXXXX1       ACTIVE  U    A    U    U
G01          9XXXXXX2       ACTIVE  U    A    U    U
G02          9XXXXXX2       ACTIVE  U    A    U    U
G03          9XXXXXX2       ACTIVE  U    A    U    U

QUESTIONS:
--------------
1. Does ICSF TSO panels method mean that the Key Management guys will have to logon to each lpar and load the new Master keys?
2. Could we alternatively use the “pass phrase initialization utility” to reduce ICSF set-up time and then use our Change Management procedures to plan a new MK at a later date?

regards
Francis van Zutphen
