I think this is still valid //KGUP EXEC PGM=CSFKGUP //CSFCKDS DD DISP=SHR,DSN=CSF.CPU3.CSFCKDS //CSFDIAG DD SYSOUT=*,DCB=(RECFM=FBA,LRECL=133,BLKSIZE=13300) //CSFKEYS DD SYSOUT=*,DCB=(RECFM=FB,LRECL=208,BLKSIZE=3328) //CSFSTMNT DD SYSOUT=*,DCB=(RECFM=FB,LRECL=80,BLKSIZE=3200) //CSFIN DD * ADD LABEL(xxxxxx) TYPE(EXPORTER) CLEAR <<---- your control cards may be different //* //REFRESH EXEC PGM=CSFEUTIL,PARM='CSF.CPU3.CSFCKDS,REFRESH'
On Fri, 23 Oct 2020 14:33:36 -0300, Isabel <[email protected]> wrote: >I add the label the CKDS, with the KGUP utility (in a sandbox), the user >who submit the job, needs permission to the profile in the csfkeys class. >My problem is with the syntax of the "add" command to add this register in >the ckds. > >Thanks again! > >On Fri, Oct 23, 2020 at 1:45 PM Farley, Peter x23353 < >[email protected]> wrote: > >> OK, I can see permission being needed to save the key from the other side >> into the CKDS (one does not want to let just anyone update CKDS), but does >> the program / userid that just wants to USE the saved key also need >> permission just to compute a hash with that key? >> >> That's the part I would see as a roadblock to implementation. >> >> Peter >> >> -----Original Message----- >> From: IBM Mainframe Discussion List <[email protected]> On Behalf >> Of Isabel >> Sent: Friday, October 23, 2020 12:37 PM >> To: [email protected] >> Subject: Re: CSNBHMG - ICSF >> >> Peter, >> >> We are given a key from the other side to do the hash, and this key is >> that we want to preserve >> >> Thank you >> >> On Fri, Oct 23, 2020 at 1:33 PM Farley, Peter x23353 < >> [email protected]> wrote: >> >> > PMFJI here and perhaps I misunderstand the requirement, but requiring >> > ESF permission to compute a hash makes no sense to me, even from the >> > POV of a paranoid liability attorney. >> > >> > What possible technical justification is there (other than "the >> > lawyers said we needed it") is there for such a requirement? What >> > possible harm can a program computing a hash do that requires ESF >> permission? >> > >> > Unless this is computing a hash using a protected key rather than a >> > clear key? I can sort of see permission needed to create or update a >> > protected key in the CKDS, but why would permission be needed to just >> use it? >> > >> > Peter >> > >> > -----Original Message----- >> > From: IBM Mainframe Discussion List <[email protected]> On >> > Behalf Of Pierre Fichaud >> > Sent: Friday, October 23, 2020 12:17 PM >> > To: [email protected] >> > Subject: Re: CSNBHMG - ICSF >> > >> > Hi, >> > CSNB* calls are DES >> > CSND* calls are AES. >> > If you are using CSNBHMG you need the DES master key to be set. >> > And the label used in the call needs to be in the CKDS. >> > And you need permissions defined in RACF. >> > Regards, Pierre. >> -- >> >> This message and any attachments are intended only for the use of the >> addressee and may contain information that is privileged and confidential. >> If the reader of the message is not the intended recipient or an authorized >> representative of the intended recipient, you are hereby notified that any >> dissemination of this communication is strictly prohibited. If you have >> received this communication in error, please notify us immediately by >> e-mail and delete the message and any attachments from your system. >> >> >> ---------------------------------------------------------------------- >> For IBM-MAIN subscribe / signoff / archive access instructions, >> send email to [email protected] with the message: INFO IBM-MAIN >> > >---------------------------------------------------------------------- >For IBM-MAIN subscribe / signoff / archive access instructions, >send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
