For anyone not aware of why we don't support using TKE with zPDT, I will explain. TKE will only "talk" to cards that are signed with a closely held signing key. Given that zPDT is using simulated crypto hardware, IBM isn't about to sign a software-only implementation that could be compromised by a malicious programmer. Security is a much lower concern on a system that should never be used for production, thus a much lower level of security is fine, so we created the ACPTOOL.
To be clear, I would support allowing turning on 24-byte DES MK without a TKE. The rationale for dual-control to enable it no longer applies (in my opinion). However, as I said to Radoslaw, there are security considerations to most all the rest of the ACPs. The default ON/OFF setting for each of the ACPs was carefully chosen in a balance of security and functionality.

Eric Rossman
---------------------------------
ICSF Security Architect
z/OS Security
---------------------------------

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Lennie Bradshaw
Sent: Friday, July 4, 2025 10:19 AM
To: [email protected]
Subject: [EXTERNAL] Re: ICSF ACP and TKE

There are indeed numerous inconsistencies. I run a zPDT and on there is a utility (i.e. a Linux command, ACPTOOL) to allow the changing of some Control Points without a TKE. I have used this to set the CP to allow 24-bit protection of DES master keys. It has been stated that there is no support for a TKE on zPDT - and there never will be.

I would support having a method other than TKE for some of these functions on real Z machines. I suggest you raise an IBM idea for this.
https://www.ibm.com/support/pages/welcome-ibm-ideas-portal

Regards,
Lennie
