The Diffie-Hellman technique allows you to create matching keys on two systems securely, with no need to share a common key in advance. Each system needs a private/public key pair, and the public keys are available on all systems. There are many steps, but it is relatively painless.
Scenario
Two systems, A and B. We want a data set encryption key on system A to also be available on system B, and we want to create an exporter key on A with a matching importer key on B.
The steps are
- generate private/public pairs on each system
- use these to generate the symmetric keys.
Generate a private/public key pair on each system, and send the public key to the other system.
On System A
Use the ISPF ICSF panels
- Options 5;6;6 Generate PKA keys, import or export public keys via certificate
- Enter PKDS record’s label: SYSTEMA
- Select Generate a new RSA or EC key pair record
- Select EC NIST Curve, P521.
- This should display PKDS Key Request Successful. Press enter to return.
- Select Export the PKDS record’s public key to a certificate data set
- Specify a data set name ‘COLIN.SYSTEMA’
- Specify the common name SYSTEMA
- Press enter
- This should give you PKDS Public Key Export Successful
- Send the data set ‘COLIN.SYSTEMA’ to the remote system.
On System B
- Follow the instructions above to generate PKA keys.
- Label Name SYSTEMB, and use export data set name COLIN.SYSTEMB, etc. Check it has worked.
- Next, select Create a PKDS public key record from an input certificate
- Enter the name of the data set you copied across containing the public key for SYSTEMA
- Press enter. It should import the key
- F3 to return to the ICSF PKDS keys page.
- Select option 1, and press enter. Use the line command K to display the contents of the certificates. You should have the private key with sections “PRIVATE PUBLIC”, and the public key should have section “PUBLIC”
- Send the data set ‘COLIN.SYSTEMB’ to the first system.
On System A
- Read in the data set
- Options 5;6;6 Generate PKA keys, import or export public keys via certificate
- Enter PKDS record label SYSTEMB
- Select Create a PKDS public key record from an input certificate
- Enter the name of the data set COLIN.SYSTEMB.
- When this has worked, display the contents of the PKDS as described above.
You now have a private/public key on each system, and each system has a copy of the other’s public key.
Generate a symmetric key on each system
Now that you have the private/public key pair on each system, and the public key of the other system, you can create a symmetric key.
ICSF does not provide a function for this. See Generate a secure shared key on multiple systems using Diffie-Hellman on GitHub.
- On SYSTEMA you need the name of the private/public pair SYSTEMA, and the name of the public certificate SYSTEMB.
- You need a phrase which provides a seed to the encryption. This does not need to be kept confidential, but you may still wish to protect it.
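The key agreement the GENDH job performs, as an added Go example that is not part of this post or of the GENDH program: each system combines its own private key with the other system's public key and derives the same AES key from the shared secret plus the party phrase, so only the public keys ever travel between systems. The names System, NewSystem and DeriveAESKey and the HMAC-SHA256 derivation are assumptions for illustration; the P-521 curve is the one chosen in the panels above.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// System models one z/OS system holding an EC P-521 key pair (illustration, not ICSF code).
type System struct {
	Name string
	priv *ecdh.PrivateKey
}

// NewSystem generates the P-521 key pair that the ICSF panel creates.
func NewSystem(name string) (*System, error) {
	priv, err := ecdh.P521().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &System{Name: name, priv: priv}, nil
}

// PublicKey is the encoded public key: the part exported to the certificate data set.
func (s *System) PublicKey() []byte { return s.priv.PublicKey().Bytes() }

// DeriveAESKey runs ECDH with the peer's public key, then derives a 256-bit AES key from
// the shared secret and the non-secret party phrase (HMAC-SHA256 KDF assumed; GENDH has its own).
func (s *System) DeriveAESKey(peerPub []byte, party string) ([]byte, error) {
	pub, err := ecdh.P521().NewPublicKey(peerPub)
	if err != nil {
		return nil, fmt.Errorf("%s: bad peer public key: %w", s.Name, err)
	}
	shared, err := s.priv.ECDH(pub) // shared secret never leaves this system
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, shared)
	mac.Write([]byte("AES-256 " + party))
	return mac.Sum(nil), nil // 32 bytes: the AES-256 key
}

func main() {
	a, _ := NewSystem("SYSTEMA")
	b, _ := NewSystem("SYSTEMB")
	ka, _ := a.DeriveAESKey(b.PublicKey(), "cOlinSeed") // A: own private, B's public
	kb, _ := b.DeriveAESKey(a.PublicKey(), "cOlinSeed") // B: own private, A's public
	fmt.Println("keys match:", hmac.Equal(ka, kb))
}
```

Changing the party phrase on one side, or using a third system's private key, gives a different key, which is why the phrase does not need to be secret but the private keys do.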
Generate a CIPHER for data set encryption
//RUN EXEC PGM=GENDH,REGION=0M,PARMDD=MYPARMS
//MYPARMS DD *
-ptype INTERNAL,AES,CIPHER,XPRTCPAC,ANY-MODE
-key AESDHDSCIPHER
-private AAA
-public BBB
-replace Y
-party cOlinSeed
-debug 0
/*
//STEPLIB DD DISP=SHR,DSN=COLIN.LOAD
//SYSPRINT DD SYSOUT=*,DCB=(LRECL=200)
//CEEDUMP DD SYSOUT=*,DCB=(LRECL=200)
//SYSOUT DD SYSOUT=*
//SYSERR DD SYSOUT=*
On the other system, swap AAA and BBB (each system uses its own private key and the other system's public key), and run the JCL.
Create an exporter key on SYSTEMA
//RUN EXEC PGM=GENDH,REGION=0M,PARMDD=MYPARMS
//MYPARMS DD *
-ptype INTERNAL,AES,EXPORTER
-key AESDHKEK
-private AAA
-public BBB
-replace Y
-party cOlinSeed2
-debug 0
/*
//STEPLIB DD DISP=SHR,DSN=COLIN.LOAD
//SYSPRINT DD SYSOUT=*,DCB=(LRECL=200)
//CEEDUMP DD SYSOUT=*,DCB=(LRECL=200)
//SYSOUT DD SYSOUT=*
//SYSERR DD SYSOUT=*
Create a matching importer key on SYSTEMB
//RUN EXEC PGM=GENDH,REGION=0M,PARMDD=MYPARMS
//MYPARMS DD *
-ptype INTERNAL,AES,IMPORTER
-key AESDHKEK
-private BBB
-public AAA
-replace Y
-party cOlinSeed2
-debug 0
/*
//STEPLIB DD DISP=SHR,DSN=COLIN.LOAD
//SYSPRINT DD SYSOUT=*,DCB=(LRECL=200)
//CEEDUMP DD SYSOUT=*,DCB=(LRECL=200)
//SYSOUT DD SYSOUT=*
//SYSERR DD SYSOUT=*
You can now use exporter key AESDHKEK on system A, and the matching importer key AESDHKEK on system B.