Change Symmetric Key (CHGSYMKEY)

The CHGSYMKEY command allows authorized users to change the attributes of an existing Data Encryption Key (Symmetric Key).

The following users can utilize the CHGSYMKEY command:

  • QSECOFR user profile (unless excluded in the Key Officer settings)
  • A user profile with *SECADM authority (unless excluded in the Key Officer settings)
  • A Key Officer that has *YES specified for the “Maintain DEKs” authority setting

The user must have *CHANGE authority to the Validation List (*VLDL) object containing the Key Store.

 

Change Symmetric Key (CHGSYMKEY) 

Type choices, press Enter.   
                                                                                
Key label  . . . . . . . . . . .   SSNKEY              

Key store name . . . . . . . . .   PAYROLLDEK    Name, *DEFAULT    

  Library  . . . . . . . . . . .     KEYSTRLIB   Name   

Encryption allowed with key  . .   *YES          *YES, *NO

Decryption allowed with key  . .   *YES          *YES, *NO

Log encryption usage . . . . . .   *NO           *YES, *NO

Log decryption usage . . . . . .   *NO           *YES, *NO  

Key generation option  . . . . . > *REMOTE       *RANDOM, *REMOTE, *PASS...   

Screen Example:  CHGSYMKEY Command with Sample Values

How to Get There

From the Symmetric Encryption Key Menu, choose option 12.

Options

Key label (KEYLABEL)

Indicate the unique name (label) of the Key.

Key store name (KEYSTR)

Indicate the object name and library of the Key Store which contains the Symmetric Key.

key-store-name
Enter the name of the Key Store.
*DEFAULT
Use the default Key Store name specified at the Key Policy level.

The possible library values are:

library-name
Enter the name of the library where the Key Store is located.

Encryption allowed with key (ENCRYPTALW)

Indicate if this key can be used to encrypt data.

The possible values are:

*YES
This key can be used to encrypt data.
*NO
This key cannot be used to encrypt data.

Decryption allowed with key (DECRYPTALW)

Indicate if this key can be used to decrypt data.

The possible values are:

*YES
This key can be used to decrypt data.
*NO
This key cannot be used to decrypt data.

Log encryption usage (LOGENCRYPT)

Indicate if the usage of the Key for encryption purposes will be logged into the audit journal file.

The possible values are:

*YES
Usage of the key for encryption will be logged.
*NO
Usage of the key for encryption will not be logged.

Log decryption usage (LOGDECRYPT)

Indicate if the usage of the Key for decryption purposes will be logged into the audit journal file.

The possible values are:

*YES
Usage of the key for decryption will be logged.
*NO
Usage of the key for decryption will not be logged.

Key generation option (GENOPT)

Indicate the option used to generate the Symmetric Key.

The possible values are:

*RANDOM
The Key is randomly generated by Powertech Encryption. This is the preferred option.
*REMOTE
The key value is stored in an External Key Manager.
*PASS
The Key is generated based on a user-entered passphrase, iteration count and salt. The Key is derived with PBKDF2, the password-based key derivation function specified in RFC 2898.
*MANUAL
The Key value is manually entered by the user.
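
The *PASS derivation described above, written out from the RFC 2898 definition in Python. This is an added example, not Powertech Encryption's own code. The PRF (HMAC-SHA-256), the 32-byte key length, the function names and all sample values are assumptions; the page does not state which PRF or key length the product uses.

```python
import hashlib
import hmac
import struct

# Assumptions for this example (not stated on the page): HMAC-SHA-256 as the
# PRF and a 32-byte (256-bit) key. All sample values below are constructed.


def pbkdf2(passphrase: bytes, salt: bytes, iterations: int, dklen: int,
           digest: str = "sha256") -> bytes:
    """PBKDF2 as defined in RFC 2898, section 5.2."""
    if iterations < 1 or dklen < 1:
        raise ValueError("iterations and dklen must be positive")
    hlen = hashlib.new(digest).digest_size
    blocks = -(-dklen // hlen)  # ceil(dklen / hlen)
    out = b""
    for i in range(1, blocks + 1):
        # U_1 = PRF(P, S || INT(i)); U_j = PRF(P, U_{j-1})
        # T_i = U_1 xor U_2 xor ... xor U_c
        u = hmac.new(passphrase, salt + struct.pack(">I", i), digest).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(passphrase, u, digest).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(hlen, "big")
    return out[:dklen]


def derive_dek(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit key from passphrase, salt and iteration count."""
    return pbkdf2(passphrase.encode("utf-8"), salt, iterations, 32)


if __name__ == "__main__":
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    key = derive_dek("correct horse battery staple", salt, 10_000)
    print(key.hex())
```

The derived key is fully determined by the passphrase, salt and iteration count, so its strength is bounded by the passphrase and the same three inputs always regenerate the same key.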

External key manager (EXTKEYMGR)

Valid for GENOPT(*REMOTE).

Indicate the name of the External Key Manager that contains the remote key. The properties for the External Key Manager must be predefined using the WRKEKM command.

External key label (EXTKEYLBL)

Valid for GENOPT(*REMOTE).

Indicate the label (or name) of the remote key in the External Key Manager.

The key label is case sensitive.

External key store name (EXTKEYSTR)

Valid for GENOPT(*REMOTE).

If the remote key is in the product, then specify the name of the remote key store that contains the key.

ext-key-store-name
Specify the name of the Key Store.
*DEFAULT
Use the default Key Store name specified at the Key Policy level on the remote server.

The possible library values are:

library-name
Specify the name of the library where the Key Store is located.

 
