Add Key Officer (ADDKEYOFR)

The Add Key Officer (ADDKEYOFR) command allows an authorized user to add a new Key Officer to the Symmetric Key Management System.

See Adding Key Officers in Getting Started.

NOTE: Any maintenance of the Key Officers is logged to an audit file.

The following users can use this command:

  • QSECOFR user profile (unless excluded in the Key Officer settings)
  • A user profile with *SECADM authority (unless excluded in the Key Officer settings)
  • A Key Officer who has *YES specified for the “Maintain key officers” authority setting

When a Key Officer is added, the following occurs:

  • If the User Profile is authorized to at least one option, then the User Profile is added to the PCRADMIN Authorization List with *USE Authority.
  • If the User is set to maintain any of the following: Key Policy, Key Officers, Load MEK Parts or Load MEK, then the User Profile is added to the CRVL001 object with *CHANGE Authority. The user profile running this command must have authority to run the ADDAUTLE and GRTOBJAUT commands.

How to Get There

From the Key Policy and Security Menu, choose option 11, Add Key Officer. Or, prompt (F4) the command CRYPTO/ADDKEYOFR.

Field Descriptions

Key officer user profile (USRPRF)

Specify an existing user profile on the System i.

Maintain key policy and alerts (MNTPCYALR)

Indicate if the Key Officer can change the key policy settings and can add, change or delete Alerts.

The possible values are:

*YES The Key Officer can change the key policy settings and can add, change or delete Alerts.
*NO The Key Officer cannot change the key policy settings and cannot add, change or delete Alerts.

Maintain key officers (MNTKEYOFR)

Indicate if the Key Officer can add, change and remove other Key Officers.

The possible values are:

*YES The Key Officer can add, change, and remove other Key Officers.
*NO The Key Officer cannot add, change, or remove other Key Officers.

Load MEK passphrase parts (LODMEKPRT)

Indicate if the Key Officer can specify passphrase parts for a Master Encryption Key (MEK).

The possible values are:

*YES The Key Officer can specify passphrase parts for a MEK.
*NO The Key Officer cannot specify passphrase parts for a MEK.

Set and clear MEKs (MNTMEK)

Indicate if the Key Officer can set (generate) or clear a Master Encryption Key (MEK).

The possible values are:

*YES The Key Officer can set or clear a MEK.
*NO The Key Officer cannot set or clear a MEK.

Maintain key stores (MNTKEYSTR)

Indicate if the Key Officer can create Key Stores or translate Key Stores to other Master Encryption Keys (MEKs).

The possible values are:

*YES The Key Officer can maintain Key Stores.
*NO The Key Officer cannot maintain Key Stores.

Maintain DEKs (MNTDEK)

Indicate if the Key Officer can create, copy or delete Data Encryption Keys (DEKs).

The possible values are:

*YES The Key Officer can maintain DEKs.
*NO The Key Officer cannot maintain DEKs.

Maintain Field Enc. Registry (MNTFLDENC)

Indicate if the Key Officer can maintain the Field Encryption Registry.

The possible values are:

*YES The Key Officer can maintain the Field Encryption Registry.
*NO The Key Officer cannot maintain the Field Encryption Registry.

Maintain IFS Enc. Registry (MNTIFSENC)

Indicate if the Key Officer can maintain the IFS Encryption Registry and other automatic IFS Encryption settings. Reserved for future use.

The possible values are:

*YES The Key Officer can maintain the IFS Encryption Registry and other automatic IFS Encryption settings.
*NO The Key Officer cannot maintain the IFS Encryption Registry and other automatic IFS Encryption settings.
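
The command in use, as an added example that is not part of the original documentation: it adds a hypothetical, already existing user profile KEYOFR1 with only the passphrase-part authority, then prints the two authority changes described under "When a Key Officer is added" so they can be reviewed. It assumes CRVL001 is a validation list (*VLDL) in library CRYPTO.

```cl
/* Added example. KEYOFR1 is a hypothetical user profile that     */
/* must already exist on the system.                              */
PGM

  /* Grant only the authority to enter MEK passphrase parts.      */
  /* Every other Key Officer authority is explicitly set to *NO.  */
  CRYPTO/ADDKEYOFR USRPRF(KEYOFR1) +
                   MNTPCYALR(*NO)  +
                   MNTKEYOFR(*NO)  +
                   LODMEKPRT(*YES) +
                   MNTMEK(*NO)     +
                   MNTKEYSTR(*NO)  +
                   MNTDEK(*NO)     +
                   MNTFLDENC(*NO)  +
                   MNTIFSENC(*NO)

  /* At least one option is authorized, so KEYOFR1 should now be  */
  /* listed in the PCRADMIN authorization list with *USE.         */
  DSPAUTL AUTL(PCRADMIN) OUTPUT(*PRINT)

  /* LODMEKPRT(*YES) is one of the settings that adds the profile */
  /* to CRVL001 with *CHANGE authority.                           */
  /* Assumption: CRVL001 is a *VLDL object in library CRYPTO.     */
  DSPOBJAUT OBJ(CRYPTO/CRVL001) OBJTYPE(*VLDL) OUTPUT(*PRINT)

ENDPGM
```

The profile running this program needs authority to the ADDAUTLE and GRTOBJAUT commands, as stated above, in addition to being permitted to use ADDKEYOFR.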