Change Key Officer (CHGKEYOFR)
The Change Key Officer (CHGKEYOFR) command allows an authorized user to change a Key Officer within the Symmetric Key Management System.
The following users can use this command:
- QSECOFR user profile (unless excluded in the Key Officer settings)
- A user profile with *SECADM authority (unless excluded in the Key Officer settings)
- A Key Officer that has *YES specified for the “Maintain key officers” authority setting
When a Key Officer is changed the following will occur:
- If the User Profile is changed to be authorized to at least one option, then the User Profile is added to the PCRADMIN Authorization List with *USE Authority.
- If the User Profile is changed to not be authorized to at least one option, then the User Profile is removed from the PCRADMIN Authorization List.
- If the User is changed to maintain any of the following: Key Policy, Key Officers, Load MEK Parts or Load MEK, then the User Profile is added to the CRVL001 object with *CHANGE Authority.
- If the User is changed to not maintain any of the following: Key Policy, Key Officers, Load MEK Parts or Load MEK, then the User Profile is removed from the CRVL001 object.
The user profile running this command must have authority to run the ADDAUTLE command or RMVAUTLE command depending on how the entry is changed.
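The rules above can be used to reconcile Key Officer settings against the entries actually present on PCRADMIN and CRVL001. The following Python sketch is an added example, not part of the product or its documentation; the user names and entry data are constructed, settings are modeled as booleans, and the mapping of "Load MEK" to the MNTMEK parameter is an assumption.

```python
# Added example: reconcile Key Officer settings with the authorization
# entries the rules on this page say CHGKEYOFR should leave behind.

# Parameter keywords from the Field Descriptions on this page.
ALL_OPTIONS = ("MNTPCYALR", "MNTKEYOFR", "LODMEKPRT", "MNTMEK",
               "MNTKEYSTR", "MNTDEK", "MNTFLDENC", "MNTIFSENC")

# Key Policy, Key Officers, Load MEK Parts, Load MEK.
# Assumption: "Load MEK" corresponds to the MNTMEK parameter.
CRVL001_OPTIONS = {"MNTPCYALR", "MNTKEYOFR", "LODMEKPRT", "MNTMEK"}


def expected_entries(settings):
    """Return the authority one Key Officer should hold on each object.

    settings maps a parameter keyword to True when the option is granted.
    None means the user profile should not appear on that object at all.
    """
    granted = {opt for opt in ALL_OPTIONS if settings.get(opt, False)}
    return {
        "PCRADMIN": "*USE" if granted else None,
        "CRVL001": "*CHANGE" if granted & CRVL001_OPTIONS else None,
    }


def audit(officers, actual):
    """Return (user, object, expected, found) for every mismatch."""
    findings = []
    for user, settings in sorted(officers.items()):
        for obj, want in expected_entries(settings).items():
            have = actual.get(obj, {}).get(user)
            if have != want:
                findings.append((user, obj, want, have))
    return findings


# Constructed sample data (hypothetical user profiles).
OFFICERS = {
    "KEYOFR1": {"MNTKEYOFR": True, "MNTDEK": True},  # admin-level option
    "KEYOFR2": {"MNTDEK": True},                     # DEK maintenance only
    "KEYOFR3": {},                                   # no options granted
}
ACTUAL = {
    "PCRADMIN": {"KEYOFR1": "*USE", "KEYOFR2": "*USE", "KEYOFR3": "*USE"},
    "CRVL001": {"KEYOFR1": "*CHANGE", "KEYOFR2": "*CHANGE"},
}

if __name__ == "__main__":
    for user, obj, want, have in audit(OFFICERS, ACTUAL):
        print(f"{user}: {obj} expected {want}, found {have}")
```

Each finding is an entry that the rules say should have been added or removed, such as a leftover *CHANGE entry on CRVL001 for an officer who no longer maintains any of the four listed options.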
How to Get There
From the Key Policy and Security Menu, choose option 12, Change Key Officer. Or, prompt (F4) the command CRYPTO/CHGKEYOFR.
Field Descriptions
Key officer user profile (USRPRF)
Specify the Key Officer's user profile on the System i.
Maintain key policy and alerts (MNTPCYALR)
Indicate if the Key Officer can change the key policy settings and can add, change or delete Alerts.
The possible values are:
Maintain key officers (MNTKEYOFR)
Indicate if the Key Officer can add, change and remove other Key Officers.
The possible values are:
Load MEK passphrase parts (LODMEKPRT)
Indicate if the Key Officer can specify passphrase parts for a Master Encryption Key (MEK).
The possible values are:
Set and clear MEKs (MNTMEK)
Indicate if the Key Officer can set (generate) or clear a Master Encryption Key (MEK).
The possible values are:
Maintain key stores (MNTKEYSTR)
Indicate if the Key Officer can create Key Stores or translate Key Stores to other Master Encryption Keys (MEKs).
The possible values are:
Maintain DEKs (MNTDEK)
Indicate if the Key Officer can create, copy or delete Data Encryption Keys (DEKs).
The possible values are:
Maintain Field Enc. Registry (MNTFLDENC)
Indicate if the Key Officer can maintain the Field Encryption Registry.
The possible values are:
Maintain IFS Enc. Registry (MNTIFSENC)
Indicate if the Key Officer can maintain the IFS Encryption Registry and other automatic IFS Encryption settings. Reserved for future use.
The possible values are: