Change Key Policy (CHGKEYPCY)

The Change Key Policy (CHGKEYPCY) command allows you to specify the policy settings for the Symmetric Key Management System.

For details and recommended settings, see Configuring Key Policy Settings in Getting Started.

NOTE: Any change to the Key Policy settings is logged to an audit file.

The following users can use this command:

  • QSECOFR user profile (unless excluded in the Key Officer settings)
  • A user profile with *SECADM authority (unless excluded in the Key Officer settings)
  • A Key Officer that has a *YES specified for the “Maintain key policy and alerts” authority setting

How to Get There

From the Key Policy and Security Menu, choose option 1, Change Key Policy. Or, prompt (F4) the command CRYPTO/CHGKEYPCY.

Field Descriptions

MEK number of passphrase parts (MEKPRT)

Indicates the number of passphrase parts that must be entered (loaded) before a Master Encryption Key (MEK) can be generated (set).

MEK each part by unique user (MEKUNQUSR)

Indicates whether or not each MEK (Master Encryption Key) passphrase part must be entered (loaded) by a different user profile.

The possible values are:

*YES Each MEK passphrase part must be loaded by a different user profile.
*NO Each MEK passphrase part can be loaded by the same user profile.

DEK default key store name (DEKKEYSTR)

Indicates the object name and library of the default Key Store which contains the Data Encryption Keys (DEK).

The possible values are:

key-store-name Enter the name of the default Key Store.
*NONE No default Key Store is specified.

The possible library values are:

library-name Enter the name of the library where the Key Store is located.

DEK can be randomly generated (DEKRNDGEN)

Indicates whether a Data Encryption Key (DEK) can be randomly generated with the CRTSYMKEY (Create Symmetric Key) command.

The possible values are:

*YES A DEK can be randomly generated with the CRTSYMKEY command.
*NO A DEK cannot be randomly generated with the CRTSYMKEY command.

DEK can be passphrase based (DEKPASBSD)

Indicates whether a Data Encryption Key (DEK) can be generated with a user-entered passphrase with the CRTSYMKEY (Create Symmetric Key) command.

The possible values are:

*YES A passphrase-based DEK can be generated with the CRTSYMKEY command.
*NO A passphrase-based DEK cannot be generated with the CRTSYMKEY command.

DEK can be manually entered (DEKMANENT)

Indicates whether a Data Encryption Key (DEK) value can be manually entered with the CRTSYMKEY (Create Symmetric Key) command.

The possible values are:

*YES A manually entered DEK can be specified on the CRTSYMKEY command.
*NO A manually entered DEK cannot be specified on the CRTSYMKEY command.

DEK values can be retrieved (DEKRTVVAL)

Indicates whether Data Encryption Key (DEK) values can be retrieved with the EXPSYMKEY (Export Symmetric Key) command.

The possible values are:

*YES A DEK value can be retrieved.
*NO A DEK value cannot be retrieved.
*KEK A DEK value can be retrieved only if it is encrypted with a Key Encryption Key (KEK).

DEK encrypt usage by owner (DEKENCOWN)

Indicates whether the user profile which created a Data Encryption Key (DEK) can use that DEK to encrypt data.

The possible values are:

*YES The user that created the DEK can use the DEK to encrypt data.
*NO The user that created the DEK cannot use the DEK to encrypt data.

DEK decrypt usage by owner (DEKDECOWN)

Indicates whether the user profile which created a Data Encryption Key (DEK) can use that DEK to decrypt data.

The possible values are:

*YES The user that created the DEK can use the DEK to decrypt data.
*NO The user that created the DEK cannot use the DEK to decrypt data.

DEK can be deleted (DEKDLTALW)

Indicates whether a Data Encryption Key (DEK) can be deleted from a Key Store.

The possible values are:

*YES A DEK can be deleted from a Key Store.
*NO A DEK cannot be deleted from a Key Store.

Limit all-object authority (LMTALLOBJ)

Indicates whether to limit authority for users with *ALLOBJ special authority to Key Stores and Authorization Lists used in the Field Registry.

The possible values are:

*NO If the user has *ALLOBJ special authority, IBM's QSYCUSRA API is used to check whether the user is authorized to the requested Key Store or Authorization List. Because *ALLOBJ satisfies that check, users with *ALLOBJ authority are always authorized. This is the default setting.

*YES If the user has *ALLOBJ special authority, Powertech Encryption performs its own authority check on the requested Key Store or Authorization List instead of calling IBM's QSYCUSRA API. The user profile (or a group profile to which it belongs) must be explicitly listed as an authority entry, with at least *USE authority, on the Key Store or Authorization List.
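The following CL is an added example, not taken from the product documentation, showing a permissive policy beside a hardened one built from the parameters described above, followed by the authority entries a profile needs once LMTALLOBJ(*YES) is in effect. The value MEKPRT(2), the Key Store MYLIB/KEYSTORE, the user profile KEYUSER and the Authorization List KEYAUTL are assumed names and values; the page does not state the valid range for MEKPRT or the object type of a Key Store, so check both on your release before running it.

```cl
/* Added example (not from the product documentation). MEKPRT(2),   */
/* MYLIB/KEYSTORE, KEYUSER and KEYAUTL are assumed names and values. */

/* Permissive policy: one person can set the MEK, DEKs may be typed  */
/* in or derived from a passphrase, DEK values export in the clear,  */
/* the key creator may use the key, and *ALLOBJ bypasses the check.  */
CRYPTO/CHGKEYPCY MEKPRT(1) MEKUNQUSR(*NO) DEKKEYSTR(MYLIB/KEYSTORE) +
    DEKRNDGEN(*YES) DEKPASBSD(*YES) DEKMANENT(*YES) DEKRTVVAL(*YES) +
    DEKENCOWN(*YES) DEKDECOWN(*YES) DEKDLTALW(*YES) LMTALLOBJ(*NO)

/* Hardened policy: split knowledge for the MEK (two parts entered   */
/* by two different profiles), DEKs only from random generation,     */
/* export only when wrapped under a KEK, the profile that creates a  */
/* DEK cannot encrypt or decrypt with it, DEKs cannot be deleted,    */
/* and *ALLOBJ profiles must hold an explicit authority entry.       */
CRYPTO/CHGKEYPCY MEKPRT(2) MEKUNQUSR(*YES) DEKKEYSTR(MYLIB/KEYSTORE) +
    DEKRNDGEN(*YES) DEKPASBSD(*NO) DEKMANENT(*NO) DEKRTVVAL(*KEK) +
    DEKENCOWN(*NO) DEKDECOWN(*NO) DEKDLTALW(*NO) LMTALLOBJ(*YES)

/* With LMTALLOBJ(*YES) the profile (or its group) needs at least    */
/* *USE on the Key Store and on any Authorization List it will use.  */
/* GRTOBJAUT, ADDAUTLE and DSPAUTL are standard IBM i commands; the  */
/* Key Store object type is not given on this page, so *ALL is used. */
GRTOBJAUT OBJ(MYLIB/KEYSTORE) OBJTYPE(*ALL) USER(KEYUSER) AUT(*USE)
ADDAUTLE  AUTL(KEYAUTL) USER(KEYUSER) AUT(*USE)

/* Verify the Authorization List entry was added.                    */
DSPAUTL   AUTL(KEYAUTL)
```

Because every CHGKEYPCY change is written to the audit file, run the hardened command once from a Key Officer profile that has the "Maintain key policy and alerts" authority and keep the resulting audit entry as the record of when the policy took effect.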