Performing Recovery OperationsTBEMIGRT UtilityHow You Modify Your Configuration to Add a System With No CKDS Support › Move Keys to a BES Database for Sharing Keys

Previous Topic: How You Modify Your Configuration to Add a System With No CKDS Support

Next Topic: How You Modify Your Configuration for Key Management for CPU Upgrades

Move Keys to a BES Database for Sharing Keys

You can move keys from CKDS to a shared BES database to share keys across systems that have cryptographic coprocessors with systems at your site that do not support CKDS.

To move keys to a BES database for sharing

  1. Run TBEMIGRT with the following PARM= syntax: 
    PARM='BES=BESn,FROMCKDS,MOVE'
    n

    Indicates the subsystem of the BES database you want to share across subsystems.

    This moves the keys to the specified BES subsystem and removes them from the CKDS.

  2. Specify the following attribute in the startup options in parmlib: 
    KeysDatabase=BES

    This ensures that your symmetric keys are stored in the BES database, and allows all systems performing tape encryption and decryption to use the same keys.