Data encryption is a table-level option: a table defined with it stores its data in encrypted form.
Encryption and decryption are done at a basic level, using the encryption instructions of the z10 or later processor hardware. The basic method supports one encryption key "handle" per Directory (CXX), or per group of Directories, assigned as data is loaded. It does not provide a key manager and offers only simple strategies for managing that one key. Because the key handle is kept with the CXX, the key is available to anyone who has read access to the CXX or to a data area that contains an encrypted table; read access to those data sets is therefore equivalent to access to the key, and they must be protected accordingly.
Note: The DBUTLTY ENCRYPT function provides a SET_BASIC_KEY_n option (see DBUTLTY Encryption). The dynamic system table related to data encryption is DIR_TABLE (see Dynamic System Tables Data Encryption Considerations).
Important: Use data encryption with care. If the "handles" for the encryption key (explained in a following section) become corrupted, the encrypted data cannot be decrypted and cannot be made usable again.
Consider the following when using data encryption:
When you define a Log Area (LXX) as FORMAT 1 (see the CA Datacom/DB Database and System Administration Guide), you can specify that encrypted table data is logged to the LXX in its encrypted form rather than in the default clear form. Because the Recovery File (RXX) is a copy of the LXX, built during a SPILL of the LXX to the RXX, encrypted data in the LXX means encrypted data in the RXX as well. To let the DBUTLTY functions (and READRXX routines) that need it decrypt that data, the external key is stored with each log record. Decryption can only occur from an authorized program, so if this option is used, every DBUTLTY execution that uses the RXX, and every application program that uses READRXX, must run authorized under z/OS facilities.
Note: Do not select the option of recording encrypted data on the LXX (and therefore on the RXX) if you are not willing to run every application program that uses READRXX as an authorized program.
Running unauthorized produces error code 'N' from READRXX, DBUTLTY SPLIT, RECOVERY, or REPORT AREA=RXX. The LXX flag that indicates encrypted data can be reset only by an INIT or RESET of the LXX.
Important: Error code 'N' is returned for any unauthorized read of an RXX, whether or not that particular RXX actually contains encrypted data. Termination occurs before any RXX data is accessed.
Note: If the LXX FORMAT 1 option is selected, a table that is both encrypted and user compressed is logged in encrypted form; this overrides any use of the option not to log user-compressed data in its compressed format.
Important: Table encryption is not available in releases prior to CA Datacom Version 14.0. Load a table with encryption only after every condition has been met that guarantees you will not convert back from Version 14.0 to Version 12.0. If you convert back anyway, in disregard of the stated warnings, the CXX conversion marks the table as not loaded and not encrypted and removes all of its encryption information. The CXX itself carries no encryption key information through the conversion from Version 14.0 to Version 12.0, so that information is lost as well. Converting from Version 12.0 back to Version 14.0 restores nothing, because Version 12.0 has no knowledge of encryption and therefore holds no encryption information at either the table or the CXX level. A data area that contains an encrypted table is flagged so that it cannot be opened by any CA Datacom version prior to Version 14.0; any use of that area by an earlier release must begin with an initialize that overlays everything in the area.
The DBUTLTY ENCRYPT function provides a SET_BASIC_KEY_1 option. For details and examples, see the CA Datacom/DB DBUTLTY Reference Guide.
DBUTLTY provides a new report that includes encryption information, covering any basic encryption key information and the tables that are encrypted. Request it with the DBUTLTY REPORT function, TYPE=K. Encryption information is not considered a secret; because the report is a separate DBUTLTY function, you can restrict its use through external security. For details and examples, see the CA Datacom/DB DBUTLTY Reference Guide.
Table-level encryption information is also included in a full CXX report without TYPE=A. For details and examples, see the CA Datacom/DB DBUTLTY Reference Guide.
The CXX encryption information is backed up by the DBUTLTY BACKUP AREA=CXX function and restored to the CXX by either the LOAD AREA=CXX function or the CXXCLONE function when the DBID option is not specified. For details and examples, see the CA Datacom/DB DBUTLTY Reference Guide.
Copyright © 2015 CA Technologies.
All rights reserved.