

Terminology

AES

Advanced Encryption Standard

Asymmetric key

Different keys are used for encryption and decryption. They are known as the public key and the private key.

CKDS

ICSF Cryptographic Key Data Set, the storage vehicle for symmetric keys

CPACF

Central Processor Assist for Cryptographic Functions

DSS

Data Security Standard

IBM CPACF and ICSF services
ICSF

Integrated Cryptographic Service Facility

MSM

CA Mainframe Software Manager

PAX

UNIX file system archive file

PCI

Payment Card Industry

PCI compliance

Meeting the standards that were created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise

Symmetric Key

The same key is used for both encryption and decryption

Enable AES Encryption of Reports

You can now enable AES encryption of reports stored in CA View, CA Dispatch, CA Bundl, or in CA Spool.

To set up encryption in CA Spool

  1. Determine the IBM hardware that is in use.
  2. Review the encryption information.

    z9 hardware from IBM supports only 128-bit AES; however, the z10 hardware supports 256-bit AES.

    Also, note the following conditions:

    Notes:

  3. Set the SPOOLENC initialization parameter and restart CA Spool.
  4. (Optional) Update the ESFSPTP backup-restore utility encryption parameter.

    Set your encryption preference in the EXEC statement. This parameter specifies whether an ESFSPTP backup data set must be AES encrypted or not.

    ENCRYPT=YES | nnn | NO
    

    Note: If ENCRYPT is not specified, encryption defaults to the SPOOLENC= parameter value for the specified SUBSYS= CA Spool subsystem.

CA Spool Health Checker Interface

CA Spool is now integrated with the IBM Health Checker for z/OS through the CA Health Checker Common Service, and automatically checks for the following potential problems:

SPOOL_SPACE_PCT@jobname

Monitors space in the CA Spool data sets to ensure that sufficient spool space is available to allow for more spool files.

SPOOL_FILE_QUEUE_PCT@jobname

Monitors file queue elements in use, to ensure that sufficient free file queue elements are available to allow for more spool files.

SPOOL_TCP_ACT@jobname

Monitors the number of concurrently active TCP/IP subtasks and warns if the maximum of 128 subtasks is being reached.

SPOOL_TRANSFRM_ACT@jobname

Monitors the number of concurrently active Transformer subtasks and warns if the maximum number of Transformer subtasks is being reached.

SPOOL_CKPT_ACT@jobname

Warns if the CA Spool system has not updated the checkpoint within the CKPTIME= specified time interval.

Warns if the CA Spool EMAS/MAS complex member has not been able to get access to the checkpoint within the WARNTIM= specified time interval.

SPOOL_OPT_ENCRYPT@STCname

Warns that CA Spool has detected a setting of SPOOLENC=YES, but encryption hardware is not installed on this computer.

CA Spool can encrypt and decrypt reports without encryption hardware, but emulating encryption hardware is CPU intensive, and it is more efficient to run all archiving and browsing tasks for encrypted databases on a computer that supports hardware encryption.

The product owner for all CA Spool health checks is CA_SPOOL.

Evaluating the conditions reported by these health checks helps ensure proper product performance.