

Encryption Keys Considerations and Warnings
Note the following:
- When you are using the encryption feature, it is important that you take regular backups of your ICSF Key Store Data set (CKDS).
Important! Loss or corruption of your CKDS can result in a complete data loss of all encrypted reports.
- If you have configured a CA Spool MAS/EMAS complex and are sharing spool datasets between multiple LPARs or computers, you must share the SAME CKDS data set on all LPARs or computers.
Using multiple CKDS data sets for a CA Spool MAS/EMAS complex can result in a partial data loss where reports are readable on some computers and not readable on others.
- If you want to use encryption and you are not running a Sysplex Environment (where the CKDS data set is shared across the Plex), do not configure a CA Spool MAS/EMAS complex.
- If you are sharing the ICSF CKDS data set between multiple z/OS systems, the ICSF SYSPLEXCKDS(YES,FAIL(xxx)) parameter MUST be specified in the ICSF installation options data set. This allows newly created keys to be shared with other running ICSF systems. Without this parameter, the ICSF in-memory copy of the CKDS will be out of sync between the systems and result in reports being encrypted with one key and later incorrectly decrypted with another key. When this occurs, the original keys are replaced with keys from another system. Reports using the original keys can no longer be decrypted.
- When the encryption feature is enabled, all report data are encrypted on both disk and tape. This includes the CA Spool ESFSPTP backup/restore unloaded disk and tape data sets.
Important! CA Spool does not keep a local copy of the encryption key; it stores a clear 256-bit encryption key in the ICSF Key store (CKDS). CA Spool only accesses the CKDS through the ICSF services – it does not require any security permissions to access this data set. We recommend that you use your external security package to prevent unauthorized browsing of the CKDS data set.
We recommend that all EMAS/MAS members use the same set of initialization parameters.
CA Spool uses ICSF as a key store.
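The shared-CKDS and SYSPLEXCKDS requirements above can be checked before enabling encryption. The following is an added example, not CA Spool or ICSF code: it audits plain-text copies of each system's ICSF installation options for a CKDS data set name mismatch and a missing SYSPLEXCKDS(YES,FAIL(...)). The LPAR names, data set names and sample members are constructed, and CKDSN is the ICSF option that names the CKDS (it is not mentioned on this page).

```python
import re

# Constructed sample ICSF installation options, one member per system (assumed names).
SAMPLE_OPTIONS = {
    "LPARA": """
        /* constructed sample */
        CKDSN(SYS1.ICSF.CKDS)
        SYSPLEXCKDS(YES,FAIL(YES))
    """,
    "LPARB": """
        CKDSN(SYS1.ICSF.CKDS)
        SYSPLEXCKDS(NO,FAIL(NO))
    """,
    "LPARC": """
        CKDSN(SYS2.ICSF.CKDS)   /* different data set */
    """,
}

COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Capture the keyword and its first operand, e.g. YES from SYSPLEXCKDS(YES,FAIL(YES)).
OPTION = re.compile(r"\b(CKDSN|SYSPLEXCKDS)\s*\(\s*([^,()\s]+)", re.I)

def parse_options(text):
    """Return {keyword: first operand} for the options this check cares about."""
    text = COMMENT.sub(" ", text)
    return {m.group(1).upper(): m.group(2).upper() for m in OPTION.finditer(text)}

def audit(members):
    """Return findings for a set of systems that share CA Spool spool data sets."""
    parsed = {lpar: parse_options(text) for lpar, text in members.items()}
    findings = []
    names = {opts.get("CKDSN") for opts in parsed.values()}
    if len(names) > 1:
        listed = ", ".join(sorted(str(n) for n in names))
        findings.append("CKDSN differs across systems: " + listed)
    shared = len(parsed) > 1  # SYSPLEXCKDS only matters when the CKDS is shared
    for lpar, opts in sorted(parsed.items()):
        if "CKDSN" not in opts:
            findings.append(f"{lpar}: no CKDSN option found")
        if shared and opts.get("SYSPLEXCKDS") != "YES":
            findings.append(f"{lpar}: SYSPLEXCKDS(YES,FAIL(...)) not specified")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_OPTIONS):
        print(finding)
```

An empty result means every member names the same CKDS and specifies SYSPLEXCKDS(YES,...); any finding should be resolved before reports are encrypted.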
Copyright © 2015 CA Technologies.
All rights reserved.