How CA Tape Encryption Works with ICSF
If you have enabled IBM Integrated Cryptographic Service Facility (ICSF), CA Tape Encryption exploits it to create and manage cryptographic keys and to provide selected algorithms for interfacing with cryptographic hardware. Consider the following process for working with ICSF:
- Running ICSF is optional.
- ICSF must be running when selecting SecureKeysOnly.
- ICSF is not required for AES algorithms; however, for optimal performance we recommend you install it.
- When CA Tape Encryption encounters a file that requires encryption, it does one of the following:
  - If the IBM CP Assist for Cryptographic Functions (CPACF) is enabled and supports the algorithm, then it invokes CPACF instructions on z890, z990, and z9 platforms.
  - If CPACF is not enabled or does not support the algorithm and the IBM Integrated Cryptographic Service Facility (ICSF) is enabled, then it calls on the cryptographic services of ICSF.
  - For AES algorithms, if CPACF is not enabled or does not support the algorithm (on z890, z990, and z9 platforms) and ICSF is not enabled, then it uses its own AES algorithm.
- If you have enabled ICSF, note that it is used only for the AES192 and AES256 algorithms on the z9 platform (AES128 is supported by CPACF on the z9 platform).
- ICSF may be exploited to generate keys for encrypting data before the data is written to tape, depending on the type of key and how the key will be used, for example, with SecureKeysOnly.
- For tapes encrypted for in-house use, keys can be stored in the ICSF Cryptographic Key Data Set (CKDS) or the CA Encryption Subsystem (BES) database. If the CKDS is selected to store the keys, ICSF must be running on the system.
- For tapes encrypted for business partners, a randomly generated symmetric key is stored temporarily in the BES database.
Note: For more information about sending tapes to business partners, see How B2B Encryption Works.
- When a tape is read, CA Tape Encryption uses a key label stored in the CA Tape Encryption database to reference the key stored in the ICSF CKDS or BES database, which is then used to decrypt the data on the tape.
Note: For more information about managing and transporting keys for in-house tapes, see In-House Keys in the chapter “Defining Keys in Parmlib.”
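The provider-selection order and the ICSF prerequisites above, written out as a small Python model so a configuration can be checked before a tape job is run. This is an added example, not CA's own code; the function names, the provider labels ("CPACF", "ICSF", "SOFTWARE_AES") and the key-store labels ("CKDS", "BES") are assumptions for illustration.

```python
# Added example, not CA Tape Encryption's own code: a model of the
# provider-selection and prerequisite rules this page states. The names and
# labels used here are assumptions chosen for illustration.

AES_ALGORITHMS = {"AES128", "AES192", "AES256"}


def select_provider(algorithm, cpacf_enabled, cpacf_supports_algorithm, icsf_running):
    """Return which component encrypts one file.

    Order follows the page: CPACF instructions first (z890/z990/z9), then
    ICSF services, then CA Tape Encryption's own AES implementation.
    """
    if cpacf_enabled and cpacf_supports_algorithm:
        return "CPACF"
    if icsf_running:
        return "ICSF"
    if algorithm in AES_ALGORITHMS:
        return "SOFTWARE_AES"
    # The page describes a software fallback only for AES; treating any other
    # algorithm as unavailable here is an assumption of this model.
    raise ValueError(f"no provider available for {algorithm}")


def z9_aes_provider(algorithm, cpacf_enabled, icsf_running):
    """z9 case from the page: CPACF covers AES128; AES192/AES256 go to ICSF."""
    supported_by_cpacf = algorithm == "AES128"
    return select_provider(algorithm, cpacf_enabled, supported_by_cpacf, icsf_running)


def validate_configuration(secure_keys_only, key_store, icsf_running):
    """Return the list of prerequisite violations (empty means OK).

    key_store is "CKDS" (ICSF Cryptographic Key Data Set) or "BES"
    (CA Encryption Subsystem database) for in-house tapes.
    """
    problems = []
    if secure_keys_only and not icsf_running:
        problems.append("SecureKeysOnly selected but ICSF is not running")
    if key_store == "CKDS" and not icsf_running:
        problems.append("keys stored in the ICSF CKDS but ICSF is not running")
    return problems
```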