While CA Tape Encryption will allow you to migrate your keys from the CKDS back into the BES database for your disaster recovery backup strategies, doing so will result in keys appearing in the clear for brief periods of time. This violates the concept of maintaining secure keys at all times. To ensure that keys never appear in clear text, your disaster recovery strategies would require procedures for backing up and recovering the CKDS in addition to backing up the BES database. You should never migrate keys from the CKDS to the BES database if your objective is strictly to maintain keys as secure keys.
Important! There are very specific disaster recovery considerations that must be taken into account to ensure the recoverability of the ICSF CKDS. Read the IBM documentation on ICSF and the CKDS carefully and take steps to ensure that your CKDS is recoverable in a disaster if you plan on using the CKDS to store your cryptographic keys.
While the CCF hardware is FIPS certified and never uses clear keys, CA Tape Encryption supports storing keys in its database rather than the CKDS, even on platforms with CCF. This means that keys read from the BES database are in the clear for a brief period of time while they are converted into CCF secure keys. Therefore, to ensure that keys are always handled as secure keys, CCF users should also use the SecureKeysOnly parmlib option and follow the disaster recovery recommendations in this section.
Copyright © 2011 CA. All rights reserved.