Using CA Tape Encryption in Your z/OS Environment › Analysis and Preparation for Tape Encryption
Analysis and Preparation for Tape Encryption
Before you perform tape encryption, you need to analyze your environment and perform some preliminary preparation. In the first part of the process, you perform the following tasks:
- Analyze the data produced in your environment to determine which data that is written to tape requires encryption.
- Determine whether the tape will be used in-house or sent to a business partner.
- Determine an encryption algorithm or algorithms to use.
- Edit parmlib to specify key names, the algorithm to use, the number of generations, and other parameters.
If you are using DFSMS, other tasks and considerations for the system programmer include the following:
- Update the DFSMS Automatic Class Selection (ACS) routines to assign tapes to a DFSMS data class for encryption purposes.
- Specify an assigned encryption data class in your JCL using the DATACLAS= parameter, if desired.
- Update the ACS routines to ensure that they do not override the JCL DATACLAS parameter if your site chooses to allow programmers to request encryption through the use of this parameter.
- Specify a data class in the JCL or assign one by the DFSMS ACS routines to request encryption when you create a tape.
- Specify different data classes for different encryption purposes.
If you are using your security system to manage tape encryption, other tasks and considerations for the system programmer include the following:
- Define the CA@BES security resource class to your security system.
- Update the data set profiles of the data sets you want to encrypt. This also specifies the type of encryption key to use for encrypting the data set.
- Specify protection profiles for commands, keys, and utilities.
Note: The Multiplatform Decryption Utility (MDU), which your non-z/OS business partners use to decrypt data encrypted by CA Tape Encryption, only supports the decryption of standard fixed or fixed-blocked datasets.
