How Tape Encryption Works for Tape Management Systems
This section describes how encryption processing works for CA 1, CA TLMS, and DFSMSrmm, and for other OEM tape management systems once their vendors introduce support for CA Tape Encryption.
CA Tape Encryption uses the description field in the DFSMS data class or the security protection profiles defined to your security system to determine whether a tape is eligible for encryption. The following list summarizes how the tape encryption process works in your z/OS environment:
- CA Tape Encryption recognizes that a tape data set is eligible for tape encryption processing depending on how your environment is set up.
- When using DFSMS, CA Tape Encryption recognizes an output tape file that is assigned to an encryption data class. The key name specified in the data class description field is matched to the keys defined in parmlib. The encryption algorithm defined for that key in parmlib is then selected to encrypt the tape file.
- When using your security system to control the tape encryption process, the userdata field defined in the security rules contains information on the keys to use. The encryption algorithm defined for that key in parmlib is then selected to encrypt the tape file.
For B2B tapes based on public key/private key pairs, the existing security system is called to provide an appropriate digital certificate.
- The CA Encryption Subsystem, BES, calls ICSF and CPACF for key generation and encryption services.
- The data is encrypted and written to tape.
- Tape labels are updated with User Header Labels (UHLs) to include information about how the tape is encrypted. This automatically converts the tape from a standard label (SL) tape to an SUL tape.
- The user header labels are dynamically removed when the tape is read and decrypted. The labels are not seen by the application.
- The user header labels contain different information depending on whether the tape is intended for in-house or B2B use.
Note: All of the tape encryption processing is transparent to the user.