How B2B Keys Work with Digital Certificates
Use B2B keys to securely transfer encrypted tapes from one organization to another. The following points outline this process:
- Obtain the digital certificate of the business partner before creating a tape. Your security system software stores the digital certificate for use as needed.
- Use DFSMS to define one or more data classes for encrypting B2B tapes, or use the CA@BES class with your security system.
- Specify the attributes for B2B key rings in the <B2BKeyrings> section of parmlib.
- During tape OPEN for output processing, CA Tape Encryption encounters a tape file that is classified by its data class as a B2B tape requiring encryption.
- The ShareRingAlias and Keyringname attributes specify the key ring name that contains the digital certificate for the particular business partner.
- CA Tape Encryption interfaces with the security system to access the digital certificate that contains the public key of the business partner.
- A symmetric key is randomly generated and is used in the following manner:
  - Used to encrypt the data on the tape.
  - Retained in the BES database for a specified and limited period of time so that the tape can be added to or read if necessary.
  - Only for use with this particular tape. It is not reused.
- The public key is used to encrypt the symmetric key.
- Information is stored in header labels on the tape to identify it as being encrypted by CA Tape Encryption.
- The encrypted symmetric key is stored in a header label on the tape.
- When the application writes data to the tape, CA Tape Encryption intercepts the data and encrypts it using the symmetric key.
- The encrypted tape is sent to the business partner.
- To read the encrypted tape, the business partner must have the freely distributed version of CA Tape Encryption or one of the CA Tape Encryption options installed on their system.
- When CA Tape Encryption encounters an encrypted tape, the program does the following:
  - Interfaces with the security system to verify that the user is authorized to read the tape.
  - Accesses the private key portion of the digital certificate that was used to encrypt the symmetric key.
  - Uses the private key to decrypt the symmetric key.
  - Uses the symmetric key to decrypt the data on the tape so that the business partner can read it.
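The write and read sides of this process, as an added example that is not CA Tape Encryption's own code: a per-tape symmetric key encrypts the data, the partner's public key wraps that key into the header label, and only the matching private key can unwrap it. The page names no algorithms, so AES-GCM and RSA-OAEP are assumed stand-ins, and the Tape struct is a constructed stand-in for the tape's header labels and data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Tape is a constructed, simplified model of an encrypted B2B tape.
type Tape struct {
	WrappedKey []byte // header label: per-tape symmetric key encrypted with the partner's public key
	Nonce      []byte // AES-GCM nonce, stored alongside the encrypted data
	Data       []byte // tape data encrypted with the symmetric key
}

// WriteTape models OPEN for output: generate a symmetric key for this tape only, encrypt the data
// with it, and wrap the key with the partner's public key (RSA-OAEP stands in for the certificate's key).
func WriteTape(partnerPub *rsa.PublicKey, plaintext []byte) (*Tape, error) {
	key := make([]byte, 32) // 256-bit key used for this tape and never reused
	rand.Read(key)
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, partnerPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Tape{WrappedKey: wrapped, Nonce: nonce, Data: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// ReadTape models the partner side: the private key unwraps the symmetric key, which then decrypts the data.
func ReadTape(priv *rsa.PrivateKey, t *Tape) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, t.WrappedKey, nil)
	if err != nil {
		return nil, err // wrong private key: the tape stays unreadable
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, t.Nonce, t.Data, nil)
}

// RoundTrip reports whether the intended partner can read the tape (readable) and a different key holder cannot (blocked).
func RoundTrip(plaintext []byte) (readable, blocked bool) {
	partner, _ := rsa.GenerateKey(rand.Reader, 2048)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	tape, _ := WriteTape(&partner.PublicKey, plaintext)
	got, err := ReadTape(partner, tape)
	_, otherErr := ReadTape(other, tape)
	return err == nil && string(got) == string(plaintext), otherErr != nil
}
```

Because the symmetric key exists only wrapped under the partner's public key on the tape, possession of the tape alone is not enough to read it; the retention of that key in the BES database is what lets the originating site re-open the tape during the retention period.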