How Keys Are Retained for Modifying Tapes
CA Tape Encryption retains the key used to encrypt a tape for a specified period of time so that users can perform any required MOD processing (appending to or modifying the tape) after the tape has been created. How long the key remains available depends on how it was created. For keys created with digital certificates, the retention time is set by the B2BRsaKeepHours attribute, as defined in parmlib. For keys created with code books, the keys are not individually retained in the BES database; instead, the code books themselves are retained for 90 days from the time that the code book is rebuilt, and the rebuild interval is governed by the REBUILD attribute in parmlib. The following points describe this process:
- When a B2B tape is written, a new randomly-generated symmetric key encrypts the data on the tape.
- For symmetric keys based on digital certificates, the key is stored in the CA Tape Encryption database temporarily so that the user or application can add to the tape or modify it if necessary.
- Use the B2BRsaKeepHours attribute to specify the retention period for storing these keys. Keep the period no longer than your MOD processing requires, because a usable copy of the symmetric key exists in the database for the whole period.
- If you specify a B2BRsaKeepHours value of zero, the symmetric key is discarded immediately. In that case, once the tape file is created, you can modify or read the file only on a system where the private key is available.
- For symmetric keys created using the code book method, the key is available for as long as the code book remains in the BES database.
- Code books are rebuilt from scratch at intervals defined by the REBUILD attribute in parmlib.
- When a code book is rebuilt, the old version of the code book is retained in the BES database for 90 days.
- All current and old versions of a code book are available for the purpose of reading or modifying tapes for as long as the required version of the code book remains in the BES database.
- For keys created using digital certificates, you can modify the last file on an encrypted tape or add new data during the retention period.
- The temporary key is removed after the period of time defined by the B2BRsaKeepHours attribute has elapsed.
- After the temporary key is removed, you cannot make any further modifications to the encrypted tape unless you possess the private key. Likewise, a tape encrypted with the code book method cannot be modified after its code book version has been removed.
- For keys created using digital certificates, if you want to read a tape after the key is removed from the CA Tape Encryption database, you must decrypt the encrypted key stored in the tape label and use it to decrypt the data on the tape. You can run this process only on the system where the private key is available.
- For keys created using the code book, it is not possible to read a tape on z/OS after the code book has been removed.
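The following Python model is an added illustration of the retention rules listed above; it is not CA Tape Encryption's code and does not reflect how the BES database is implemented. It assumes a tiny textbook RSA key pair (so that the "encrypted key stored in the tape label" step can be run), a code book modelled as 256 random entries with a REBUILD interval expressed in days, and housekeeping that is applied whenever the database is accessed. The names BesDatabase, TapeLabel, CodeBook, resolve_key and the volsers B2B001 to B2B003 are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets

# Toy RSA (textbook parameters: n = 61 * 53, e = 17, d = 2753), used only to make
# "the encrypted key stored in the tape label" concrete. Each key byte is wrapped
# separately with no padding; insecure by construction, never use it for real data.
PUBLIC_KEY = (17, 3233)      # what the tape writer holds: the partner's public key
PRIVATE_KEY = (2753, 3233)   # what only the partner's own system holds

def rsa_wrap(data_key: bytes, pub=PUBLIC_KEY) -> list[int]:
    e, n = pub
    return [pow(b, e, n) for b in data_key]

def rsa_unwrap(wrapped: list[int], priv=PRIVATE_KEY) -> bytes:
    d, n = priv
    return bytes(pow(c, d, n) for c in wrapped)

CODEBOOK_RETENTION = timedelta(days=90)   # old code-book versions are kept 90 days after a rebuild

@dataclass
class CodeBook:
    version: int
    built_at: datetime
    superseded_at: datetime | None = None   # set when the next REBUILD happens
    entries: list[bytes] = field(default_factory=lambda: [secrets.token_bytes(32) for _ in range(256)])

@dataclass
class TapeLabel:
    """What the tape carries: enough to re-derive the data key, never the key itself."""
    volser: str
    method: str                              # "rsa" or "codebook"
    wrapped_key: list[int] | None = None     # rsa: data key encrypted with the partner's public key
    codebook_version: int | None = None      # codebook: which code-book version to look up
    key_index: int | None = None             # codebook: which entry in that version

class BesDatabase:
    """Hypothetical model of the BES database's key-retention behaviour (not the product's code)."""

    def __init__(self, start: datetime, keep_hours: int, rebuild_days: int):
        self.keep_hours = keep_hours                                 # B2BRsaKeepHours
        self.rebuild_interval = timedelta(days=rebuild_days)         # REBUILD, modelled in days
        self.temp_keys: dict[str, tuple[bytes, datetime]] = {}       # volser -> (data key, expiry)
        self.codebooks: dict[int, CodeBook] = {1: CodeBook(1, start)}
        self.current_version = 1

    def housekeeping(self, now: datetime) -> None:
        """Apply the passage of time: rebuild code books, purge old versions and expired temp keys."""
        cur = self.codebooks[self.current_version]
        while now - cur.built_at >= self.rebuild_interval:
            cur.superseded_at = cur.built_at + self.rebuild_interval
            cur = CodeBook(cur.version + 1, cur.superseded_at)
            self.codebooks[cur.version] = cur
            self.current_version = cur.version
        for version, cb in list(self.codebooks.items()):
            if cb.superseded_at is not None and now - cb.superseded_at >= CODEBOOK_RETENTION:
                del self.codebooks[version]      # old version gone: tapes keyed from it are unreadable
        for volser, (_, expiry) in list(self.temp_keys.items()):
            if now >= expiry:
                del self.temp_keys[volser]       # B2BRsaKeepHours has elapsed

    def write_tape(self, volser: str, method: str, now: datetime) -> tuple[TapeLabel, bytes]:
        self.housekeeping(now)
        if method == "rsa":
            data_key = secrets.token_bytes(32)   # fresh random symmetric key for every tape
            if self.keep_hours > 0:              # zero means: never keep a copy in the database
                self.temp_keys[volser] = (data_key, now + timedelta(hours=self.keep_hours))
            return TapeLabel(volser, "rsa", wrapped_key=rsa_wrap(data_key)), data_key
        cb = self.codebooks[self.current_version]
        index = secrets.randbelow(len(cb.entries))
        return TapeLabel(volser, "codebook", codebook_version=cb.version, key_index=index), cb.entries[index]

    def resolve_key(self, label: TapeLabel, now: datetime, private_key=None) -> bytes | None:
        """Return the data key needed to read or MOD the tape, or None once it can no longer be obtained."""
        self.housekeeping(now)
        if label.method == "rsa":
            if label.volser in self.temp_keys:   # inside B2BRsaKeepHours: no private key needed
                return self.temp_keys[label.volser][0]
            if private_key is not None:          # after expiry: only on the system holding the private key
                return rsa_unwrap(label.wrapped_key, private_key)
            return None
        cb = self.codebooks.get(label.codebook_version)
        return cb.entries[label.key_index] if cb is not None else None

T0 = datetime(2024, 1, 1)

def demo() -> dict[str, bool]:
    """Walk both retention regimes through the timeline the text describes."""
    db = BesDatabase(T0, keep_hours=48, rebuild_days=30)
    label, key = db.write_tape("B2B001", "rsa", T0)
    results = {
        "rsa_mod_inside_window": db.resolve_key(label, T0 + timedelta(hours=47)) == key,
        "rsa_no_private_key_after_window": db.resolve_key(label, T0 + timedelta(hours=49)) is None,
        "rsa_private_key_after_window": db.resolve_key(label, T0 + timedelta(hours=49), PRIVATE_KEY) == key,
    }
    zero = BesDatabase(T0, keep_hours=0, rebuild_days=30)
    zlabel, _ = zero.write_tape("B2B002", "rsa", T0)
    results["zero_hours_discards_immediately"] = zero.resolve_key(zlabel, T0) is None
    clabel, ckey = db.write_tape("B2B003", "codebook", T0)
    # version 1 is superseded at day 30 and kept 90 more days, so it disappears at day 120
    results["codebook_readable_day_119"] = db.resolve_key(clabel, T0 + timedelta(days=119)) == ckey
    results["codebook_gone_day_120"] = db.resolve_key(clabel, T0 + timedelta(days=120)) is None
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The model makes the trade-off visible: with B2BRsaKeepHours greater than zero, any job on the writing system can MOD the tape during the window without touching the private key, and with zero only the partner system can ever open it again. Code book tapes depend on a shared, versioned secret instead, so their readable life is the REBUILD interval plus the 90-day retention of the superseded version, not a per-tape setting.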