DFSMS data classes group data sets with similar attributes so that they can be processed as a class. That makes the data class a natural way to identify the data sets you want to encrypt. CA Tape Encryption selects a data set for encryption based on the DFSMS data class to which the data set is assigned and on the content of that data class's description field. You can create as many data classes as you need, for different types of encryption processing and so that different groups at your site can have their own keys; the SAF Interface component of CA Tape Encryption can then restrict access to encryption key resources, or grant a particular group access to them. Consider the following points while planning your use of one or more data classes to control encryption processing:
Note: For information about using your security system to control tape encryption processing, see the chapter “Using Your Security System for Tape Encryption.”
Example 1: One Data Class and One Key Name Defined
In this example, only one key name, SymKey1, is defined. Every time the key is used, the data on the tape is encrypted with the Triple DES algorithm (Algorithm=3DES128). A new key generation is created every month, and twelve generations of the key are retained.
<SymmetricKeys>
Key=SymKey1
<SymKey1>
Algorithm=3DES128 Regenerate=Monthly NumberOfGenerations=12
In this case, you need only one data class, for example INHOUSE. In the description field for that data class, include the parameter that references the key name, for example BES=(SYMKEY1). The data class name, INHOUSE, is not defined anywhere to CA Tape Encryption, but the symmetric key name that the description field references must be defined to CA Tape Encryption in the <SymmetricKeys> section of parmlib.
Note: Any characters you enter in the ISMF panels in lowercase are converted to uppercase.
Example 2: Multiple Data Classes and Key Names Defined
In this example, multiple key names are defined for in-house tapes and for B2B tapes, and each key has different attributes.
<SymmetricKeys>
Key=SymKey1
Key=SymKey2
Key=hrkey
<SymKey1>
Algorithm=3DES128 Regenerate=Monthly NumberOfGenerations=12
<SymKey2>
Algorithm=DES64 Regenerate=Yearly NumberOfGenerations=24
<hrkey>
Algorithm=aes256 Regenerate=Monthly NumberOfGenerations=12
<B2BKeyrings>
ShareRingAlias = 'Business_Partner_1'
ShareRingAlias = 'Business_Partner_2'
UserRingAlias = BESRing
<Business_Partner_1>
Keyringname = 'Business_Partner_1_Keyring' B2BRsaKeepHours = 8
<Business_Partner_2>
Keyringname = 'Business_Partner_2_Keyring' B2BRsaKeepHours = 24
<BESRing>
KeyringName = 'BES_default_Keyring' B2BRsaKeepHours = 8
<B2BCodeBooks>
CodeBook = Business_Partner_3
CodeBook = Business_Partner_4
<Business_Partner_3>
Rebuild = monthly
<Business_Partner_4>
Rebuild = yearly
In this case, because each key has distinct attributes, you need to define a separate data class, with a description field that references the key, for each of the following symmetric keys:
- SymKey1 (3DES128, regenerated monthly, 12 generations retained)
- SymKey2 (DES64, regenerated yearly, 24 generations retained)
- hrkey (aes256, regenerated monthly, 12 generations retained)
Note that SymKey2 uses single DES (DES64). Single DES has an effective key length of 56 bits and can be brute-forced with modest resources, so reserve it for partners whose equipment cannot process 3DES or AES, and keep the data class that references it separate from your in-house data classes.
Each of the following key ring aliases in the example must be associated with its own data class so that CA Tape Encryption can identify the digital certificates of each business partner:
- Business_Partner_1 (key ring Business_Partner_1_Keyring)
- Business_Partner_2 (key ring Business_Partner_2_Keyring)
Each of the following code book names in the example must be associated with its own data class so that CA Tape Encryption can identify the appropriate code book for each non-z/OS business partner:
- Business_Partner_3 (rebuilt monthly)
- Business_Partner_4 (rebuilt yearly)
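The two examples above depend on one thing being right: every BES=(name) parameter typed into a data class description must name a key that actually exists in the <SymmetricKeys> section of parmlib. The following script, an added example that is not CA's code, checks that mapping offline. It parses the <Section> / name=value layout shown in the examples, extracts the BES=(...) reference from each data class description, and reports each data class as not encrypted, correctly mapped, mapped to a weak algorithm, or mapped to an undefined key. The parmlib fragment and the data class names INHOUSE, B2BOLD, HRDATA, PAYROLL and SCRATCH are constructed for the example. Two assumptions are built in: key names are matched case-insensitively (Example 1 pairs BES=(SYMKEY1) with the parmlib key SymKey1, and ISMF folds typed text to upper case), and the Algorithm value DES64 is treated as weak.

```python
import re

# Constructed parmlib fragment, modelled on Example 2 above (not a real site's file).
PARMLIB = """\
<SymmetricKeys>
Key=SymKey1 Key=SymKey2 Key=hrkey
<SymKey1>
Algorithm=3DES128 Regenerate=Monthly NumberOfGenerations=12
<SymKey2>
Algorithm=DES64 Regenerate=Yearly NumberOfGenerations=24
<hrkey>
Algorithm=aes256 Regenerate=Monthly NumberOfGenerations=12
"""

# Constructed ISMF data classes: name -> description field as ISMF stores it
# (typed text is folded to upper case, so key names appear in upper case).
DATA_CLASSES = {
    "INHOUSE": "BES=(SYMKEY1)",
    "B2BOLD": "BES=(SYMKEY2)",
    "HRDATA": "HR MASTER FILES BES=(HRKEY)",
    "PAYROLL": "BES=(PAYKEY)",           # key name never defined in parmlib
    "SCRATCH": "ORDINARY SCRATCH TAPES",  # no BES= parameter: not selected for encryption
}

# Assumptions for this example: single-key DES is weak, and these attribute
# names may repeat within one section (as Key=, ShareRingAlias= and CodeBook= do above).
WEAK_ALGORITHMS = {"DES64"}
REPEATABLE = {"key", "shareringalias", "codebook"}

SECTION_RE = re.compile(r"^<([^>]+)>\s*(.*)$")
BES_RE = re.compile(r"\bBES=\(\s*([^)\s]+)\s*\)", re.IGNORECASE)


def parse_parmlib(text):
    """Parse '<Section>' headers and name=value attributes into
    {section.lower(): {name.lower(): value}}. Attributes may follow a header on
    the same line; 'name = value' with spaces and quoted values are accepted.
    Repeatable attributes are collected into lists."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = re.sub(r"\s*=\s*", "=", raw.strip())
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            line = m.group(2)
        if current is None:
            raise ValueError(f"attribute before any section header: {raw!r}")
        for token in line.split():
            name, sep, value = token.partition("=")
            if not sep:
                raise ValueError(f"expected name=value in section <{current}>: {token!r}")
            name, value = name.lower(), value.strip("'\"")
            if name in REPEATABLE:
                sections[current].setdefault(name, []).append(value)
            else:
                sections[current][name] = value
    return sections


def key_for_data_class(description):
    """Return the key name a data class description references via BES=(name), or None."""
    m = BES_RE.search(description)
    return m.group(1) if m else None


def check_data_classes(data_classes, parmlib_text):
    """Return {data class: verdict}, matching key names case-insensitively."""
    sections = parse_parmlib(parmlib_text)
    defined = {k.lower(): k for k in sections.get("symmetrickeys", {}).get("key", [])}
    report = {}
    for dc, desc in data_classes.items():
        ref = key_for_data_class(desc)
        if ref is None:
            report[dc] = "not encrypted (no BES= parameter)"
            continue
        key = defined.get(ref.lower())
        if key is None:
            report[dc] = f"ERROR: {ref} is not listed under <SymmetricKeys>"
            continue
        attrs = sections.get(key.lower())
        if attrs is None:
            report[dc] = f"ERROR: no <{key}> attribute section in parmlib"
            continue
        alg = attrs.get("algorithm", "?")
        if alg.upper() in WEAK_ALGORITHMS:
            report[dc] = f"WARNING: {key} uses weak algorithm {alg}"
        else:
            report[dc] = f"ok: {key} ({alg})"
    return report


if __name__ == "__main__":
    for dc, verdict in check_data_classes(DATA_CLASSES, PARMLIB).items():
        print(f"{dc:<8} {verdict}")
```

Run it against an export of your real data class descriptions and parmlib before a key regeneration or a parmlib change: a data class whose BES=(...) names a key that was renamed or removed is the case that silently leaves tapes unencrypted or fails the job at mount time.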
Copyright © 2011 CA. All rights reserved.