How CA Tape Encryption Works with Your External Security Manager
CA Tape Encryption works with your external security manager to manage the encryption process, as the following points outline:
- Security profiles can be created with the TBESAF99 utility, which generates control statements that can be imported into your security system at a later time. Administrators who are familiar with control statements for managing their security system can write their own control statements. After generating the security control statements, the security administrator must further edit and refine these statements before updating the security system.
- For a reference list of CA@BES profile definition formats, see the appendix “SAF Interface Parameter Reference List.”
CA Tape Encryption uses the IBM System Authorization Facility (SAF) through a series of internal RACROUTE macro calls, native CA Top Secret programmable interfaces, or native CA ACF2 programmable interfaces, to pass data and security requests between the CA Tape Encryption subsystem and your security system.
- The CA@BES resource class is used with your security system to manage and control tape encryption processing and resources. It is the repository for all of your security parameters and processing options.
- All of the processing parameters required for selecting data sets for encryption must be defined to the CA@BES resource class.
- All security processing control parameters, such as scope protection level, or resource protection level, must be defined to the CA@BES resource class.
- All CA Tape Encryption system console command security definitions must be defined to and reside in the existing OPERCMDS resource class.
- User-defined processing parameter libraries and overriding SYSIN processing options are NOT supported for this feature. This provides protection against malicious or unauthorized use of CA Tape Encryption.
- The SAF Interface is a completely integrated and closed system with no exit points or facilities to allow a third party to intercept processing. This assumes you do not have any CA ACF2, CA Top Secret, or IBM RACF system exits that intercept calls to resource classes or change the return code from the external security manager.
- CA Tape Encryption extracts the information from the security system to determine the following:
  - Whether a data set is a candidate for encryption.
  - Whether the user has authority to execute specific CA Tape Encryption system commands.
  - Whether the user submitting the job has access to an encryption or decryption key.
  - Whether the user or CA Vantage GMI has access to the CA Tape Encryption TBEKMUTL and TBESHOW utilities.
- CA Tape Encryption first queries the SAF Interface to determine whether the tape data set should be encrypted, using the security-based data set selection profiles. If no matching profile is found, or the BES.DEFAULT profile has not been defined, CA Tape Encryption reverts to the DFSMS Data Class Description to determine encryption eligibility.
- References made to the definition and maintenance of “APPLDATA” and the “encryption profile” should be translated to the terminology used by your security system as follows:
  - CA ACF2 - the APPLDATA is defined within the $USERDATA field on the rule set statement. This field can be 64 characters in length.
  - CA Top Secret - the APPLDATA is defined on the APPLDATA parameter of the PERMIT statement. This field can be 255 characters in length. However, CA@BES limits this to 120 characters.
  - IBM Security Server RACF - the APPLDATA is defined on the APPLDATA parameter within the RDEFINE command. This field can be 255 characters in length. However, CA@BES limits this to 120 characters.
- When security-based selection occurs, the encryption parameter in the matched profile is checked for validity. If the encryption parameter of the associated data set selection profile is missing or invalid, selection reverts to DFSMS to determine whether the tape data set is a candidate for encryption.
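The selection precedence described in the two points above (CA@BES profile, then BES.DEFAULT, then DFSMS, with an invalid or missing encryption parameter also sending the decision to DFSMS) is modelled in the following added example, which is not code from CA Tape Encryption or the product documentation. The profile names, the `ENCRYPT=YES/NO` APPLDATA keyword, the DFSMS table, exact-name profile matching (SAF generic matching is not modelled) and treating BES.DEFAULT as the catch-all profile are all assumptions made for illustration; the APPLDATA length limits are the ones quoted above.

```python
from typing import Optional, Tuple

# APPLDATA length limits quoted in the text, keyed by external security manager.
APPLDATA_LIMIT = {"ACF2": 64, "TSS": 120, "RACF": 120}

# Constructed CA@BES profiles (profile name -> APPLDATA). The ENCRYPT=YES/NO
# keyword is an assumed, illustrative syntax, not the product's real format.
CA_BES_PROFILES = {
    "PROD.PAYROLL.BACKUP": "ENCRYPT=YES",
    "TEST.SCRATCH.DATA": "ENCRYPT=MAYBE",  # invalid value, forces DFSMS fallback
    "BES.DEFAULT": "ENCRYPT=NO",
}

# Constructed DFSMS Data Class decisions used as the fallback source.
DFSMS_DATA_CLASS = {"TEST.SCRATCH.DATA": True, "ARCHIVE.OLD": False}


def appldata_fits(esm: str, appldata: str) -> bool:
    """True if an APPLDATA string fits the CA@BES limit for the given ESM."""
    return len(appldata) <= APPLDATA_LIMIT[esm]


def parse_encrypt_parameter(appldata: str) -> Optional[bool]:
    """Return True/False for a valid ENCRYPT= value, None if missing or invalid."""
    for token in appldata.upper().split():
        if token.startswith("ENCRYPT="):
            value = token[len("ENCRYPT="):]
            return {"YES": True, "NO": False}.get(value)
    return None


def select_for_encryption(dsn: str, profiles=CA_BES_PROFILES,
                          dfsms=DFSMS_DATA_CLASS) -> Tuple[bool, str]:
    """Decide whether dsn is an encryption candidate and report which source decided.

    Order modelled from the text: a CA@BES selection profile matching the data
    set (exact-name match here), else BES.DEFAULT, else DFSMS. A missing
    BES.DEFAULT or a missing/invalid encryption parameter also goes to DFSMS.
    A data set unknown to the constructed DFSMS table is treated as not a candidate.
    """
    if "BES.DEFAULT" not in profiles:
        return dfsms.get(dsn, False), "DFSMS data class (BES.DEFAULT undefined)"
    name = dsn if dsn in profiles else "BES.DEFAULT"
    decision = parse_encrypt_parameter(profiles[name])
    if decision is None:
        return dfsms.get(dsn, False), "DFSMS data class (invalid profile parameter)"
    return decision, f"CA@BES profile {name}"
```

Checking generated control statements against `appldata_fits` before importing them catches APPLDATA values that the ESM or CA@BES would truncate or reject.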