Encryption Key protection profiles control access to encryption keys, keying data, and code book names used during encryption and decryption processing. This type of profile protects the use of symmetric keys for in-house encryption, public and private keys for B2B encryption, and code book names. These profiles are stored in the CA@BES resource class. The following types of key protection profiles are used:
Key protection profiles determine the following user permissions:
All encryption keys are unsecured resources by default for external security managers except CA ACF2. In effect, the default implies a PERMIT command for all commands for all BES subsystems.
When running CA ACF2, or when running in PROTECT mode, user access must be granted explicitly for each encryption key: you must define the key to the security system and then either issue an associated PERMIT command (IBM Security Server RACF or CA Top Secret) or specify "ALLOW" on the CA ACF2 UID(userid) rule set.
If you need to protect only a small number of encryption keys, you should specify a security scope of PERMIT. Then all you have to define are specific resources you want to protect. This type of environment could be used on a test subsystem or on a test LPAR. Another consideration is the definition of a blanket generic encryption key profile.
Conversely, a security scope of PROTECT explicitly protects all encryption keys and lets the security administrator decide which users may access specific encryption keys. This type of configuration is used for production environments where you want to restrict the use of the CA Tape Encryption commands.
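The following REXX exec is an added illustration of the PROTECT-style setup described above for an IBM Security Server RACF installation; it is not taken from the CA Tape Encryption documentation. It assumes the CA@BES class is already defined and active on the system, and the resource names PROD.KEY.* and PROD.KEY.PAYROLL01, the group TAPEOPS, the owner SECADMIN, and the READ access level are placeholders for whatever naming and access level your key protection profiles actually require.

```rexx
/* REXX: added example, not part of the CA Tape Encryption documentation. */
/* Assumes the CA@BES resource class is already defined and active.      */
/* PROD.KEY.* and PROD.KEY.PAYROLL01 are placeholder resource names;     */
/* TAPEOPS, SECADMIN and ACCESS(READ) are assumptions for this example.  */
ADDRESS TSO

/* Blanket generic profile: every key in the naming range is denied by  */
/* default (UACC(NONE)), which is the PROTECT-style security scope.     */
"SETROPTS GENERIC(CA@BES)"
"RDEFINE CA@BES PROD.KEY.* UACC(NONE) OWNER(SECADMIN)"

/* Discrete profile for one production key; RACF picks the most        */
/* specific matching profile, so this overrides the generic one.        */
"RDEFINE CA@BES PROD.KEY.PAYROLL01 UACC(NONE) OWNER(SECADMIN)"

/* Grant only the tape-operations group the use of that one key.       */
"PERMIT PROD.KEY.PAYROLL01 CLASS(CA@BES) ID(TAPEOPS) ACCESS(READ)"

/* Refresh in-storage profiles so the change takes effect immediately  */
/* (needed when the class is RACLISTed).                                */
"SETROPTS RACLIST(CA@BES) REFRESH"

/* Verify the resulting access list before handing the key to users.   */
"RLIST CA@BES PROD.KEY.PAYROLL01 AUTHUSER"
EXIT 0
```

Under a PERMIT security scope the generic UACC(NONE) profile would simply be omitted and only the specific resources you want to protect would be defined; the RLIST step is worth keeping in either case so that the effective access list is confirmed rather than assumed.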
Copyright © 2011 CA. All rights reserved.