Defining System Specific Encryption Key Protection Profiles for CA ACF2

A system specific encryption key protection rule set has the following format:

$KEY(BESn.key_type.key_name) TYPE(BES)
$OWNER(ownerid)
  UID(userid) ALLOW
  UID(userid) PREVENT
$KEY

Specifies the definition of a CA ACF2 key set.

BES

Specifies this is a CA Tape Encryption resource. This is always BES.

n

Indicates the local BES subsystem number (1-8). You should create this rule set for each BES subsystem as necessary.

key_type

Indicates the type of key to define. Options for this parameter are as follows:

KEYCODE

Specifies a code book. If you specify this option, the value for the key_name must be defined in the <B2BCodeBooks> section of parmlib.

KEYCERT

Specifies a digital certificate key pair. If you specify this option, the value for the key_name must be a digital certificate defined to the security system on a key ring specified in the <B2BKeyrings> section of parmlib.

KEYSYMM

Specifies a symmetric key. If you specify this option, the value for the key_name must be defined in the <SymmetricKeys> section of parmlib.

key_name

Specifies the name of the key.

TYPE(BES)

Specifies that this statement is a CA Tape Encryption resource. This should always be BES.

$OWNER(ownerid)

Specifies the owner of the rule. You can specify up to 24 characters in the $OWNER control statement. The statement is informational: CA ACF2 provides it so that you can track ownership of a rule.

UID(userid) ALLOW

Allows users whose UID string matches the specified userid or UID mask (for example, SYS- in the symmetric key example) to access the encryption key.

UID(userid) PREVENT

Explicitly prevents users whose UID string matches the specified userid or mask from gaining access to, and being able to use, the encryption key. Because a user with no matching ALLOW entry already has no access, PREVENT is mainly useful to exclude a specific userid from a broader masked ALLOW entry in the same rule set.

Example: CA ACF2 key set definition for digital certificates

$KEY(BES1.KEYCERT.ACFCERT) TYPE(BES)
$OWNER(BES)
  UID(SH***********GARY)  ALLOW
  UID(SH***********BILLY) ALLOW 

Example: CA ACF2 key set definition for code books

Note: You need to define a unique key set for each individual BESn subsystem.

$KEY(BES1.KEYCODE.ACFCODE) TYPE(BES)
$OWNER(BES)
  UID(SH***********JOHN)  ALLOW
  UID(SH***********BILLY) ALLOW

$KEY(BES2.KEYCODE.ACFCODE) TYPE(BES)
$OWNER(BES)
  UID(SH***********SECADMIN) ALLOW
  UID(SH***********ACHXMIT)  ALLOW

Example: CA ACF2 key set definition for symmetric keys

$KEY(BES1.KEYSYMM.ACFSYMM) TYPE(BES)
$OWNER(BES)
  UID(SYS-)  ALLOW
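The rule set layout and the ALLOW/PREVENT entries described above can be checked offline before anything is stored in CA ACF2. The following Python script is an added example, not CA ACF2 or CA Tape Encryption code: it parses rule sets of the documented shape, lints them against the constraints on this page (subsystems BES1 through BES8, the three key types, TYPE(BES), the 24-character $OWNER limit, duplicate key sets, empty rule sets and wide-open ALLOW masks) and reports which entry a given UID string would hit. Its masking rules (an asterisk matches exactly one character, a trailing dash matches the rest) and its most-specific-entry-wins ordering are simplified approximations of CA ACF2 behaviour and are assumptions, and the sample rule text is constructed for illustration.

```python
"""Offline checker for CA ACF2 BES encryption-key rule sets (added example).
Masking and entry ordering are simplified approximations of CA ACF2
behaviour (see mask_matches and decide); SAMPLE is constructed rule text."""
import re
from dataclasses import dataclass, field

KEY_TYPES = {"KEYCODE", "KEYCERT", "KEYSYMM"}
KEY_RE = re.compile(r"^\$KEY\(([^)]+)\)\s+TYPE\(([A-Z0-9]+)\)$", re.I)
OWNER_RE = re.compile(r"^\$OWNER\(([^)]*)\)$", re.I)
ENTRY_RE = re.compile(r"^UID\(([^)]+)\)\s+(ALLOW|PREVENT)$", re.I)


@dataclass
class RuleSet:
    key: str            # BESn.key_type.key_name
    rtype: str          # should always be BES
    owner: str = ""
    entries: list = field(default_factory=list)  # [(uid_mask, "ALLOW"|"PREVENT")]


def parse_rule_sets(text):
    """Split rule text into RuleSet objects; reject statements it does not know."""
    sets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            cur = RuleSet(m.group(1).upper(), m.group(2).upper())
            sets.append(cur)
        elif cur is None:
            raise ValueError(f"statement before any $KEY: {line}")
        elif m := OWNER_RE.match(line):
            cur.owner = m.group(1)
        elif m := ENTRY_RE.match(line):
            cur.entries.append((m.group(1).upper(), m.group(2).upper()))
        else:
            raise ValueError(f"unrecognised statement: {line}")
    return sets


def lint(sets):
    """Return (key, message) findings against the constraints documented on this page."""
    findings, seen = [], set()
    for rs in sets:
        if rs.rtype != "BES":
            findings.append((rs.key, "TYPE must be BES"))
        parts = rs.key.split(".")
        if len(parts) != 3:
            findings.append((rs.key, "$KEY must be BESn.key_type.key_name"))
            continue
        bes, ktype, _ = parts
        if not re.fullmatch(r"BES[1-8]", bes):
            findings.append((rs.key, "subsystem must be BES1 through BES8"))
        if ktype not in KEY_TYPES:
            findings.append((rs.key, f"key_type must be one of {sorted(KEY_TYPES)}"))
        if rs.key in seen:
            findings.append((rs.key, "duplicate key set for this subsystem"))
        seen.add(rs.key)
        if len(rs.owner) > 24:
            findings.append((rs.key, "$OWNER exceeds 24 characters"))
        if not rs.entries:
            findings.append((rs.key, "no UID entries, so nobody can use this key"))
        for mask, action in rs.entries:
            if action == "ALLOW" and set(mask) <= set("*-"):
                findings.append((rs.key, f"UID({mask}) ALLOW grants the key to every user"))
    return findings


def mask_matches(mask, uid):
    """Simplified CA ACF2 masking (assumption): '*' matches exactly one
    character, a trailing '-' matches whatever remains, all else is literal."""
    if mask.endswith("-"):
        mask = mask[:-1]
        if len(uid) < len(mask):
            return False
        uid = uid[:len(mask)]
    elif len(uid) != len(mask):
        return False
    return all(m == "*" or m == u for m, u in zip(mask, uid))


def decide(rs, uid):
    """Most specific matching entry wins (most literal characters; ties go to
    PREVENT as the conservative choice; both are assumptions).  No matching
    entry means no access, which is how CA ACF2 treats the resource."""
    hits = [(sum(c not in "*-" for c in mask), action == "PREVENT", action)
            for mask, action in rs.entries if mask_matches(mask, uid)]
    return max(hits)[2] if hits else "NO-MATCH"


# Constructed sample: the page's BES1 KEYCERT and KEYSYMM sets, plus a PREVENT
# entry that carves one id out of the SYS- mask.
SAMPLE = f"""
$KEY(BES1.KEYCERT.ACFCERT) TYPE(BES)
$OWNER(BES)
  UID(SH{'*' * 11}GARY)  ALLOW
  UID(SH{'*' * 11}BILLY) ALLOW

$KEY(BES1.KEYSYMM.ACFSYMM) TYPE(BES)
$OWNER(BES)
  UID(SYS-)   ALLOW
  UID(SYSBAD) PREVENT
"""

if __name__ == "__main__":
    rule_sets = parse_rule_sets(SAMPLE)
    print("findings:", lint(rule_sets))
    symm = next(rs for rs in rule_sets if rs.key == "BES1.KEYSYMM.ACFSYMM")
    for uid in ("SYSPROD", "SYSBAD", "TSOUSER"):
        print(uid, "->", decide(symm, uid))
```

Run it over a rule set before storing it, and treat any finding about a wildcard-only ALLOW mask or an empty rule set as a blocker: the first hands the key to every user, the second locks everyone out of it.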