Encryption Key Protection Profile Definitions for TBESAF99

Use the encryption key control commands to define each key you want to protect. Use this control statement as input to TBESAF99 to generate control statements for your security system.

For RACF and CA Top Secret, you have the option to control each CA Tape Encryption key at the global level for all BES subsystems or at the local level for each BES subsystem. For CA ACF2, you can only define and control CA Tape Encryption keys at the local (BESn) level.

The following guidelines apply to this command:

This command has the following format:

BESn TYPE=key_type,
     NAME=key_name

n

Indicates the BES subsystem. To specify a global key protection profile for a specified key for all BES systems, start the command with BES and do not specify a BES subsystem.

Note: For CA ACF2, you must specify the BES subsystem number.

TYPE=key_type

Indicates the type of key to define. Options for this parameter are as follows:

KEYSYMM

Specifies a symmetric key. If you specify this option, the value for the key_name must be defined in the <SymmetricKeys> section of parmlib.

KEYCODE

Specifies a code book. If you specify this option, the value for the key_name must be defined in the <B2BCodeBooks> section of parmlib.

KEYCERT

Specifies a digital certificate for public and private key pairs. If you specify this option, the value for the key_name must be a digital certificate defined to the security system on a key ring specified in the <B2BKeyrings> section of parmlib.

NAME=key_name

Specifies the user-defined key name that you want to protect or permit. Replace any spaces in the key name with periods.

Example: Global key definition for a symmetric key

This example defines to all BES subsystems a symmetric key named AES128_KEY.

BES TYPE=KEYSYMM,NAME=AES128_KEY

Example: Local key definition for a symmetric key

This example defines to BES2 a symmetric key named 3DES128 PRODUCTION KEY.

BES2 TYPE=KEYSYMM,NAME=3DES128.PRODUCTION.KEY

Example: Local key definition for a code book

This example defines to BES2 a code book named Company A Book.

BES2 TYPE=KEYCODE,NAME=COMPANY.A.BOOK

Example: Local key definition for a digital certificate

This example defines to BES2 a digital certificate named BESCERT.

BES2 TYPE=KEYCERT,NAME=BESCERT
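
The following is an added example, not part of the CA documentation or the product: a small Python pre-check that applies the rules described above (valid TYPE values, no spaces in NAME, BESn required for CA ACF2) to a statement before it is passed to TBESAF99. The function names, the acceptance of any digits for n, and the upper-casing of key names are assumptions made for this sketch.

```python
import re

KEY_TYPES = ("KEYSYMM", "KEYCODE", "KEYCERT")  # TYPE= options listed on this page
# BES (global) or BESn (local). Accepting any run of digits for n is an
# assumption; the page does not give the valid subsystem range.
STATEMENT = re.compile(
    r"^BES(?P<n>\d*)\s+TYPE=(?P<type>[^,\s]*),\s*NAME=(?P<name>.*)$")

def statement_key_name(key_name):
    """Replace spaces with periods. Upper-casing mirrors the page's examples
    and is an assumption, not a documented rule."""
    return ".".join(key_name.split()).upper()

def lint_statement(statement, security_system):
    """Return a list of problems in one statement (empty list = none found)."""
    # Join a statement continued after the comma onto a single line.
    text = " ".join(part.strip() for part in statement.strip().splitlines())
    m = STATEMENT.match(text)
    if not m:
        return ["not in the form BESn TYPE=key_type,NAME=key_name"]
    problems = []
    name = m["name"].strip()
    if m["type"] not in KEY_TYPES:
        problems.append("TYPE must be one of " + ", ".join(KEY_TYPES))
    if not name:
        problems.append("NAME is empty")
    elif " " in name:
        problems.append("NAME contains spaces; use " + statement_key_name(name))
    # Global (BES) profiles are only available for RACF and CA Top Secret.
    if "ACF2" in security_system.upper() and not m["n"]:
        problems.append("CA ACF2 requires a BES subsystem number (BESn)")
    return problems

if __name__ == "__main__":
    # Constructed sample input based on the examples on this page.
    samples = [
        ("BES TYPE=KEYSYMM,NAME=AES128_KEY", "RACF"),
        ("BES TYPE=KEYSYMM,NAME=AES128_KEY", "CA ACF2"),
        ("BES2 TYPE=KEYSYMM,NAME=3DES128 PRODUCTION KEY", "CA Top Secret"),
        ("BES2 TYPE=KEYCERT,\n     NAME=BESCERT", "CA ACF2"),
    ]
    for stmt, system in samples:
        print(repr(stmt), system, "->", lint_statement(stmt, system) or "ok")
```

The check covers statement syntax only; whether key_name is actually defined in the matching parmlib section or key ring still has to be confirmed separately.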