How Digital Certificates Are Located
The following points summarize how CA Tape Encryption locates digital certificates:
- Locating a certificate is controlled by the KeyRingSearchOrder parameter in parmlib.
- If KeyRingSearchOrder is set to BESKeyRingsFirst:
  - CA Tape Encryption looks for the certificate on the shared key ring or rings first. These rings are defined by the attributes in a ShareRingAlias section in parmlib and selected by the RSA(ringname_alias) parameter of the DFSMS data class.
  - If the certificate is not found there, CA Tape Encryption determines whether the user running the tape job has a key ring with the name defined by the attributes in the UserRingAlias section in parmlib. If such a user key ring exists, CA Tape Encryption looks for the certificate on it.
  - If certificates are preloaded, the search is an in-memory lookup in a table of certificates loaded during initialization rather than a read of the key rings.
  - If certificates are not preloaded, the key rings are read in the order above until the certificate is found or there are no more key rings to search.
- If KeyRingSearchOrder is set to UserKeyRingFirst:
  - CA Tape Encryption first determines whether the user running the tape job has a key ring with the name defined by the attributes in the UserRingAlias section in the CA Tape Encryption parmlib and, if so, looks for the certificate on that key ring.
  - If the certificate is not found on the user key ring, if the user has no key ring with the name specified in parmlib, or if no user key ring is defined in parmlib at all, CA Tape Encryption looks for the certificate on the shared key rings. With DFSMS, these are defined by the attributes in the existing ShareRingAlias sections in parmlib and selected by the RSA(ringname_alias) parameter of the data class. If your security system controls tape encryption processing instead, the key ring attributes are stored in the key protection profiles in that security system.
- The certificate label used for the search comes from a different place depending on the operation:
  - When creating a B2B tape, the certificate label comes from the BES=(RSA(ringname_alias):certificate_label,algorithm) string in the DFSMS data class description field or in the key protection profiles of the security system.
  - When reading a B2B tape, the certificate label comes from information stored on the tape in the CA Tape Encryption standard user labels.
- Only the certificate label must be the same on the system that creates the encrypted tape and on the business partner's remote system that reads it. The key ring names do not need to match, because each system's parmlib describes its own key rings and gives CA Tape Encryption the information it needs to locate the certificate.
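The following Python model is added to this page as an illustration of the search order described above; it is not CA Tape Encryption code. It parses a BES=(RSA(ringname_alias):certificate_label,algorithm) string, resolves the alias to the shared key rings, and searches the user and shared rings in the order selected by KeyRingSearchOrder, both with and without preloaded certificates. The attribute names inside the ShareRingAlias and UserRingAlias sections, the ring names, user IDs, certificate labels and the algorithm value are all assumptions constructed for the example. The sample deliberately places a certificate with the same label on both a shared ring and a user ring, so the two settings resolve to different certificates.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Shape of the string in the DFSMS data class description field (see above).
BES_RE = re.compile(r"^BES=\(RSA\((?P<alias>[^)]+)\):(?P<label>[^,]+),(?P<alg>[^)]+)\)$")

def parse_bes(spec: str) -> Tuple[str, str, str]:
    """Return (ringname_alias, certificate_label, algorithm) from a BES string."""
    m = BES_RE.match(spec.strip())
    if not m:
        raise ValueError(f"not a BES specification: {spec!r}")
    return m.group("alias"), m.group("label"), m.group("alg")

@dataclass
class Parmlib:
    """Parmlib settings the search depends on. The attribute names are assumed;
    the page only names the ShareRingAlias and UserRingAlias sections."""
    key_ring_search_order: str              # BESKeyRingsFirst | UserKeyRingFirst
    share_ring_alias: Dict[str, List[str]]  # ringname_alias -> shared ring name(s)
    user_ring_alias: Optional[str]          # name a user's own ring must carry
    preload_certificates: bool = False

RingKey = Tuple[str, ...]   # ("shared", ring) or ("user", userid, ring)

@dataclass
class SecuritySystem:
    """Stand-in for the security system holding the key rings; counts reads."""
    rings: Dict[RingKey, Dict[str, str]]    # ring key -> {label: certificate}
    reads: int = 0

    def read(self, key: RingKey) -> Dict[str, str]:
        self.reads += 1                      # a missing ring reads as empty
        return self.rings.get(key, {})

class CertificateLocator:
    def __init__(self, parmlib: Parmlib, sec: SecuritySystem):
        self.parmlib, self.sec, self.table = parmlib, sec, None
        if parmlib.preload_certificates:
            # Initialization: read every ring once into memory, so later
            # searches are table lookups and never touch the security system.
            self.table = {key: dict(sec.read(key)) for key in sec.rings}

    def _lookup(self, key: RingKey, label: str) -> Optional[str]:
        ring = self.table.get(key, {}) if self.table is not None else self.sec.read(key)
        return ring.get(label)

    def locate(self, userid: str, bes_spec: str) -> Optional[Tuple[str, str]]:
        """Return (ring searched, certificate) for the label in bes_spec, or None."""
        alias, label, _alg = parse_bes(bes_spec)
        shared_rings = self.parmlib.share_ring_alias.get(alias, [])
        user_ring = self.parmlib.user_ring_alias

        def search_shared():
            for ring in shared_rings:        # read until found or no rings remain
                cert = self._lookup(("shared", ring), label)
                if cert is not None:
                    return f"shared:{ring}", cert
            return None

        def search_user():
            if user_ring is None:            # no UserRingAlias section in parmlib
                return None
            cert = self._lookup(("user", userid, user_ring), label)
            return (f"user:{userid}/{user_ring}", cert) if cert is not None else None

        order = self.parmlib.key_ring_search_order
        if order == "BESKeyRingsFirst":
            return search_shared() or search_user()
        if order == "UserKeyRingFirst":
            return search_user() or search_shared()
        raise ValueError(f"unknown KeyRingSearchOrder: {order!r}")

# Constructed sample: the shared ring and OPER1's own ring both hold a certificate
# under the label PARTNER01, so KeyRingSearchOrder decides which one is used.
RINGS = {
    ("shared", "BES.PARTNER.RING"): {"PARTNER01": "cert-shared-0001"},
    ("user", "OPER1", "BES.USER.RING"): {"PARTNER01": "cert-user-7777"},
}
SHARE_ALIAS = {"PARTNER": ["BES.PARTNER.RING"]}
USER_RING = "BES.USER.RING"
BES_SPEC = "BES=(RSA(PARTNER):PARTNER01,AES)"    # algorithm value is illustrative

def resolve(order: str, userid: str = "OPER1", preload: bool = False):
    """Run one lookup; return what was found and how many key ring reads the
    lookup itself caused (zero when certificates were preloaded)."""
    sec = SecuritySystem(rings={k: dict(v) for k, v in RINGS.items()})
    locator = CertificateLocator(Parmlib(order, SHARE_ALIAS, USER_RING, preload), sec)
    before = sec.reads
    return locator.locate(userid, BES_SPEC), sec.reads - before

if __name__ == "__main__":
    for order in ("BESKeyRingsFirst", "UserKeyRingFirst"):
        print(order, resolve(order), resolve(order, userid="OPER2"), resolve(order, preload=True))
```

Running the model shows the point that matters when choosing the setting: under UserKeyRingFirst, a certificate carrying the same label on the job user's own key ring takes precedence over the shared ring, so the label alone does not determine which certificate protects the tape; the ring contents and the search order do. A user without a ring of the configured name (OPER2 in the sample) falls through to the shared rings with one extra ring read, and with preloading the lookup causes no ring reads at all.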