How Tape Management Systems Track Key Usage
CA Tape Encryption works with your tape management system to track key usage. The tape management system's volume record (or secondary file record) is updated with a BES Key Index, a numeric ID that maps to a key instance in the CA Tape Encryption (BES) database. The following points outline how key usage is tracked:
- To ensure that keys are not retained beyond their useful life cycle, every symmetric key is associated with a unique key index identifier called the BES Key Index.
- This identifier is stored in the following places:
  - The User Header Label (UHL) of the encrypted tape
  - The User Trailer Label (UTL) of the encrypted tape
  - The BES database
  - The database of the tape management system
- All symmetric keys are tracked, including the temporary symmetric keys used for encrypting B2B tapes.
  Note: All B2B temporary symmetric keys use a single BES Key Index, 65521 (hexadecimal FFF1).
- A system procedure (PROC) is distributed with CA Tape Encryption that you must configure and schedule to run. This procedure does the following:
  - Creates an extract file of the BES Key Indexes in use and a detailed report about the tapes encrypted by CA Tape Encryption.
  - Executes program TBEKMUTL to process the extract file and put keys that are no longer needed in a deletion queue.
- The procedure to schedule depends on your tape management system:
  - CA 1 users must configure and schedule procedure BESKMNT1, distributed in the PROCLIB data set.
  - CA TLMS users must configure and schedule procedure BESKMNTT, distributed in the PROCLIB data set.
  - DFSMSrmm users must configure and schedule procedure BESKMNTR, distributed in the PROCLIB data set.
  Note: For information about other OEM tape management systems that provide support for CA Tape Encryption, see the vendor's documentation.
- The tape management system returns a list of all keys that are still in use on active tape volumes.
- If the tape has been scratched and the encrypted file or files have been physically overwritten (reused), the key is no longer needed.
- CA Tape Encryption places the key in a queue to be removed after the grace period.
- When you use the ICSF CKDS as a key repository, the removal routine removes the key from both the BES database and the ICSF CKDS database.
Important! CA does not support sharing the BES database across systems that do not share the same tape catalog. The deletion queue is built from the list of keys the tape catalog reports as in use, so a system that cannot see another system's volumes would queue, and after the grace period remove, keys that are still protecting that system's tapes.