Considerations for Running the TBEKMUTL Utility
When you run the TBEKMUTL utility, consider the following points:
- If the CA Tape Encryption utilities are protected by the external security manager, you must be permitted to the BESnUTILITY.TBEKMUTL CA@BES resource.
- Use PARM='BES=BESn' to specify the BES task whose keys you want to mark for deletion.
- If you run with a separate BES database for two or more production BES systems, which is not recommended, you must run the TBEKMUTL utility for each subsystem.
- You do not need to run TBEKMUTL against failover BES systems because the BES database is shared with the primary BES system.
- Replace the data set your.extract.dsn, shown in the sample TBEKMUTL, with the name of the CA Earl extract from your CA 1 or CA TLMS system.
  Note: For information about how to create this extract file if you are running another tape management system that supports CA Tape Encryption, see the vendor's documentation.
- Use the SYSPRINT DD statement to write a summary report about the processing performed by the utility.
- You can produce a TBEKMUTL report without moving any keys in the following ways:
  - If the AutomaticallyRemoveKeys attribute in the dynamic options section in parmlib is set to No (or defaults to No), the keys are reported on but they are not moved to the deletion queue.
  - Run the utility with the SIMULATE option, for example, PARM='BES=BES6,SIMULATE'.
- If you began using CA Tape Encryption or CA Tape Encryption Key Manager before your TMS was upgraded to track BESKEYs, specify the NOTBEFORE option for TBEKMUTL. This option prevents TBEKMUTL from deleting keys that were used before your TMS was tracking them. Run the utility with the NOTBEFORE option, for example:
  PARM='BES=BES6,NOTBEFORE=2009/123'