
Glossary

$USERDATA

$USERDATA is a CA ACF2 64-character text string used to store information with the rule set. CA Tape Encryption uses the $USERDATA parameter to store certain control options and the data set encryption parameter.

3DES128

3DES128 specifies the Triple DES algorithm using a 128-bit key. See Data Encryption Standard (DES).

3DES192

3DES192 specifies the Triple DES algorithm using a 192-bit key. See Data Encryption Standard (DES).

CA Tape Encryption

CA Tape Encryption is a software-based encryption appliance that provides a convenient and secure method for automating the encryption and decryption of confidential data on tape volumes in the z/OS operating environment.

CA Encryption Key Manager

CA Encryption Key Manager is a separately licensed software-based appliance that performs full cycle management of cryptographic keys for:

CA Tape Encryption objects

CA Tape Encryption objects are included in the Tape Resource Management folder that is visible when the z/OS Object Tree is opened in the CA Vantage GMI.

ACS (automatic class selection)

See automatic class selection (ACS) routine.

active key

The active key is the symmetric key that is active for a CA Tape Encryption key name. Only one symmetric key is in the active state at any given time.

Advanced Encryption Standard (AES)

Advanced Encryption Standard (AES) is a FIPS-standard algorithm used by U.S. federal government agencies, commercial, and private organizations to electronically encrypt and decrypt sensitive data. CA Tape Encryption supports AES keys of 128 bits, 192 bits, and 256 bits. For more information about using AES with CA Tape Encryption, see the Configuration Guide.

AES128

AES128 specifies the AES algorithm using a 128-bit key. See Advanced Encryption Standard (AES).

AES192

AES192 specifies the AES algorithm using a 192-bit key. See Advanced Encryption Standard (AES).

AES256

AES256 specifies the AES algorithm using a 256-bit key. See Advanced Encryption Standard (AES).

APPLDATA

APPLDATA is a 255-character text string that is used to supply additional information to resources defined within the CA@BES class. CA Tape Encryption uses the APPLDATA parameter to store certain control options and the data set encryption parameter. APPLDATA is defined on the RDEFINE statement using RACF or the PERMIT statement using CA Top Secret.

ASEO table

The ASEO table is an internal table used to locate the subaddress spaces of CA Tape Encryption.

asymmetric cryptography

Asymmetric cryptography uses the public key/private key pair cryptographic technique to encrypt and decrypt information in a secure manner. It is asymmetric because the public key, the key used to encrypt the data, is different from the private key, the key used to decrypt the data. The sender encrypts the data using the public key and the recipient uses the private key to decrypt the information. For CA Tape Encryption, this technique is used for sending B2B tapes to business partners.

automated key management

Automated key management is the process of managing cryptographic keys automatically so that keys are replaced at a user-scheduled time with no intervention, new keys are generated automatically, and keys that are no longer needed are retired automatically.

automatic class selection (ACS) routine

An automatic class selection (ACS) routine is a set of procedural statements used to generate a DFSMS class name or storage group. ACS routines are used to assign tapes to a DFSMS data class for encryption purposes for CA Tape Encryption.

automatic failover

Automatic failover is a technique for one system to automatically assume the work of another system that has failed for whatever reason. For CA Tape Encryption, a specified BES subsystem can be eligible to assume BES services for a BES subsystem with similar attributes that has failed on the same LPAR or that is not active.

B2B (business-to-business)

B2B stands for business-to-business. CA Tape Encryption lets you send secure encrypted tapes from one organization to another organization.

B2B key ring

A B2B key ring in CA Tape Encryption is a key ring assigned to a BES started task, and contains digital certificates. CA Tape Encryption uses shared key rings and user key rings.

B2B keys

B2B keys are cryptographic keys generated for tapes intended for CA Tape Encryption business partners. The purpose of a B2B key is to provide for secure encryption when sending tapes from one organization to another organization.

B2B tapes

B2B tapes are tapes generated by CA Tape Encryption that contain data encrypted by a B2B key.

B2BBOOKS

B2BBOOKS is a sample parmlib member that contains code book options for the B2BCodeBooks section that specify the names of the code books to be defined to the BES database.

B2BCodeBooks

The B2BCodeBooks section in the B2BBOOKS parmlib member is used to specify code book options for CA Tape Encryption.

B2BRINGS

B2BRINGS is an attribute in the B2B key ring options used to specify the alias names for key rings defined to your security system for encryption purposes for use with CA Tape Encryption.

BES

BES is the default name for the CA Tape Encryption subsystem.

BES database pass phrase(s)

BES supports single or dual database pass phrases. Pass phrases are similar to passwords; they are entered in the form of a meaningful alphanumeric phrase and are used to securely encrypt sensitive data in the BES database. Keep pass phrases secure.

BES Key Index

The BES Key Index is a unique key identifier created by CA Tape Encryption for every instance of a symmetric key. It is essentially a unique number assigned by the BES task, and it allows the tracking of key use by tape data set for every tape created using CA Tape Encryption.

BES mirror database (BESMDB)

The BES mirror database (BESMDB) is a VSAM linear dataset that is a mirror copy of the BES primary database. The encryption keys are maintained in the BES primary and mirror databases. The mirror database can be used to recover the primary database.

BES primary database (BESPDB)

The BES primary database (BESPDB) is a VSAM linear dataset where the encryption keys are maintained for CA Tape Encryption.

BES started task

The BES started task is the address space assigned to CA Tape Encryption, defined to the z/OS operating system.

BES subsystem ID

The BES subsystem ID is the system identifier for each CA Tape Encryption started task, indicated as BESn, where n = 1-8. There can be up to 8 BES subsystems on each LPAR.

BESBOOK

BESBOOK is a member in the CTAPJCL data set that exports code books from an active BES database to a sequential data set suitable for transmission to non-z/OS B2B business partners.

BESCLS

BESCLS is a member in the CTAPJCL data set that can be used to execute the IBM utility IXCMIAPU to define a log stream. See IXCMIAPU.

BESDBBAK

BESDBBAK is a member in the CTAPJCL data set that creates a tape backup copy of the BES mirror database.

BESDBRST

BESDBRST is a member in the CTAPJCL data set that restores the BES primary database from a backed-up copy of the BES mirror database.

BESDCLST

BESDCLST is a member in the CTAPJCL data set that lists the DFSMS data classes that have valid BES information in the data class description field.

BESDTAIL

BESDTAIL is a member in the CTAPJCL data set that produces a disk file of the last 1,000 encryption and decryption detail records in the BES data space.

BESEARL

BESEARL is a CA Tape Encryption procedure used to create batch reports about encryption and decryption activity.

BESEREP

BESEREP is a member in the CTAPJCL data set that copies the active SYS1.LOGREC data set to a disk data set and reports the contents.

BESEXT

BESEXT is an internal CA Tape Encryption program that manages BES control block allocation.

BESGTFPM

BESGTFPM is a member in the CTAPJCL data set that contains the IBM Generalized Trace Facility (GTF) parameters used as input for the BESGTF procedure, which is distributed in the CTAPPROC library. This program is used to trace specific tape unit activity.

BESICSF

BESICSF is a member in the CTAPJCL data set that inspects your z/OS system and reports details on ICSF, cryptographic coprocessors, and CA Tape Encryption tape interface and service modules in storage.

BESIVP

BESIVP is a member in the CTAPJCL data set that performs verification of a successful CA Tape Encryption installation.

BESJIPC2

BESJIPC2 is a member in the CTAPJCL data set that formats log entries from the BES log data space (in storage) and saves them to a DASD data set.

BESJIPCS

BESJIPCS is a member in the CTAPJCL data set that formats selected log entries from a DASD log stream and saves them to a DASD data set.

BESLOGR

BESLOGR is a member in the CTAPJCL data set that copies selected entries from a DASD log stream to a sequential file. Send the output file from this job to Technical Support for problem analysis when requested.

BESMDB (BES mirror database)

See BES mirror database.

BESPALC

BESPALC is a member in the CTAPJCL data set that deletes and redefines a single database for CA Tape Encryption. The database is either the BES primary database or the BES mirror database.

BESPARMS

BESPARMS is a sample parmlib member that contains a directory, or index, to the remaining parmlib members and sections used by CA Tape Encryption.

BESPCMDS

BESPCMDS is a sample parmlib member that contains operator console commands processed by CA Tape Encryption before starting the actual shutdown process.

BESPCOPY

BESPCOPY is a member in the CTAPJCL data set used for copying the BES mirror database to the BES primary database when the BES primary database is corrupted or unusable.

BESPDB (BES primary database)

See BES primary database.

BESPRTTP

BESPRTTP is a member in the CTAPJCL data set that prints the contents of the header labels, a portion of the data, and the trailer labels of a tape file encrypted by CA Tape Encryption.

BESPVAL

BESPVAL is a member in the CTAPJCL data set that validates the input parameters of a BES started task. This job is useful for checking new parameters without having to use the started task as the validation mechanism.

BESSCMDS

BESSCMDS is a sample parmlib member that contains operator console commands processed by CA Tape Encryption before starting the actual shutdown process.

BESSHOW

BESSHOW is a member in the CTAPJCL data set that produces a list of the BES system parameters, symmetric key labels, and RSA key labels.

BrightStor Encryption Subsystem (BES) database

See BES primary database (BESPDB).

BTE09PRC

BTE09PRC is a member in the CTAPJCL data set that copies members from the CTAPPROC library to the system procedure library that you specify.

BTE10DDB

BTE10DDB is a member in the CTAPJCL data set that allocates both the BES primary database and the BES mirror database.

BTE_HOME

BTE_HOME is a Java-related environment variable used with the Multiplatform Decryption Utility.

business partner

Business partner, for CA Tape Encryption, refers to a recipient of an encrypted tape who is outside of the organization that created the tape, for example, another company. The organization that creates the encrypted tape and the business partner agree to use CA Tape Encryption for transferring sensitive data between the two organizations.

business-to-business (B2B) tapes

Business-to-business (B2B) tapes are sent outside the organization, for example to another company or business partner. The data on a B2B tape is encrypted using a randomly generated symmetric key.

CA ACF2

CA ACF2 is a CA external security system for mainframe systems.

CA LMP

The CA License Management Program (CA LMP) provides a standardized and automated approach to the tracking of licensed software. It uses common realtime enforcement software to validate the user's configuration. CA LMP reports on activities related to the license, usage and financials of CA products.

CA Top Secret

CA Top Secret is a CA external security system for mainframe systems.

CA Vantage Graphical Management Interface (GMI)

CA Vantage Graphical Management Interface (GMI) is the GUI that allows you to view and manage information about storage management product activity, including CA Tape Encryption. It consists of the Windows Client GUI, which interfaces with a z/OS server component to allow access to basic z/OS server functions.

CA@BES

CA@BES is a general resource security class for use with CA Tape Encryption in z/OS environments. This class lets you use security profiles defined in your external security system to manage tape encryption, control access to key and code book data, and control access to CA Tape Encryption commands.

CAI.SAMPJCL

The CAI.SAMPJCL file on the CA Tape Encryption distribution tape contains the JCL needed to install CA Tape Encryption.

CTAPPROC library

The CTAPPROC library is a partitioned data set where all of the CA Tape Encryption procedures (PROCS) are installed.

CAIRIM

CAI Resource Initialization Manager (CAIRIM) is the common driver for a collection of dynamic initialization routines that eliminate the need for user SVCs, SMF exits, subsystems, and other installation requirements commonly encountered when installing systems software. These routines are grouped under the CA dynamic service code, S910.

CTAPJCL

CTAPJCL is the data set in which jobs and utilities for CA Tape Encryption are distributed.

certification authority

A certification authority, or certificate authority, also known as a trusted third-party, is a provider of digital certificates for use with public key/private key cryptography.

CKDS (Cryptographic Key Data Set)

See Cryptographic Key Data Set (CKDS).

clear

Clear, in cryptography, indicates that no encryption is performed. The CLEAR option for an encryption algorithm in CA Tape Encryption is used for testing purposes.

clear key

A clear key is a key that has not been encrypted. Keys in CA Tape Encryption are never kept in the clear. They are always encrypted using another key.

code book

A code book is a file that contains a number of possible codes that CA Tape Encryption might use to form a unique symmetric key. The key is used to encrypt data files on B2B tapes for business partners who need to decrypt and read your data in a non-z/OS environment, such as Windows or Linux. CA Tape Encryption can build one or more electronic code books, which are stored in the BES database.

CodeBook attribute

The CodeBook attribute or option in the B2BCodeBooks section in parmlib identifies a customizable section name for a specific code book for CA Tape Encryption. Each CodeBook defined in the B2BCodeBooks section must be further described in its own CodeBook section.

Command Protection Profiles

Command Protection Profiles are a set of entities defined to the OPERCMDS resource class that specifies a list of protected CA Tape Encryption system commands. Command protection profiles are prefixed by either "BES" or "BESn" and can be 39 characters in length.

Compression

Compression is the process of reducing the size that data occupies on electronic media.

Compression algorithm

A compression algorithm is a finite set of rules used to collect and assign values to the characters found in a string of data so that the data takes less space.

Compression overhead

Compression overhead is the processing required to compress data as it is transferred from the application to the data set or storage media.

compromised key

A compromised key is a key that is no longer secure. The concept of a compromised key is documented in the FIPS 140-2 standard as one of a number of possible key states. Marking a key as compromised provides a special indication that the key may have been exposed outside the intended security community.

CP Assist for Cryptographic Functions (CPACF)

The IBM CP Assist for Cryptographic Functions (CPACF) feature is a standard component incorporated into all IBM System z central processors. On z890, z990, and z9 processors this feature is exploited by CA Tape Encryption to perform hardware-based one-way hashing and cryptography on supported algorithms.

Crypto Express2

The IBM Crypto Express2 Coprocessor is an optional FIPS 140-2 certified IBM PCI cryptographic coprocessor card for the z890, z990, or z9 platforms.

cryptographic coprocessor

A cryptographic coprocessor is a separate processor, in a combined hardware and software facility, designed for cryptographic functions. Because cryptographic functions can be processor-intensive, a cryptographic coprocessor can perform cryptographic tasks that would otherwise need to be performed by the central processor.

cryptographic facility

See cryptographic coprocessor.

cryptographic hardware

Cryptographic hardware provides various cryptographic services. Some cryptographic hardware is used by CA Tape Encryption to improve performance or to satisfy ICSF requirements.

Cryptographic Key Data Set (CKDS)

The Cryptographic Key Data Set (CKDS) is a specialized data set that ICSF uses to store cryptographic keys. For CA Tape Encryption tapes encrypted for in-house use, symmetric keys can be stored in the ICSF CKDS.

CSA utilization

Common Service Area (CSA) utilization, in z/OS, refers to the amount of common area address space that can be addressed. The BESn CSA command can be used to display CA Tape Encryption CSA utilization.

data class

See DFSMS data class.

Data Encryption Standard (DES)

Data Encryption Standard (DES) is a standard cryptographic algorithm for symmetric cryptography that can be applied in different encryption strengths. CA Tape Encryption supports algorithms for DES64, 3DES128, and 3DES192. For more information about the DES algorithm and CA Tape Encryption, see the Configuration Guide.

Data Facility Storage Management Subsystem (DFSMS)

Data Facility Storage Management Subsystem (DFSMS) is an IBM operating environment used to help manage storage operations. CA Tape Encryption can use DFSMS data classes to identify which tape files to encrypt.

Data Set Selection Profile

A Data Set Selection Profile is a set of entities defined to the CA@BES resource class that can select tape data sets for encryption processing. Data set selection profiles consist of two components: the data set name and the encryption parameter. Each profile is prefixed with "DSN" and can be a maximum of 49 characters in length.

deactivated key

A deactivated key is one that is no longer needed for encryption. Keys are deactivated during the regeneration process or because the key has been compromised and is no longer secure.

decryptfile

Decryptfile is a utility for decrypting a data file that is used with the Multiplatform Decryption Utility (MDU) command line interface.

decryption

Decryption is the cryptographic process of deciphering encrypted data.

DES (Data Encryption Standard)

See Data Encryption Standard.

DES64

DES64 specifies the DES algorithm using a 64-bit key. See Data Encryption Standard (DES).

DFSMS (Data Facility Storage Management Subsystem)

See Data Facility Storage Management Subsystem (DFSMS).

DFSMS data class

A DFSMS data class is a list of attributes that the z/OS system uses when creating a data set. CA Tape Encryption can use DFSMS data classes to identify which tape files to encrypt. A data class may be assigned by coding the DATACLAS JCL parameter or the data class may be assigned dynamically by the DFSMS ACS routines.

digital certificate

A digital certificate is an electronic method for verifying the identity of the sender of electronic information. For use with PKI encryption techniques, it can contain the public key of the owner of the certificate. Digital certificates are issued by and verified by certification authorities. The B2B encryption feature of CA Tape Encryption lets you share encrypted tapes between one organization and another using digital certificates.

Discrete Profiles

A discrete profile is a resource profile that provides security system protection for a single resource.

distributed business partner

A distributed business partner is a CA Tape Encryption business partner running a distributed system such as Windows, Linux, or UNIX, who needs to process tapes that were encrypted by CA Tape Encryption on the mainframe.

dynamic options

Dynamic options are options in the DynamicOptions attributes section of parmlib used to specify the behavior of CA Tape Encryption when it is active.

EARL Service

The Easy Access Report Language (EARL) Service is a subset of CA Earl, a user-friendly report definition facility with the power of a comprehensive programming system.

electronic code book

See code book.

encryption

Encryption is the process of obscuring the meaning of a message or data using an enciphering mechanism or key so that the data can only be read, that is, decrypted, by a recipient of the data who possesses a corresponding key.

Encryption Parameter

Encryption Parameter is a component of the data set selection profile that specifies the CA Tape Encryption subsystem and encryption key to be used when the data set is encrypted. The encryption parameter is defined within CA@BES and is defined on the APPLDATA field of the RDEFINE command for RACF, the PERMIT command for CA Top Secret, or the $USERDATA field on the CA ACF2 key set.

failover

Failover is a technique for one system to automatically assume the work of another system that has failed for whatever reason. For CA Tape Encryption, a specified BES subsystem can be eligible to assume BES services for a BES subsystem with similar attributes that has failed on the same LPAR or that is not active.

Federal Information Processing Standards (FIPS 140-2)

Federal Information Processing Standards (FIPS 140-2) is a set of standards published by the U.S. National Institute of Standards and Technology (NIST) that provides specifications for the standard use of cryptographic techniques for federal agencies to use for electronic cryptographic purposes. These standards are widely used by business and non-government organizations.

FIPS (Federal Information Processing Standards)

Federal Information Processing Standards (FIPS) are publicly announced standards developed by the United States Federal government for use by all non-military government agencies and by government contractors.

FIPS compliance

FIPS compliance refers to cryptographic techniques that adhere to FIPS standards.

FIPS mode

FIPS mode is an option in CA Tape Encryption for specifying the use of encryption algorithms that meet FIPS 140-2 requirements. In this mode, algorithms that do not meet these requirements cannot be used.

Fully-qualified Profiles

A fully-qualified profile is a resource profile that provides security system protection or data set selection for a resource whose name is an exact match of the resource definition.

Generic Profiles

A generic profile is a resource profile that provides security system protection for one or more resources.

GLOBAL Security Parameter

GLOBAL Security Parameter is a SAF Interface processing parameter or definition that will be used by all CA Tape Encryption subsystems running on the LPAR. Global security parameters are entities defined to the CA@BES or OPERCMDS resource classes and are defined by using the prefix BES without an associated subsystem identifier. Contrast with local security parameter.

GMI (Graphical Management Interface)

See Graphical Management Interface (GMI) and CA Vantage Graphical Management Interface (GMI).

Graphical Management Interface (GMI)

See CA Vantage Graphical Management Interface (GMI).

Huffman

Huffman refers to a compression algorithm that uses tables to replace each character by a variable-length bit string. The characters expected to occur most often are assigned the shortest bit lengths.

IBM Security Server RACF

IBM Security Server RACF is an external security system for mainframe systems.

ICSF (Integrated Cryptographic Service Facility)

See Integrated Cryptographic Service Facility (ICSF).

importcb

importcb is a utility for importing a code book using the Multiplatform Decryption Utility (MDU) command line interface.

in-house keys

In-house keys are symmetric keys used to encrypt data on tapes for internal use and for disaster recovery purposes. In-house keys are used for in-house tapes in CA Tape Encryption.

in-house tapes

In-house tapes are internal tapes for use inside an organization. This category includes tapes for disaster recovery sites. This type of tape is encrypted using a symmetric key. The encryption key must be available when the tape is created and when the tape is read.

Integrated Cryptographic Service Facility (ICSF)

The IBM Integrated Cryptographic Service Facility (ICSF) provides cryptographic hardware and software services for z/Series platforms. CA Tape Encryption exploits ICSF to create and manage cryptographic keys, and to provide selected algorithms for interfacing with cryptographic hardware.

Interactive Problem Control System (IPCS)

Interactive Problem Control System (IPCS) is an IBM component of z/OS used for problem management. CA Tape Encryption provides an IPCS VERBX exit to use during problem determination.

IXCMIAPU

The IBM IXCMIAPU Administrative Data Utility program is used to define log streams for the External Logger. CA Tape Encryption uses IXCMIAPU to create a DASD-only log stream of CA Tape Encryption log entries.

Java Cryptography Extension (JCE)

The Java Cryptography Extension (JCE) provides extensions for cryptographic functions in the Sun Java runtime environment (JRE). The CA Tape Encryption Multiplatform Decryption Utility (MDU) Java client exploits the capabilities of the JCE for managing AES algorithms.

Java runtime environment (JRE)

The Sun Java runtime environment (JRE) allows users to run Java applications.

JCE (Java Cryptography Extension)

See Java Cryptography Extension.

JRE (Java runtime environment)

See Java runtime environment (JRE).

key generation

Key generation is the process of creating cryptographic keys.

key index

See BES Key Index.

Key Protection Profiles

Key Protection Profiles are a set of entities defined to the CA@BES resource class that specifies a list of protected encryption or decryption keys. Key protection profiles are 120 characters in length and are prefixed by either "BES.keytype" or "BESn.keytype". Key types are: KEYCERT (digital certificates), KEYCODE (code books), and KEYSYMM (symmetric keys).

key removal

Key removal is the process of removing keys from the key repository that are no longer needed to decrypt data.

key repository

The key repository is where keys for encryption and decryption are stored. CA Tape Encryption can store keys in the ICSF CKDS and the BES database.

key ring

A key ring is a collection of digital certificates. On a mainframe system, key rings belong to specific users. The certificates on one user's key ring are not accessible to any other user. By allowing the CA Tape Encryption started task to access key rings, the program can refer to them when needed.

Keyhash

Keyhash is an option in the StartupOptions parmlib member that specifies the hashing algorithm to use for the key verification hash for symmetric keys.

LOCAL Security Parameter

LOCAL Security Parameter is a SAF Interface processing parameter or definition that will be used by a single CA Tape Encryption subsystem. Local security parameters are entities defined to the CA@BES or OPERCMDS resource classes and are defined by specifying the BESn prefix; the n is a BES subsystem number (1-8). Contrast with global security parameter.

master BES pass phrase(s)

BES supports single or dual pass phrases. The master BES pass phrases are the cryptographic pass phrases used to securely encrypt sensitive data in the BES database.

MD5

MD5 specifies the use of the MD5 hash algorithm. The MD5 algorithm is implemented through software built into CA Tape Encryption for compatibility purposes. MD5 should not be used unless SHA-1 or SHA-256 are not available (for example, the database is shared with an older release of CA Tape Encryption where SHA-1 and SHA-256 require hardware which is not available).

MDU (Multiplatform Decryption Utility)

See Multiplatform Decryption Utility (MDU).

MDUGUI

MDUGUI is the name of the file used to specify environment variables for starting the Multiplatform Decryption Utility (MDU). On Windows the file is MDUGUI.bat. On Linux and UNIX the file is MDUGUI.sh.

MOD processing

MOD processing is used with CA Tape Encryption to read back a tape you just created or add data to an encrypted tape.

Multiplatform Decryption Utility (MDU)

The Multiplatform Decryption Utility (MDU) is a Java-based program that enables Windows, Linux and UNIX users to decrypt files that were encrypted with CA Tape Encryption. It allows businesses running CA Tape Encryption on a z/OS system to share their encrypted data with business partners who are running non-z/OS systems.

one-way hash

A one-way hash is a hashing function such as MD5 or SHA-1 that creates a unique binary string based on a portion of the encoded information, and is used to verify that the information has not been tampered with.

OPERCMDS

OPERCMDS is a general resource security class for use with CA Tape Encryption and other system software that is used to control who can issue operator commands (for example, CA Tape Encryption, JES, or MVS system commands).

parmlib

Parmlib is the parameter library where attributes are stored for running a product on z/OS.

pass phrase

A pass phrase is like a password, but longer. It is a phrase of alphanumeric characters, and is converted into a machine-readable cryptographic key to protect data against unauthorized access. CA Tape Encryption uses single or dual pass phrases to protect the BES database. Typically a pass phrase is a meaningful phrase that is kept secret, and only made available to authorized users.

passkey

A passkey is a phrase used to encrypt an exported code book for CA Tape Encryption. Encrypting the code book allows you to safely exchange it with your non-z/OS business partners.

PCI (Peripheral Component Interconnect)

See Peripheral Component Interconnect (PCI).

PCI cryptographic coprocessor

See cryptographic coprocessor.

PCIXCC

PCIXCC is a specialized IBM coprocessor used to provide cryptographic services for z890 and z990.

Peripheral Component Interconnect (PCI)

Peripheral Component Interconnect (PCI) refers to peripheral components that can be added to a computer. The term originally referred to local I/O bus connectors, but it is now widely used to refer to many add-on components.

PERMIT Security

PERMIT Security is a SAF Interface scope processing parameter that specifies that all users of CA Tape Encryption have implicit access to all resources. The PERMIT security scope parameter can be defined at either the LOCAL or GLOBAL level.

PKA (public key algorithm)

See public key algorithm (PKA).

PKI (public key infrastructure)

A public key infrastructure (PKI) is the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates.

PROTECT Security

PROTECT Security is a SAF Interface scope processing parameter that specifies that all CA Tape Encryption resources are protected by default and that the security administrator must grant explicit permission to access a resource. The PROTECT security scope parameter can be defined at either the LOCAL or GLOBAL level.

public key

A public key is the portion of a public key/private key pair that is made available by the owner of the key pair, typically through a digital certificate, for others to use to encrypt information to send to the owner of the key.

public key algorithm (PKA)

Public key algorithm (PKA) refers to the use of asymmetric key pairs for encrypting and decrypting data.

public key encryption

Public key encryption involves the use of public key/private key pairs to send and receive data across networks.

public key infrastructure (PKI)

Public key infrastructure (PKI) refers to the infrastructure that lets users securely transfer information across networks using public key/private key cryptographic techniques, including the issuing and use of digital certificates by certification authorities.

public key/private key pair

Public key/private key pair refers to the pair of cryptographic keys used for securely sending and receiving confidential information. The owner of the public key makes the public key available to any party that wants to send encrypted information to the owner. Anyone wishing to send encrypted information to the owner of the public key uses the public key to encrypt the information. The encrypted information can only be decrypted by using the corresponding private key. The owner of the secret private key of the public key/private key pair uses the private key to decrypt the information. The public key and private key are mathematically related, which allows the information encrypted by the public key to be decrypted only by the private key.

RACF

See IBM Security Server RACF.

regeneration

Regeneration is the process in CA Tape Encryption of generating symmetric keys in advance based on the interval specified by the Regenerate attribute in parmlib. A new key is generated, and unneeded keys are deactivated during the regeneration process.

Retired key

A retired key is an instance of a key that in the normal course of its use is no longer needed for reading encrypted tapes and can be destroyed.

RIMLIB

RIMLIB was a related installation material library file on CA installation tapes. It is replaced by the CAI.SAMPJCL file. See CAI.SAMPJCL.

RingAlias options

RingAlias options in the DynamicOptions section of parmlib for CA Tape Encryption specify parameters for the key ring alias names specified in the B2BKeyrings section.

RSA algorithm

The RSA algorithm is a widely used algorithm for public/private key cryptography; CA Tape Encryption uses it for creating B2B tapes. RSA stands for Rivest, Shamir, and Adleman, the inventors of the algorithm.

SAF

See System Authorization Facility.

SAF Interface

SAF Interface is a set of programs that allow CA Tape Encryption to use the services of CA ACF2, CA Top Secret or IBM Security Server RACF to secure system resources (for example, system commands, encryption keys, and so on) and a method of selecting data sets for encryption.

scratched

Scratched refers to tapes that contain data that is no longer needed. The tape is considered a scratch tape that can be overwritten.

secure key processing

Secure key processing is a method in CA Tape Encryption that lets you store and manage your cryptographic keys so that they never appear in clear form, using the ICSF CKDS. It is specified using the SecureKeysOnly option, and can be specified for all keys or only for specific keys.

SecureKeysOnly

The SecureKeysOnly option in CA Tape Encryption lets you generate new keys using the secure key services of ICSF. This option can be used in the StartupOptions section of parmlib to secure keys globally, or in specific symmetric key definitions in the symmetric key attribute section in parmlib to secure keys individually. With this option in effect, new keys are always stored in the ICSF CKDS.

security profiles

Security profiles let you manage tape encryption processing through your external security system: CA ACF2, CA Top Secret, or IBM Security Server RACF.

security system

A security system such as CA ACF2, CA Top Secret, or IBM Security Server RACF, provides security services for mainframe computer systems. These external security systems can be used by CA Tape Encryption to coordinate the use of digital certificates and to provide protection of resources.

SHA-1

SHA-1 specifies the use of Secure Hash Algorithm-1.

SHA-256

SHA-256 specifies the use of Secure Hash Algorithm-256.

Shared Key Rings

Shared key rings are owned by the CA Tape Encryption address space and are shared by all users and tape jobs.

ShareRingAlias

The ShareRingAlias attribute in the RingAlias section of the B2BRings member in parmlib for CA Tape Encryption assigns a set of attributes defined by a customizable section name to a key ring. The assigned value must be a section name defined in the same parmlib member. You can have as many ShareRingAlias names as necessary. The key ring referenced by the ShareRingAlias must be owned by the BES address space that will perform B2B encryption.

single-use symmetric key

A single-use symmetric key is used to encrypt B2B tapes, which means that each encrypted tape file is encrypted with a different symmetric key.

SMF (system management facilities)

SMF (system management facilities) is an IBM z/OS system monitoring program.

SMS (Storage Management Subsystem)

See Data Facility Storage Management Subsystem (DFSMS).

SMS data class

See DFSMS data class.

special secure mode (SSM)

Special secure mode (SSM) is an ICSF parameter that controls the ability of your system to permit or prohibit the use of clear keys.

StartupOptions

StartupOptions are CA Tape Encryption options in the STARTUP member of parmlib that are loaded at initialization.

StatsSMFRecordSubtype

StatsSMFRecordSubtype specifies the subtype number of the CA Tape Encryption data structure that is placed in the SMF record when SMF records for encryption and decryption are created.

StatsSMFRecordType

StatsSMFRecordType specifies a unique record type number that identifies CA Tape Encryption SMF records.

Storage Management Subsystem (SMS)

See Data Facility Storage Management Subsystem (DFSMS).

Sun Java Cryptography Extension (JCE)

See Java Cryptography Extension (JCE).

Sun Java Runtime Environment (JRE)

See Java runtime environment (JRE).

SYMKEYS

SYMKEYS is a CA Tape Encryption parmlib member that contains symmetric key options in the SymmetricKeys attributes section used to specify the types of keys that CA Tape Encryption employs to encrypt tapes.

symmetric cryptography

Symmetric cryptography is a cryptographic technique that uses the same key to encrypt and decrypt the data, hence symmetric. The sender encrypts the data with the same key that the recipient uses to decrypt the data. CA Tape Encryption uses symmetric cryptography for in-house tapes.

System Authorization Facility (SAF)

System Authorization Facility (SAF) is an interface defined by MVS that enables programs to use a common system authorization service to control access to resources. SAF requests are processed by CA ACF2, CA Top Secret, or RACF, or directly by SAF itself.

Tape Exit Points (TEP)

Tape exit points are user exits to tape OPEN, CLOSE, and EOV routines. CA Tape Encryption dynamically intercepts the exit point and passes control to TBETEP. TBETEP examines operating system control blocks to determine if a tape file should be encrypted or decrypted.

TBEBOOK

The TBEBOOK export utility is used in a z/OS environment to export code books and related information for use by business partners running a supported non-z/OS environment.

TBECMD

TBECMD is a CA Tape Encryption command processor subtask that processes all the BESn commands issued by the operator.

TBEKMINI

TBEKMINI is the BES Key Management Initialization module.

TBEKMMIG

TBEKMMIG is an internal BES key service routine.

TBEKMUTL

TBEKMUTL is a key management utility for CA Tape Encryption, used to process an extract file of information about symmetric keys from the tape management system. This extract file identifies specific instances of symmetric keys that are no longer in use so that the keys can be marked for deletion.

TBEMIGRT

TBEMIGRT is a CA Tape Encryption utility for managing symmetric keys when you prepare for or perform disaster recovery. Use it to run jobs to copy or move keys from an ICSF CKDS database to the CA Tape Encryption database and back.

TBERPT01

TBERPT01 is a job that creates an EARL summary report of the number of files encrypted and decrypted each month for the last 12 months.

TBERPT02

TBERPT02 is a job that creates an EARL report on the last 1000 encryption or decryption actions for a BES subsystem.

TBESAF00

TBESAF00 is a set of programs that provides the interface between CA Tape Encryption and your z/OS external security manager.

TBESAF99

TBESAF99 is a batch utility program that generates commands for CA Tape Encryption security profiles that can be imported into your external security system.

TBESHOW

TBESHOW is the main program in CA Tape Encryption that collects and displays system information.

TBETEP

TBETEP is a CA Tape Encryption program that takes control for CA Tape Encryption when tape files are opened for read or write processing. See also Tape Exit Points (TEP).

TDES (Triple Data Encryption Standard)

See Triple Data Encryption Standard (TDES).

TEP

See Tape Exit Points (TEP).

Triple Data Encryption Standard (TDES)

Triple Data Encryption Standard (TDES) is an encryption algorithm using a 128-bit key or a 192-bit key. Triple refers to using the DES algorithm three times to encrypt the data for added security.

Triple DES

See Triple Data Encryption Standard (TDES).

user key ring

A user key ring identifies a key ring that is owned by the user or tape job and is therefore not shared by other users or tape jobs.

UserRingAlias

UserRingAlias is an option in the B2BKeyRings section of the B2BRINGS parmlib member that is used to assign a set of attributes defined by a customizable section name to the key ring that is owned by the user.

Utility Protection Profiles

Utility Protection Profiles are a set of entities defined to the CA@BES resource class that specify which CA Tape Encryption utility programs are protected and which users can run each utility. Utility protection profiles are prefixed by either "BES.UTILITY" or "BESn.UTILITY" and can be up to 120 characters in length.

Windows Client GUI

The Windows Client GUI is the component of the CA Vantage GMI installed on a PC.

X.509

X.509 is a commonly used standard for PKI that defines, among other things, the format of digital certificates.

z/OS server

The z/OS server portion of the CA Vantage GMI performs the data retrieval and actions that you request from the GMI Windows Client GUI. It does this for the objects provided by CA Tape Encryption and for other basic storage management objects.

z/OS server objects

z/OS server objects in the CA Vantage GMI provide information about basic storage objects on a z/OS server, including CA Tape Encryption.

z9

z9 refers to IBM z9 Business Class (BC) and z9 Enterprise Class (EC) systems.

z9 Crypto Express2 coprocessor

See Crypto Express2.