Use the startup options in the StartupOptions attributes section to specify the behavior of CA Tape Encryption when it is started.
Consider the following when using these options:
The following startup options are available:
Determines if the B2B digital certificates stored in the key rings specified in the B2BRings parmlib member are loaded once at BES startup and retained in storage.
(Default) Indicates that the digital certificates stored in the key rings specified in the B2BRings parmlib member are loaded once at system startup and kept in storage for the duration of the BES address space. This option provides the best performance because your security product is queried only once. However, updates to digital certificates are only retrieved during the next startup, or as a result of issuing the REFRESH=KEYRINGS command.
Indicates that the digital certificates stored in the key rings specified in the B2BRings parmlib member are not kept in storage. Each time a digital certificate is required by an application to encrypt or decrypt a B2B tape, the digital certificate is loaded from the security database. The digital certificate is reloaded for every B2B tape data set that requires it.
Specifies the encryption algorithm to use when encrypting every symmetric key saved in the BES database. This encryption value is used to protect the keys stored in the BES database, and is distinct from the algorithm used to encrypt the data on a tape.
(Default) Specifies the AES algorithm using a 128-bit key.
Specifies the Triple DES algorithm using a 192-bit key.
Note: When CA Tape Encryption runs on a z/OS platform without ICSF and without CPACF, the cryptographic algorithms that its parmlib values can name are limited to those built into CA Tape Encryption as software implementations. On such a platform, BESDBEncryptionAlgorithm must be set to AES128.
Determines if the name of the BES mirror database is allocated by JCL or dynamically allocated by CA Tape Encryption. Any value specified other than JCL is assumed to be the data set name of the mirror copy of the BES database and will be dynamically allocated.
(Default) Indicates that the BESMDB DD in the JCL procedure allocates the mirror BES database.
The data set name of the BES mirror database. Indicates that dynamic allocation is used to allocate the BES mirror database. If the BESMDB DD is coded in the BES JCL procedure, it must point to the same data set name coded for the attribute. An inconsistency will generate a critical error aborting the subsystem initialization. If the BES primary data set name is coded for this attribute, CA recommends that you comment out or delete the BESMDB DD in the BES JCL procedure.
If installing in multiple environments with separate primary and mirror databases, use a different name for the primary and mirror databases in each environment. CA Tape Encryption creates an internal database ID by hashing the data set name of the primary database. The hashed name is saved in the database and in the user header label of each encrypted tape. If the same database name is used in different sites, CA Tape Encryption may find a database with a matching internal database ID but the wrong symmetric key. This results in the message:
BESnT0304E Key not available on this system - Tape cannot be decrypted.
Determines if the name of the BES primary database is allocated by JCL or dynamically allocated by CA Tape Encryption. Any value specified other than JCL is assumed to be the data set name of the BES primary database and will be dynamically allocated.
(Default) Indicates that the BESPDB DD in the JCL procedure allocates the BES primary database.
The data set name of the BES primary database. Indicates that dynamic allocation is used to allocate the BES primary database. If the BESPDB DD is coded in the BES JCL procedure, it must point to the same data set name coded for the attribute. An inconsistency will generate a critical error aborting the subsystem initialization. If the BES primary data set name is coded for this attribute, we recommend that you comment out or delete the BESPDB DD in the BES JCL procedure.
If installing in multiple environments with separate primary and mirror databases, use a different name for the primary and mirror databases in each environment. CA Tape Encryption creates an internal database ID by hashing the data set name of the primary database. The hashed name is saved in the database and in the user header label of each encrypted tape. If the same database name is used in different sites, CA Tape Encryption may find a database with a matching internal database ID but the wrong symmetric key. This results in the message:
BESnT0304E Key not available on this system - Tape cannot be decrypted.
Specifies whether to use only FIPS-compliant encryption algorithms and standards.
Specifies that FIPS compliance is enabled. Only FIPS-compliant encryption algorithms can be used for tape encryption.
(Default) Specifies that FIPS compliance is not enabled. FIPS enforcement is not in effect. The use of a cryptographic PCI card is optional. Both FIPS-compliant algorithms and non-FIPS-compliant algorithms can be used for tape encryption.
Specifies the hashing algorithm to use for the key verification hash for symmetric keys. This value must be enclosed in single quotes. Use the strongest algorithm supported by your configuration.
Important! If the Keyhash value is changed for any reason, you must re-specify the pass phrase used to protect the database on startup after the attribute change.
Specifies the use of the MD5 hash algorithm. The MD5 algorithm is implemented through software that is built into CA Tape Encryption for compatibility purposes and should not be used unless for some reason SHA-1 or SHA-256 are not available (for example, the database is shared with an older release where SHA-1 and SHA-256 require hardware which is not present).
(Default) Specifies the use of Secure Hash Algorithm-1 (implemented through software built into CA Tape Encryption).
Specifies the use of Secure Hash Algorithm-256 (implemented through software built into CA Tape Encryption).
CA Tape Encryption tests the selected hashing algorithm and does not complete the startup or options refresh if the algorithm is not available on the running LPAR. If you share a BES database between multiple systems you must select a hashing algorithm that is available on all of these systems.
Note: All of the algorithms are supported in software.
Determines the storage location of the symmetric keys.
(Default) Stores the symmetric keys in the Integrated Cryptographic Service Facility (ICSF) Cryptographic Key Data Set (CKDS) database. If this option is specified and the CKDS is not available, the BES primary database and BES mirror database are automatically used to store the keys.
Stores the symmetric keys in the BES database.
Important! Even if you choose to save your symmetric keys in the BES database, you must start the ICSF started task on z800 and z900 platforms because ICSF provides support for accessing the CCF facility.
Specifies the monthly number of encrypted data sets licensed for CA Tape Encryption. This parameter applies only to CA Tape Encryption customers licensing any of the product options. Valid values are:
Indicates a Large licensing option. Your license does not limit the number of encrypted data sets generated at this site in a month.
(Default) Indicates a Small licensing option. Your license allows up to 300 encrypted data sets generated at this site in a month.
Indicates a Medium licensing option. Your license allows up to 1,000 encrypted data sets generated at this site in a month.
Important! It is a violation of the license agreement to specify a value for this parameter other than the actual licensed monthly maximum number of encrypted data sets.
Note: For information about monthly licensing restrictions, see the chapter “Managing Operations.”
Specifies the size in KB of the Extended Common Storage Area (ECSA) used by enhanced logging to temporarily store event log records when the log data space cannot be accessed. This area is acquired during initialization. You do not need to change the size unless records are missing from the logger files. Indicates the size of the ECSA area in KB.
Valid values: 4 to 16
Default: 8
Specifies the size in MB of the enhanced log data space used for event log records. Indicates the size of the data space used by the Internal Logger in MB.
Valid values: 1 to 16
Default: 8
Specifies the four-character value for all messages issued by a CA Tape Encryption subsystem.
(Default) Indicates that this system symbol will be translated to the CA Tape Encryption subsystem number, BESn where n is 1-8, depending on which subsystem issues the message. For example, all messages issued by subsystem BES1 will start with BES1, as in BES1QQ851E. All messages issued by subsystem BES2 will start with BES2, as in BES2QQ851E.
Any four-character value or a variable that will be translated to a four-character value. If four characters are entered, for example, TEST, all messages issued by all CA Tape Encryption subsystems using this parmlib will start with TEST, as in TESTQQ851E.
Note: Do not change the default value unless another software product is using the same message prefix as CA Tape Encryption.
Specifies the number of pass phrases used to encrypt the primary and mirror databases. When set to 1, the PassPhraseID1 and PassPhraseID2 parameters are ignored. The following console message is displayed:
BES4KM597W Enter new database pass phrase
If a database has been initialized with a single pass phrase and the PassPhraseCount is subsequently set to 2, the next time that BES is started, the following message appears:
BES4KM990I Switching from pass phrase count of 1 to 2
You are then prompted for the old pass phrase and the two new dual pass phrases.
Other BES address spaces sharing this database detect the change in pass phrase and query for the new dual pass phrases. All BES address spaces sharing the same database must be at a maintenance level that supports the PassPhraseCount attribute or they will be unable to query for the dual pass phrases.
Default: 1
When PassPhraseCount is set to 2, the PassPhraseID1 and PassPhraseID2 values distinguish which pass phrase is required. With the default values of 'first' and 'second', the following console messages appear:
BES4KM597W Enter new first database pass phrase
BES0KM598W Confirm first pass phrase
BES4KM597W Enter new second database pass phrase
BES0KM598W Confirm second pass phrase
PassPhraseID1 and PassPhraseID2 may contain any string up to 32 characters in length. For example, using 'Storage Administrator' and 'Security Administrator' produces:
BES4KM597W Enter new Storage Administrator database pass phrase
BES0KM598W Confirm Storage Administrator pass phrase
BES4KM597W Enter new Security Administrator database pass phrase
BES0KM598W Confirm Security Administrator pass phrase
Determines the route code or codes for CA Tape Encryption to use for high priority console messages.
(Default) Indicates that a route code of 1 (master console) should be used.
A single valid route code that specifies a single route code to use for high priority console messages.
Specifies the multiple route codes to use for high priority console messages.
Determines the route code or codes for CA Tape Encryption to use for normal priority console messages. The following valid values are available for this option:
(Default) Indicates that the ROUTCODE keyword value on the DEFAULT statement in the CONSOLxx member of SYS1.PARMLIB or SYSn.IPLPARM should be used.
A single, valid route code that specifies a single route code to use for normal priority console messages.
Specifies the multiple route codes to use for normal priority console messages.
Determines if secure keys are enforced by routing all or selected encryption and decryption processes through an optional FIPS 140-2 certified IBM PCI cryptographic coprocessor card such as the PCIXCC or Crypto Express2 on the z890, z990, or z9 platforms.
When the SecureKeysOnly attribute is set to Y in the StartupOptions section, all of the symmetric key definitions defined to parmlib must be set to an algorithm that ICSF supports for using secure keys. With this option in effect, algorithms that ICSF only supports for using clear keys cannot appear in parmlib. As of HCR7731, AES is only supported using clear keys in ICSF. Therefore, AES keys are not allowed when this option is set. The exception to this rule is that keys using the CLEAR algorithm are allowed. The CLEAR algorithm is used to test your CA Tape Encryption subsystem but does not actually perform any encryption of data, and does not involve secure keys or clear keys.
Note: These optional IBM PCI cryptographic coprocessors are not designed to handle large amounts of data and can greatly affect the run times of tape jobs when encryption or decryption is employed. For this reason, CA does not recommend forcing all encryption and decryption activities through these external PCI cryptographic co-processors.
The following valid values are available for this option:
(Default) Disallows the use of secure keys. This option improves encryption performance by routing cryptographic processing through CPACF on z890, z990, and z9 processors.
Globally enforces the use of secure keys for all cryptographic processing. When this option is specified, secure keys are always stored in the ICSF CKDS, even if BES is the value specified for the KeysDatabase attribute.
Note: IBM PCI cryptographic coprocessor cards may slow down I/O processing above the Missing Interrupt Handler (MIH) threshold for the device and MIH may begin taking corrective actions with the assumption that the device is no longer responding.
Before you enable SecureKeysOnly, you can verify that the MIH value for your virtual and physical tape drives is set at least to two minutes by executing the DISPLAY IOS,MIH console command. CA Vtape customers should also adjust the parmlib attribute MIHTimeoutValue to at least 120 seconds.
Allows selective enforcement of secure keys at the symmetric key name level in member SYMKEYS. When this option is in effect, specify SecureKeysOnly = Y for each symmetric key name definition for which you want to enforce secure keys.
Specifies the subtype number of the data structure placed in the SMF record when SMF records for encryption and decryption are created.
Note: The ellipsis indicates that more than one subtype number can be displayed.
Indicates the subtype number for a data structure to write to the SMF record.
Indicates a range of subtype numbers for a data structure to write to the SMF record.
Range: 1 through 56
Limits: CA Tape Encryption supports subtype 32 (detail record) only.
Example 1: In this example, subtype record types 1, 2, 10, 11, 12, and 13 are written to the SMF records.
StatsSMFRecordSubtype=(1,2,10-13)
Example 2: In this example subtype record type 32 is written to the SMF records.
StatsSMFRecordSubtype=(32)
Specifies a unique record type number that identifies CA Tape Encryption SMF records. Use a number that is not already in use by another software product.
Indicates the record type for CA Tape Encryption SMF records.
Range: 128 to 255 for a non-IBM vendor record type.
(Default) Indicates that no CA Tape Encryption SMF records are created.
Determines if the zIIP processor is used. Specify this attribute only if your system supports the zIIP processor (z9 and later systems with the required level of z/OS). A companion parameter in the Dynamic Options member is required to specify what percentage of work is to be made eligible to run on the zIIP. See the discussion of the PercentRunOnzIIP= attribute later in this chapter.
Indicates that CA Tape Encryption is to use the zIIP processor. You must also specify a value greater than 0 for the PercentRunOnzIIP attribute in the Dynamic Options member to cause work to be made eligible for the zIIP.
(Default) Indicates that CA Tape Encryption will not use the zIIP processor.
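The following is an added example, not CA's own code, that checks a StartupOptions fragment against the constraints this reference states: the AES128 requirement without ICSF and CPACF, the compatibility-only status of MD5 for Keyhash, the 32-character limit on PassPhraseID1 and PassPhraseID2, and the 1 to 56 range and supported-subtype rule for StatsSMFRecordSubtype. The Name=Value line syntax, the sample fragment and the value spellings 'MD5' and TDES are assumptions; the page gives only the attribute names and the StatsSMFRecordSubtype examples verbatim.

```python
# Added example, not CA's code: check a StartupOptions fragment against constraints stated
# on this page. The Name=Value syntax and the value spellings 'MD5' and TDES are assumptions.
SUBTYPE_MIN, SUBTYPE_MAX = 1, 56   # StatsSMFRecordSubtype range stated on the page
SUPPORTED_SUBTYPES = {32}          # only subtype 32 (detail record) is supported
PASSPHRASE_ID_MAX = 32             # PassPhraseID1/2: any string up to 32 characters
SAMPLE = """\
BESDBEncryptionAlgorithm=TDES
Keyhash='MD5'
StatsSMFRecordSubtype=(1,2,10-13)
"""  # constructed sample fragment
def parse_startup_options(text):
    """Parse Name=Value lines into a dict, stripping the single quotes the page requires."""
    opts = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = (p.strip() for p in line.split("=", 1))
            opts[name] = value.strip("'")
    return opts

def parse_subtypes(spec):
    """Expand '(1,2,10-13)' into a sorted list, rejecting anything outside 1-56."""
    body = spec.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError(f"bad subtype list: {spec}")
    result = set()
    for item in body[1:-1].split(","):
        lo, _, hi = item.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if lo > hi or lo < SUBTYPE_MIN or hi > SUBTYPE_MAX:
            raise ValueError(f"subtype out of range {SUBTYPE_MIN}-{SUBTYPE_MAX}: {item}")
        result.update(range(lo, hi + 1))
    return sorted(result)

def check_startup_options(opts, icsf=True, cpacf=True):
    """Return findings for settings the page calls weak, invalid, or unsupported."""
    findings = []
    if opts.get("Keyhash") == "MD5":
        findings.append("Keyhash=MD5 is compatibility-only; prefer SHA-256")
    if not icsf and not cpacf and opts.get("BESDBEncryptionAlgorithm") != "AES128":
        findings.append("without ICSF and CPACF, BESDBEncryptionAlgorithm must be AES128")
    for key in ("PassPhraseID1", "PassPhraseID2"):
        if len(opts.get(key, "")) > PASSPHRASE_ID_MAX:
            findings.append(f"{key} exceeds {PASSPHRASE_ID_MAX} characters")
    try:
        extra = set(parse_subtypes(opts.get("StatsSMFRecordSubtype", "(32)"))) - SUPPORTED_SUBTYPES
        if extra:
            findings.append(f"SMF subtypes not supported: {sorted(extra)}")
    except ValueError as exc:
        findings.append(str(exc))
    return findings
```

Running `check_startup_options(parse_startup_options(SAMPLE), icsf=False, cpacf=False)` reports the MD5 hash, the non-AES128 database algorithm and the unsupported SMF subtypes; an empty list means the fragment satisfies every rule the check covers.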
Copyright © 2011 CA. All rights reserved.