Use the dynamic options in the DynamicOptions attributes section to specify the behavior of CA Tape Encryption when it is active.
While active, the CA Tape Encryption subsystem can dynamically reload the DynamicOptions attributes by using the following operator command:
BESn REFRESH=OPTION
where n is the number of the subsystem.
The following dynamic options attributes are available:
Specifies whether specific instances of keys are eligible to be removed permanently from the CKDS or BES key repository after being identified by the TBEKMUTL utility as no longer used by any tape data set. For information about this utility, see the chapter “Interfacing to Tape Management Systems.”
Indicates that any key instance identified as no longer used by any tape data set is eligible to be removed from the key repository 90 days after the last use of the key. To use this option, TMSUpdate must be set to Y, and your tape management system must support the CA Tape Encryption API.
(Default) Indicates that keys are not removed.
Specifies the enablement of the CA Encryption Key Manager Option for Application Management. This feature requires an LMP key.
Valid Values: Y and N
Default: N
Specifies the enablement of the licensed Key Manager Option feature. A Common Services LMP key must be installed prior to enabling this feature.
Valid Values: Y and N
Default: N
Specifies global options for applying compression to files that will be encrypted. The following valid values are available for this option:
Note: Values beginning with S are software compression methods. Values beginning with H are hardware-assisted compression methods. If you specify any of the values from S0 through S6 or H1 through H5 in the dynamic options, compression is turned on for all symmetric keys. Because of this, when you specify one of these compression methods, it overrides the Compression= attributes specified in the symmetric key options.
Specifies that the S0 compression method is applied. If this option is specified, it turns on compression for all symmetric keys. This value overrides the Compression= attributes specified in the symmetric key options.
(Default) Specifies that no compression is applied. If this option is specified, it overrides any Compression= attributes specified in the symmetric key options.
Indicates that compression is applied based on the Compression= attributes specified for individual keys in the symmetric key options.
Specifies a standard Run Length Encoding (RLE) algorithm primarily used for files that contain redundant alphanumeric data such as blanks, zeros, and asterisks. This is a high-speed software method equivalent to the CA-Compress method SUPEREXP.
Specifies a standard Huffman algorithm primarily used for files that contain alphanumeric uppercase data.
Specifies a standard Huffman algorithm primarily used for files that contain alphanumeric uppercase and lowercase data.
Specifies a standard Huffman algorithm primarily used for files that contain packed decimal data.
Specifies a standard Huffman algorithm primarily used for files that contain alphanumeric, 45 percent packed decimal data.
Specifies a standard Huffman algorithm primarily used for files that contain uppercase and lowercase, 35 percent packed decimal data.
Specifies a standard Huffman algorithm primarily used for files that contain alphanumeric, 20 percent packed decimal, binary data.
Specifies an adaptive Ziv-Lempel algorithm commonly referred to as LZ78. This method is effective in compressing data that is considered fairly "uncompressible" using other methods. Consider using the S8 method instead of S7 if the data is even somewhat compressible by the S0 method.
Specifies an adaptive Ziv-Lempel algorithm commonly referred to as LZ78, but the data is first compressed using the S0 method (RLE) to reduce the amount of data that must be processed by LZ78. For most data, S8 will use less CPU time than S7.
Specifies hardware compression algorithm number one.
Note: All hardware compression algorithms are based on the IBM Hardware Compression facility and use a Ziv-Lempel algorithm. These algorithms do not yield consistent results when compressing data that conforms to a specific data profile. To determine which compression algorithm works best with your data, use the TBECMPCA utility.
Specifies hardware compression algorithm number two.
Specifies hardware compression algorithm number three.
Specifies hardware compression algorithm number four.
Specifies hardware compression algorithm number five.
Note: The Compression= attribute specified in the dynamic options is applied globally and overrides any Compression= attribute in the symmetric key options.
Specifies the first four characters that form the dynamic console name.
If LPAR is coded, the SMF ID of the LPAR running this BES is used.
Valid Values: 1 to 4 characters
Default: LPAR
Specifies the host name to use with the SMTP HELO command. CA recommends using the default, 'JESNODE'. JESNODE causes BES to substitute the JES2 Node Name for this operand.
Valid Values: 1 to 8 characters
Default: JESNODE
Specifies the JES2 writer used when sending an email from BES. CA recommends setting this to SMTP.
Valid Values: 1 to 8 characters
Default: SMTP
Specifies the sysout class used for sending an email through the JES2 interface.
Valid Values: A thru Z and 0 thru 9
Default: B
Specifies the format of the email BES will send.
The email format will be in plain text with no HTML formatting.
(Default) The email will contain HTML formatting.
(Optional) Adds custom text before the standard notification text in the outgoing email message. There can be up to 20 occurrences of this parameter.
The text should be enclosed in single quotes. If not enclosed in single quotes the operand stops on the first blank.
Range: 1 to 60 characters
Default: 'Null'
Indicates the action to take if the tape specified for encryption cannot be encrypted because of a key management failure.
(Default) Specifies that the job abends.
Specifies that the job continues.
Indicates whether the automatic failover feature is active.
Indicates that the automatic failover feature is active. This BES subsystem will be eligible to assume BES services for a BES subsystem with similar attributes that has failed on the same LPAR or that is not active.
(Default) Indicates that the automatic failover features are not in effect.
Specifies where the digital certificates generated by the Key Manager Option are stored.
(Default) Digital certificates generated by the Key Manager Option are stored in the Security System's database.
Digital certificates generated by the Key Manager Option are stored in the ICSF PKDS.
Important! Specifying PKDS prohibits Key Manager Option from storing a backup copy of the digital certificate in the BES database. This makes automated synchronization impossible. Certificates stored in the PKDS cannot be exported using the TBECKMUT utility.
This specification disables Key Manager Option from generating and managing digital certificates.
Specifies the name of the IBM EKM started task. If NONE is specified, no refresh directives will be issued from this BES to the IBM EKM started task.
Limits: 1 to 8 characters
Default: None
Specifies the search order to use when searching for a B2B digital certificate label name coded in the DFSMS data class description field used for B2B tape processing or when reading a B2B tape. This parameter applies only to B2B tape processing. It is required only if you expect your security system to manage digital certificates that have the same label name but are stored on different key rings.
(Default) Indicates that key rings specified on the ShareRingAlias of your B2BRings parmlib member are searched first for the appropriate digital certificate.
Indicates that key rings specified on the UserRingAlias of your B2BRings parmlib member are searched first for the appropriate digital certificate.
Determines the level of events captured for logging.
Indicates that no events are logged. Do not specify 0 (zero) unless directed to do so by CA Technical Support.
(Default) Indicates that basic events are logged, such as messages and console commands. This option logs basic events but does not provide enough detail to fully debug potential product failures.
Indicates that I/O activity, exceptions, and some service calls are logged. This level provides enough information to debug potential failures.
Indicates that full encryption and decryption activities are logged. Do not specify this level of logging unless directed to do so by Technical Support.
Controls whether CA Tape Encryption uses the external logger to keep a history of log events.
(Default) Indicates that a log stream does not exist so a copy will not be performed. If you specify this option, only a few minutes of log events are maintained in a data space by the BES started task. The Logger will overwrite the previously generated data in the log data space.
Indicates that a log stream exists as defined in the SAMPJCL member BESCLS. As each block in the log data space is filled, a call is made to the System Logger to write the block to the defined log stream. If errors are detected, the System Logger and CA Tape Encryption will issue messages and this attribute will be changed internally to a value of NONE.
Note: CA recommends that you define an external log stream before you deploy CA Tape Encryption in a production environment. The only valid log stream name is one that was created using the IBM IXCMIAPU utility. The BESn Display Log console command can be used to determine the status of the logger.
Specifies the minimum acceptable compression rate, expressed as a percentage of the original file. The percentage rate equals the percentage of bytes removed from the original file by compression.
Indicates the percentage of bytes to remove from the file by compression.
Range: 0 to 99
Default: 50
Note: When the Compression= attribute in the dynamic options is set to a value of "K" indicating that compression information is coded at the key level, the MinimumCompressionRate= attribute in the dynamic options is ignored. Each key with a Compression= attribute specified will be checked for a MinimumCompressionRate= attribute. If a MinimumCompressionRate= attribute is not found, the default value of 50 will be used.
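The precedence between the dynamic-options Compression= and MinimumCompressionRate= attributes and the same attributes on individual symmetric keys, as an added example for auditing a configuration (not CA code). The dict layout, the function names, the sample keys, and the use of None for the default "no compression" value (whose literal is not shown on this page) are assumptions; applying the dynamic-options MinimumCompressionRate= when a global method is set is a reading of the note above.

```python
# Added example, not part of the CA documentation.
GLOBAL_METHODS = {f"S{i}" for i in range(9)} | {f"H{i}" for i in range(1, 6)}
DEFAULT_MIN_RATE = 50  # documented default for MinimumCompressionRate=

# Constructed sample of symmetric key options (hypothetical key names).
SAMPLE_KEYS = {
    "KEYA": {"Compression": "S1", "MinimumCompressionRate": "70"},
    "KEYB": {},
}


def _rate(value):
    """Validate a MinimumCompressionRate= value against the 0 to 99 range."""
    rate = DEFAULT_MIN_RATE if value is None else int(value)
    if not 0 <= rate <= 99:
        raise ValueError(f"MinimumCompressionRate out of range 0-99: {rate}")
    return rate


def effective_compression(dyn, key):
    """Return (method, min_rate) that actually applies to one symmetric key.

    dyn holds the dynamic options, key holds one key's options. A missing
    Compression entry in dyn stands for the default (no compression).
    """
    g = dyn.get("Compression")
    if g is None:
        # Default: nothing is compressed; the key's Compression= is overridden.
        return (None, None)
    if g in GLOBAL_METHODS:
        # A global S*/H* method overrides the key's own Compression=.
        return (g, _rate(dyn.get("MinimumCompressionRate")))
    if g == "K":
        method = key.get("Compression")
        if method is None:
            return (None, None)
        # Global MinimumCompressionRate= is ignored; key value or default 50.
        return (method, _rate(key.get("MinimumCompressionRate")))
    raise ValueError(f"unknown Compression value: {g!r}")


def audit_overrides(dyn, keys):
    """List (key, configured, effective) where the key setting is overridden."""
    findings = []
    for name, key in keys.items():
        method, _ = effective_compression(dyn, key)
        if key.get("Compression") is not None and key["Compression"] != method:
            findings.append((name, key["Compression"], method))
    return findings
```

Running audit_overrides against the options that a refresh is about to load shows which key-level Compression= settings will stop having any effect.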
Specifies the percentage of work to be made eligible for the zIIP processor. Startup member attribute zIIPExploitation= must be set to Y to cause this attribute to take effect. If PercentRunOnzIIP= is nonzero but zIIPExploitation=N is specified, an error message will be issued, but CA Tape Encryption will continue to initialize and run without zIIP processing activated.
Specifies that no work is to be directed to the zIIP processor. It is valid to specify PercentRunOnzIIP=0 and zIIPExploitation=Y at the same time. In this case, CA Tape Encryption will issue warning message BESnI0009W but will go on to build and maintain the internal resources required to use the zIIP processor. However, no work will be made zIIP eligible until a nonzero value is specified and the dynamic options are refreshed using the “BESn REFRESH=OPTIONS” command.
Specifies the percentage of work that is to be made eligible for the zIIP processor.
Range: 1 to 100
Default: N
Specifies the number of minutes before idle buffers are eligible to be freed. The buffer reduction process runs every two minutes. After the specified number of minutes has elapsed, buffers that have been idle for that length of time are freed.
Disables the process of making idle buffers eligible to be freed. Do not specify 0 (zero) unless directed to do so by CA Technical Support.
Indicates the number of minutes after which idle buffers are eligible to be freed.
Range: 1 to 60
Default: 2
Indicates whether to update your tape management system with the BES Key Index, which allows the tracking of key use by tape data set for every tape created using CA Tape Encryption. TMSUpdate is an interface to all tape systems that provide support for CA Tape Encryption. It requires vendors to implement support for the CA Tape Encryption API. CA 1, CA TLMS, and DFSMSrmm include maintenance to support this interface. Consult with your tape management system customer support representative to verify if they have implemented support for CA Tape Encryption.
(Default) Indicates that the tape management system will be supplied with the BES Key Index when an encrypted tape is created.
Indicates that the tape management system will not be supplied with the BES Key Index when an encrypted tape is created.
Copyright © 2011 CA. All rights reserved.