B2B Key Ring Options

Use the B2B key ring options in the B2BKeyrings attributes section to specify the alias names for key rings defined to your security system for encryption purposes.

The B2B key rings named in this section are used in the RingAlias section to specify detailed attributes for the associated key rings.

Note: For information about the attributes for each key ring, see RingAlias Options.

Each time a tape data set is created using either a DFSMS data class for CA Tape Encryption with a description containing BES keywords that request a digital certificate (if you use DFSMS), or security protection profiles in your security system, the key rings specified in the B2BRINGS member are searched for the first occurrence of the digital certificate label name.

The only user IDs that your security system queries are the BES started task user ID and the user ID associated with the user requesting encryption. The search order is defined by the KeyRingSearchOrder attribute in the dynamic options.

When the digital certificate is found, the RSA public key stored in the digital certificate is extracted. (RSA stands for Rivest, Shamir, and Adleman, the inventors of this algorithm.) A unique symmetric key is generated to encrypt the tape data. The public key is used to encrypt the symmetric key, which is then stored on the tape in the tape labels. Only the specific tape data set is encrypted with this RSA key. The key is temporarily stored in the BES primary database and BES mirror database, based on the value of the B2BRSAKeepHours attribute for the key ring that holds the digital certificate.

ShareRingAlias='definedkeysection'

Assigns a set of attributes defined by a customizable section name to a key ring. The assigned value must be a section name defined in the same parmlib member. You can have as many ShareRingAlias names as necessary. The key ring referenced by the ShareRingAlias must be owned by the BES address space that will perform B2B encryption.

definedkeysection

Specifies a customizable section name to use for assigning attributes to a key ring. Use the underscore character instead of a space, and enclose the operand in single quotes.

Limits: 32 alphanumeric characters

Default: None

UserRingAlias='definedkeysection'

Assigns a set of attributes defined by a customizable section name to the key ring that is owned by the user. The assigned value must be a section name defined in the same parmlib member.

definedkeysection

Specifies a customizable section name to use for assigning attributes to the key ring that is owned by the user. Use the underscore character instead of a space, and enclose the operand in single quotes.

Limits: 32 alphanumeric characters

Default: None

Note: You can specify only one UserRingAlias.

Example: B2BKeyrings section

This example shows the B2BKeyrings section with three key ring sections specified, and the associated RingAlias sections.

<B2BKeyrings>
ShareRingAlias = 'Business_Partner_1'
ShareRingAlias = 'Business_Partner_2'
UserRingAlias = 'BES_Owned_Keyring'
<Business_Partner_1>
.
.
.
<Business_Partner_2>
.
.
.
<BES_Owned_Keyring>
.
.
.
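
The rules stated above for the B2BKeyrings section can be checked before a member is activated. The following is an added example, not code from the product or its documentation: a small Python linter that verifies each alias operand is enclosed in single quotes, stays within the 32-character limit, names a section defined in the same member, and that only one UserRingAlias is present. The function name, the sample member text, the exact-case comparison of names, and the treatment of the underscore as an allowed character are assumptions.

```python
import re

# Constructed sample member, modelled on the page's B2BKeyrings example.
SAMPLE_MEMBER = """\
<B2BKeyrings>
ShareRingAlias = 'Business_Partner_1'
ShareRingAlias = 'Business_Partner_2'
UserRingAlias = 'BES_Owned_Keyring'
<Business_Partner_1>
<Business_Partner_2>
<BES_Owned_Keyring>
"""

SECTION = re.compile(r"^<([^<>]+)>$")
ALIAS = re.compile(r"^(ShareRingAlias|UserRingAlias)\s*=\s*(.*)$")
# Assumption: the 32-character limit covers letters, digits and underscore.
NAME = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def lint_b2b_keyrings(member_text):
    """Return a list of findings for the B2BKeyrings section (hypothetical helper)."""
    findings, sections, aliases, current = [], set(), [], None
    for lineno, raw in enumerate(member_text.splitlines(), 1):
        line = raw.strip()
        m = SECTION.match(line)
        if m:                                  # a <SectionName> header
            current = m.group(1)
            sections.add(current)
            continue
        m = ALIAS.match(line)
        if not m or current != "B2BKeyrings":  # only aliases inside B2BKeyrings
            continue
        keyword, value = m.group(1), m.group(2).strip()
        if not (len(value) >= 2 and value[0] == value[-1] == "'"):
            findings.append(f"line {lineno}: {keyword} operand must be in single quotes")
            continue
        name = value[1:-1]
        if not NAME.match(name):
            findings.append(f"line {lineno}: '{name}' must be 1-32 alphanumeric/underscore characters")
        aliases.append((lineno, keyword, name))
    # Every alias must name a section defined in the same member (exact match assumed).
    for lineno, keyword, name in aliases:
        if name not in sections:
            findings.append(f"line {lineno}: section <{name}> is not defined in this member")
    # Only one UserRingAlias may be specified.
    user = [a for a in aliases if a[1] == "UserRingAlias"]
    for lineno, _, name in user[1:]:
        findings.append(f"line {lineno}: only one UserRingAlias is allowed ('{name}')")
    return findings
```

An empty list means the section passed every check; each finding carries the line number of the offending alias.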