Key Section Options

Use the key section options to specify detailed information about each key that CA Tape Encryption uses to encrypt tapes. Each key section must follow the SymmetricKeys section.

The name of a key section is the value specified for that key in the SymmetricKeys section.

The following key_section attributes are available:

Algorithm=[DES64|3DES128|3DES192|AES128|AES192|AES256|CLEAR]

Specifies the encryption algorithm used with this key (Data Encryption Standard (DES), Triple DES (TDES), or Advanced Encryption Standard (AES)) and the length of the encryption key.

Notes:

DES64

(Default) Specifies the DES algorithm using a 64-bit key (56 effective key bits; the other 8 are parity bits). This algorithm is implemented by hardware. DES64 is not FIPS-compliant: single DES is within reach of exhaustive key search and should not be relied on to protect tape data. Because DES64 is the default, code Algorithm= explicitly for every production key.

3DES128

Specifies the Triple DES algorithm using a 128-bit (two-key) key. FIPS-compliant. This algorithm is implemented by hardware.

3DES192

Specifies the Triple DES algorithm using a 192-bit (three-key) key. FIPS-compliant. This algorithm is implemented by hardware.

AES128

Specifies the AES algorithm using a 128-bit key. FIPS-compliant. This algorithm is implemented by software on any hardware prior to the z9 and by hardware on the z9.

AES192

Specifies the AES algorithm using a 192-bit key. This algorithm is implemented by software only.

AES256

Specifies the AES algorithm using a 256-bit key. FIPS-compliant. This algorithm is implemented by software only.

CLEAR

Specifies that no encryption is performed; tapes written with this key are in the clear. Use it for testing only. When CLEAR is specified, only one key entry is created, so the NumberOfGenerations= attribute is set to 1.

Limits: The DES and 3DES algorithms are performed by specific cryptographic hardware available on the z890, z990, and z9 processors only when the no-fee CPACF feature is enabled on the processor. Contact IBM to enable CPACF if it is needed.

On the z800 and z900 processors, equivalent functionality is included in CCF, which must be installed for ICSF to initialize. For that reason, DES and 3DES algorithms are always performed by hardware on a z800 or z900 processor.

The AES128 algorithm is performed by hardware only on the z9 processor.

Note: For information about which cryptographic hardware supports the available encryption algorithms, see Cryptographic Hardware and Algorithms Supported.

CAKMManaged=[Y|N]

Specify Y to enable digital certificate generation and management by the Key Manager Option for this symmetric key.

Note: If CAKMManaged=Y is specified, NumberOfGenerations must be omitted.

Default: N

Compression=[Y|N|Sn|Hn]

Specifies whether, and how, a file is compressed before it is encrypted with this key definition. Compression must precede encryption: ciphertext has no exploitable redundancy, so compressing after encryption (for example, in the tape drive) gains nothing. Values beginning with S are software compression methods. Values beginning with H are hardware-assisted compression methods.

Y

Specifies that the S0 compression method is applied.

N

(Default) Specifies that no compression is applied.

S0

Specifies a standard Run Length Encoding (RLE) algorithm primarily used for files that contain redundant alphanumeric data such as blanks, zeros, and asterisks. This is a high-speed software method equivalent to the CA-Compress method SUPEREXP.

S1

Specifies a standard Huffman algorithm primarily used for files that contain alphanumeric uppercase data.

S2

Specifies a standard Huffman algorithm primarily used for files that contain alphanumeric uppercase and lowercase data.

S3

Specifies a standard Huffman algorithm primarily used for files that contain packed decimal data.

S4

Specifies a standard Huffman algorithm primarily used for files that contain alphanumeric, 45 percent packed decimal data.

S5

Specifies a standard Huffman algorithm primarily used for files that contain uppercase and lowercase, 35 percent packed decimal data.

S6

Specifies a standard Huffman algorithm primarily used for files that contain alphanumeric, 20 percent packed decimal, binary data.

S7

Specifies an adaptive Ziv-Lempel algorithm commonly referred to as LZ78. This method is effective in compressing data that is considered fairly "uncompressible" by other methods. Consider using the S8 method instead of S7 if the data is even somewhat compressible by the S0 method.

S8

Specifies an adaptive Ziv-Lempel algorithm commonly referred to as LZ78, but the data is first compressed using the S0 method (RLE) to reduce the amount of data that must be processed by LZ78. For most data, S8 will use less CPU time than S7.

H1

Specifies hardware compression algorithm number one.

H2

Specifies hardware compression algorithm number two.

H3

Specifies hardware compression algorithm number three.

H4

Specifies hardware compression algorithm number four.

H5

Specifies hardware compression algorithm number five.

Note: All hardware compression algorithms are based on the IBM Hardware Compression facility and use a Ziv-Lempel algorithm. Unlike the S methods, they are not tuned to a specific data profile, and their results are not consistent across data that conforms to one. To determine which compression algorithm works best with your data, use the TBECMPCA utility.

Default: N

Note: The Compression= attribute specified in the dynamic options is applied globally and overrides any Compression= attribute in the symmetric key options.

EMEmailAddr='[NULL|email_address]'

Specifies an email address to which an SMTP note is sent whenever the current instance of a key is replaced with a previously generated key instance.

Enclose the operand in single quotes. If it is not enclosed in single quotes, the operand stops at the first blank encountered.

Specify up to ten email addresses per key definition by entering the EMEmailAddr= attribute up to ten times.

This example shows two email recipients:

EMEmailAddr='tapetech@your.com'
EMEmailAddr='johnsmith@your.com'

Valid values: a valid email address of 1 to 50 characters

Default: Null

EMLibURL='[NULL|url]'

Specifies the URL of the automated tape library.

Enclose the operand in single quotes. If it is not enclosed in single quotes, the operand stops at the first blank encountered.

The operand is placed into the text of the email.

Specify up to ten URL addresses per key definition by entering the EMLibURL= attribute up to ten times.

When an EMLibURL= attribute is specified, at least one EMEmailAddr= attribute must also be specified.

This example shows two URL addresses:

EMLibURL='LIBRARY1.CA.COM:1000 Lib1 comments'
EMLibURL='LIBRARY2.CA.COM:1000 Lib2 comments'

Valid values: a valid URL of the automated tape library, 1 to 50 characters

Default: Null

Deactivate=[Y|N]

Indicates whether a key is actively used for encryption or is deactivated.

Y

Specifies that all generations of this key are marked as deactivated. Keys that were generated for future use are deleted and no new keys are generated. No further data can be encrypted with this key, but the existing key instances are retained for reading tapes that were encrypted with it.

N

(Default) Specifies that the key is active: the currently active instance of the key is available for encrypting and decrypting tapes that use this key, and future generations are made available as needed. For information about deactivating and retiring keys, see the Administration Guide.

MinimumCompressionRate=nn

Specifies the minimum acceptable compression rate, expressed as the percentage of bytes that compression removes from the original file.

nn

Indicates the percentage of bytes that compression must remove from the file.

Range: 0 to 99

Default: 50

Note: The MinimumCompressionRate= attribute specified in the symmetric key options for a specific key overrides that setting in the dynamic options.
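The interaction between the Compression= method and MinimumCompressionRate=, as an added example that is not part of the product documentation or of CA's code: a minimal run-length encoder stands in for the S0 method (the real CA-Compress SUPEREXP format is not reproduced), the compression rate is computed as the attribute defines it, and the output is kept compressed only when the rate meets the threshold. The second input, a SHA-256 hash chain, is a constructed stand-in for ciphertext and shows why compression has to run before encryption. Function names, the sample record and the threshold handling are assumptions made for the example.

```python
"""Compression rate and the compress-then-encrypt ordering. Added example; names assumed."""
import hashlib


def rle_compress(data: bytes) -> bytes:
    """Minimal run-length encoding: each run becomes a (count, byte) pair, count <= 255.
    Stand-in for the page's S0 method; the real SUPEREXP format is not reproduced."""
    out = bytearray()
    i = 0
    while i < len(data):
        run = 1
        while i + run < len(data) and data[i + run] == data[i] and run < 255:
            run += 1
        out += bytes((run, data[i]))
        i += run
    return bytes(out)


def rle_decompress(blob: bytes) -> bytes:
    """Inverse of rle_compress."""
    out = bytearray()
    for count, value in zip(blob[::2], blob[1::2]):
        out += bytes((value,)) * count
    return bytes(out)


def compression_rate(original: bytes, compressed: bytes) -> int:
    """Percent of bytes removed, as MinimumCompressionRate= defines it; negative on expansion."""
    if not original:
        return 0
    return (len(original) - len(compressed)) * 100 // len(original)


def choose_output(data: bytes, minimum_rate: int = 50):
    """Keep the compressed form only when the rate meets the threshold (default 50, as on the page).
    Returns (kind, rate, payload); the payload is what would then be handed to encryption."""
    blob = rle_compress(data)
    rate = compression_rate(data, blob)
    if rate >= minimum_rate:
        return "compressed", rate, blob
    return "raw", rate, data


# Constructed sample: fixed-width records padded with blanks, zeros and asterisks,
# the redundant data the S0 method is meant for.
RECORD = (b"ACCT0001" + b" " * 40 + b"0" * 24 + b"*" * 8) * 50


def pseudo_ciphertext(n: int) -> bytes:
    """Deterministic stand-in for encrypted output: a SHA-256 hash chain has no runs to exploit."""
    out, block = bytearray(), b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


if __name__ == "__main__":
    for label, data in (("plaintext", RECORD), ("ciphertext", pseudo_ciphertext(len(RECORD)))):
        kind, rate, _ = choose_output(data)
        print(f"{label}: rate {rate}% -> {kind}")
```

Run as a script, the padded records compress to 80 percent and are kept compressed, while the ciphertext stand-in expands (a negative rate) and is passed through raw. Any compression stage placed after encryption, whether an H method or the drive's own, would see the same expansion, which is why the attribute applies to the file before it is encrypted.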

NumberOfGenerations=nnn

Indicates the number of pre-generated operational keys allowed for this key. Keys are generated ahead of time to facilitate disaster recovery scenarios where the most current copy of the ICSF CKDS database or BES database may not be available at the disaster recovery site.

nnn

Specifies the number of pre-generated operational keys for this key.

Range: 6 to 999

Default: 6

Regenerate=[Weekly|Monthly|Yearly|Manual]

Specifies the frequency for regenerating the symmetric key. When regeneration occurs, the previous value of the key is retained for decrypting tapes.

Weekly

Specifies that a new symmetric key is generated every Monday at 6:00 a.m. local time.

Monthly

(Default) Specifies that a new symmetric key is generated on the first Monday of every month at 6:00 a.m. local time.

Yearly

Specifies that a new symmetric key is generated on the first Monday of the year at 6:00 a.m. local time.

Manual

Specifies that a new symmetric key is generated only when the REGENERATE command is issued.

Note: CA Tape Encryption checks for the need to generate new versions of keys and performs its key generation logic every Monday at 6:00 a.m. local time. If the BES address space is not active when a key is scheduled for regeneration, the key will be regenerated the next time the address space is active.

SecureKeysOnly=[Y|N]

Determines whether secure keys are enforced for this key by routing its encryption and decryption through an optional FIPS 140-2 certified IBM PCI cryptographic coprocessor card on a z890, z990, or z9 platform. The SecureKeysOnly attribute in the key section is in effect only if SecureKeysOnly=K is set in the Dynamic Options section.

N

(Default) Specifies that secure keys are not enforced for this key name. This improves performance: all encryption and decryption for this key is routed through CPACF on z890, z990, and z9 processors, which operates on clear keys.

Y

Specifies that secure keys are enforced for this key name. All encryption and decryption activities for this key are processed on a FIPS 140-2 certified PCI cryptographic coprocessor, so the clear value of the key is used only inside the coprocessor. New keys created for this key name are stored in the ICSF CKDS.

IBM PCI cryptographic coprocessor cards may slow I/O processing past the Missing Interrupt Handler (MIH) threshold for the device, at which point the MIH may begin taking corrective actions on the assumption that the device is no longer responding.

Before you enable SecureKeysOnly, verify that the MIH value for your virtual and physical tape drives is set to at least two minutes by issuing the DISPLAY IOS,MIH console command. CA Vtape customers should also set the parmlib attribute MIHTimeoutValue to at least 120 seconds.

Limits: As of HCR7731, ICSF supports the AES algorithm with clear keys only. Therefore, CA Tape Encryption does not support SecureKeysOnly=Y for an AES key definition. The SecureKeysOnly attribute is ignored for keys defined with the CLEAR algorithm.

Note: These optional IBM PCI cryptographic coprocessors are not designed to handle large amounts of data and can greatly increase the run times of tape jobs that encrypt or decrypt. For this reason, CA does not recommend forcing all encryption and decryption activities through these external PCI cryptographic coprocessors.
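A checker for the cross-attribute rules described above, as an added example that is not the product's own parser: it reads a key section written as Attribute=value lines (the constructed samples use only the attribute syntax shown on this page; the line that names the section is omitted because its exact form is documented elsewhere), applies the quoting rule stated for EMEmailAddr= and EMLibURL=, and reports the documented conflicts: NumberOfGenerations coded with CAKMManaged=Y, values outside their ranges, EMLibURL= without EMEmailAddr=, SecureKeysOnly=Y on an AES key, and the non-FIPS DES64 default. The function names, the email pattern and the two sample sections are assumptions.

```python
"""Check a CA Tape Encryption key section against the documented attribute rules.
Added example with assumed names; not the product's own parser."""
import re

ALGORITHMS = {"DES64", "3DES128", "3DES192", "AES128", "AES192", "AES256", "CLEAR"}
COMPRESSION = {"Y", "N"} | {f"S{i}" for i in range(9)} | {f"H{i}" for i in range(1, 6)}
REGENERATE = {"WEEKLY", "MONTHLY", "YEARLY", "MANUAL"}
YES_NO = ("CAKMMANAGED", "DEACTIVATE", "SECUREKEYSONLY")
MULTI = ("EMEMAILADDR", "EMLIBURL")  # may be coded up to ten times each


def parse_operand(raw: str) -> str:
    """Quoting rule from the page: a quoted operand runs to the closing quote,
    an unquoted one stops at the first blank."""
    raw = raw.strip()
    if raw.startswith("'"):
        end = raw.find("'", 1)
        if end < 0:
            raise ValueError("unterminated quoted operand: " + raw)
        return raw[1:end]
    return raw.split()[0] if raw else ""


def parse_key_section(text: str) -> dict:
    """Attribute=value lines -> dict keyed by upper-cased name; MULTI attributes collect lists."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, sep, raw = line.partition("=")
        if not sep:
            raise ValueError("expected Attribute=value: " + line)
        name = name.strip().upper()
        if name in MULTI:
            attrs.setdefault(name, []).append(parse_operand(raw))
        else:
            attrs[name] = parse_operand(raw).upper()
    return attrs


def validate_key_section(attrs: dict):
    """Return (errors, warnings) for the rules stated in the attribute descriptions."""
    errors, warnings = [], []
    alg = attrs.get("ALGORITHM", "DES64")  # DES64 is the documented default
    if alg not in ALGORITHMS:
        errors.append(f"Algorithm={alg} is not a valid value")
    elif alg == "DES64":
        warnings.append("Algorithm=DES64 (the default) is not FIPS-compliant")
    elif alg == "CLEAR":
        warnings.append("Algorithm=CLEAR performs no encryption; testing only")
    for name in YES_NO:
        if attrs.get(name, "N") not in ("Y", "N"):
            errors.append(f"{name} must be Y or N")
    if attrs.get("COMPRESSION", "N") not in COMPRESSION:
        errors.append("Compression must be Y, N, S0-S8 or H1-H5")
    if attrs.get("REGENERATE", "MONTHLY") not in REGENERATE:
        errors.append("Regenerate must be Weekly, Monthly, Yearly or Manual")
    gens = attrs.get("NUMBEROFGENERATIONS")
    if attrs.get("CAKMMANAGED") == "Y" and gens is not None:
        errors.append("NumberOfGenerations must be omitted when CAKMManaged=Y")
    if gens is not None and alg == "CLEAR" and gens != "1":
        warnings.append("NumberOfGenerations is forced to 1 for a CLEAR key")
    elif gens is not None and not (gens.isdigit() and 6 <= int(gens) <= 999):
        errors.append("NumberOfGenerations must be 6 to 999")
    rate = attrs.get("MINIMUMCOMPRESSIONRATE")
    if rate is not None and not (rate.isdigit() and 0 <= int(rate) <= 99):
        errors.append("MinimumCompressionRate must be 0 to 99")
    emails, urls = attrs.get("EMEMAILADDR", []), attrs.get("EMLIBURL", [])
    for name, values in (("EMEmailAddr", emails), ("EMLibURL", urls)):
        if len(values) > 10:
            errors.append(f"{name} may be specified at most ten times")
        errors += [f"{name}='{v}' must be 1 to 50 characters" for v in values if not 1 <= len(v) <= 50]
    # Assumed address shape; the page only says "valid email address".
    errors += [f"EMEmailAddr='{e}' is not a valid email address"
               for e in emails if not re.fullmatch(r"[^@\s']+@[^@\s']+\.[^@\s']+", e)]
    if urls and not emails:
        errors.append("EMLibURL= requires at least one EMEmailAddr=")
    sko = attrs.get("SECUREKEYSONLY", "N")
    if sko == "Y" and alg.startswith("AES"):
        errors.append("SecureKeysOnly=Y is not supported for AES keys (ICSF AES is clear-key only)")
    elif sko == "Y" and alg == "CLEAR":
        warnings.append("SecureKeysOnly is ignored for a CLEAR key")
    return errors, warnings


# Constructed samples (not from the documentation): one clean, one with four conflicts.
GOOD_SECTION = """\
Algorithm=AES256
Compression=S8
EMEmailAddr='tapetech@your.com'
EMEmailAddr='johnsmith@your.com'
EMLibURL='LIBRARY1.CA.COM:1000 Lib1 comments'
MinimumCompressionRate=40
NumberOfGenerations=12
Regenerate=Monthly
SecureKeysOnly=N
"""
BAD_SECTION = """\
Algorithm=AES128
CAKMManaged=Y
NumberOfGenerations=5
EMLibURL='LIBRARY1.CA.COM:1000 Lib1 comments'
SecureKeysOnly=Y
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_SECTION), ("bad", BAD_SECTION)):
        print(label, validate_key_section(parse_key_section(text)))
```

Run as a script, the first section passes cleanly and the second reports four errors. A section that codes nothing at all also passes, but with the DES64 warning, which is the case worth catching in review: the default algorithm is the one the page marks as not FIPS-compliant.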