When using ICSF, consider the following points:
If you choose to store your encryption keys in the CKDS, ICSF must be running in Special Secure Mode (SSM) to allow the extraction of clear keys from the ICSF CKDS. You must set the following option in the ICSF parameter library:
SSM = YES
Note: When running with SecureKeysOnly=Y in the StartupOptions section, disable Special Secure Mode by specifying SSM=NO to ensure that keys are always handled in a secure fashion. With SSM=NO, CA Tape Encryption never gains access to the clear key values that are stored in the CKDS.
When running SSM=NO, CA Tape Encryption cannot support the migration of keys to and from the CKDS and the BES database for disaster recovery. Therefore, in addition to following the guidelines for disaster recovery of the BES database, you must also follow the IBM guidelines for disaster recovery of the CKDS. When running with SSM=NO, any attempt to use hardware or software facilities that require clear keys, such as CPACF, with keys stored in the CKDS will fail.
CA recommends that you run SSM=YES when running with SecureKeysOnly=K in the StartupOptions section, where individual keys have been defined as SecureKeysOnly=Y key entries. When some keys are secured and others are not, CA Tape Encryption provides only partial support for secure keys.
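The SSM guidance above can be checked mechanically before a configuration change. The following is an added example, not CA or IBM code: the function names are hypothetical, the sample input is constructed from the two option lines quoted on this page, and the SecureKeysOnly value is passed in by the caller because the layout of the CA Tape Encryption parameter file is not shown here.

```python
import re

# Accepts both option spellings shown on this page: "SSM = YES" and "CHECKAUTH(NO)".
_OPTION = re.compile(r"^\s*([A-Za-z]+)\s*(?:=\s*(\w+)|\(\s*(\w+)\s*\))\s*$")

# Constructed sample: the two option lines quoted on this page.
ICSF_SAMPLE = "SSM = YES\nCHECKAUTH(NO)\n"


def parse_options(text):
    """Return {KEYWORD: VALUE}; lines that are not a single option are ignored."""
    options = {}
    for line in text.splitlines():
        match = _OPTION.match(line)
        if match:
            options[match.group(1).upper()] = (match.group(2) or match.group(3)).upper()
    return options


def check_ssm(icsf_text, secure_keys_only):
    """Compare SSM with SecureKeysOnly ("Y", "K", or None).

    Hypothetical helper. None is an assumption meaning: SecureKeysOnly is not
    in effect and the encryption keys are stored in the CKDS.
    """
    ssm = parse_options(icsf_text).get("SSM")
    findings = []
    if ssm is None:
        return ["SSM not found in the options text; cannot confirm the mode"]
    if secure_keys_only == "Y" and ssm == "YES":
        findings.append("SecureKeysOnly=Y with SSM=YES: specify SSM=NO so that "
                        "clear key values cannot be extracted from the CKDS")
    if secure_keys_only == "K" and ssm == "NO":
        findings.append("SecureKeysOnly=K with SSM=NO: SSM=YES is recommended "
                        "when only individual keys are defined as secure")
    if secure_keys_only is None and ssm == "NO":
        findings.append("keys stored in the CKDS need SSM=YES for clear key extraction")
    if ssm == "NO":
        findings.append("SSM=NO: no key migration between the CKDS and the BES "
                        "database; follow the IBM CKDS disaster recovery guidelines")
    return findings


if __name__ == "__main__":
    for mode in ("Y", "K", None):
        print(mode, check_ssm(ICSF_SAMPLE, mode))
```

An empty list means the SSM value matches the guidance for that SecureKeysOnly mode; under SSM=NO the disaster recovery reminder is always reported.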
CHECKAUTH(NO)
This setting indicates that ICSF will not perform a security check for the following:
Note: The CHECKAUTH parameter does not apply to unauthorized programs.
The ICSF documentation indicates that this setting results in a significant performance improvement for authorized callers.
Copyright © 2011 CA. All rights reserved.