Use the COMPROMISE command to indicate that a symmetric key or code book has been compromised and must no longer be used to encrypt data. The command marks the active instance of the specified key or code book in the database as compromised and deactivates it. For symmetric keys, the next pre-generated version is promoted to active status and a new version is generated, so the number of key generations stays at the level set by the NumberOfGenerations attribute. For code books, the book is rebuilt immediately. The compromised key or code book is retained, for decryption only, so that data already encrypted with it can still be read.
This command has the following format:
BESn COMPROMISE=keyname[,ALL]|codebook
n
Indicates the BES task number.
keyname
Specifies the keyname of the active instance of the compromised key. Without the ,ALL option, only the currently active version of the key is flagged as compromised.
Note: Application keys managed by the Option for Application Management for external applications have the fixed key names APIDESKEY and APIAESKEY.
codebook
Specifies the name of the active code book that is considered to be compromised. The ,ALL option is ignored when a code book name is specified.
,ALL
(Optional) Flags as compromised every version of the key indicated by the keyname value. Any pre-generated versions that were reserved for future use are deleted, and a new set of keys is generated to replace them, including a new current key.
Note: Because this command changes the key material on record, back up the mirror database immediately afterwards and send a copy to your disaster recovery site so that all of your keys are available in the event of a disaster.
Limits: If you are using your security system to control access to CA Tape Encryption commands, all forms of this command can be controlled by a command protection profile.
Example: COMPROMISE=keyname command
This example flags as compromised the currently active symmetric key named HRKEY in the BES2 task. The next pre-generated version of HRKEY is promoted to active and is used for future encryption requests that specify this keyname, and a new version is generated to keep the number of generations at the NumberOfGenerations level. The compromised version is retained for decrypting data that was encrypted with it.
BES2 COMPROMISE=HRKEY
Example: COMPROMISE=keyname,ALL command
This example flags as compromised all versions of the symmetric key named HRKEY in the BES2 task and deletes the unused pre-generated versions. If the number of keys specified in the NumberOfGenerations attribute is n, then n + 1 new instances of the key are generated automatically: a new active key plus n pre-generated keys.
BES2 COMPROMISE=HRKEY,ALL
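The two HRKEY examples above differ in how many versions are flagged and how many are regenerated. The following Python model, added here as an illustration and not CA Tape Encryption code, walks through both commands with an assumed NumberOfGenerations of 2. The KeyRing class, the state names, the toy SHA-256 keystream cipher, the key material and the sample plaintext are all assumptions; what it shows is the documented bookkeeping: the active key is flagged, the next pre-generated key is promoted, the generation count is maintained, ,ALL deletes pre-generated keys and creates n + 1 fresh ones, and compromised keys remain usable for decryption but never for encryption.

```python
"""Model of the key-generation bookkeeping behind COMPROMISE.

Added example, not CA Tape Encryption code. The key ring, state names,
toy keystream cipher and random key material are assumptions made to
show the transitions the command documentation describes.
"""
import hashlib
import os
from dataclasses import dataclass


@dataclass
class KeyInstance:
    version: int
    material: bytes
    state: str  # "active", "pregenerated" or "compromised" (assumed names)


def _keystream(material: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode); stands in for the real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(material + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


class KeyRing:
    """All versions of one keyname: one active key plus NumberOfGenerations
    pre-generated keys kept ahead of it."""

    def __init__(self, keyname: str, number_of_generations: int):
        self.keyname = keyname
        self.number_of_generations = number_of_generations
        self.versions: list[KeyInstance] = []
        self._next_version = 1
        self._generate("active")
        for _ in range(number_of_generations):
            self._generate("pregenerated")

    def _generate(self, state: str) -> KeyInstance:
        inst = KeyInstance(self._next_version, os.urandom(32), state)
        self._next_version += 1
        self.versions.append(inst)
        return inst

    def active(self) -> KeyInstance:
        return next(v for v in self.versions if v.state == "active")

    def pregenerated(self) -> list[KeyInstance]:
        return [v for v in self.versions if v.state == "pregenerated"]

    def compromised_versions(self) -> list[int]:
        return [v.version for v in self.versions if v.state == "compromised"]

    def compromise(self, all_versions: bool = False) -> None:
        """COMPROMISE=keyname (all_versions=False) or COMPROMISE=keyname,ALL."""
        if not all_versions:
            # Only the active instance is flagged; the next pre-generated key
            # is promoted and one new key keeps NumberOfGenerations constant.
            self.active().state = "compromised"
            self.pregenerated()[0].state = "active"
            self._generate("pregenerated")
            return
        # ,ALL: the active key joins the compromised set, unused pre-generated
        # keys are deleted, and n + 1 fresh keys (1 active + n pregen) replace them.
        self.active().state = "compromised"
        self.versions = [v for v in self.versions if v.state != "pregenerated"]
        self._generate("active")
        for _ in range(self.number_of_generations):
            self._generate("pregenerated")

    def encrypt(self, plaintext: bytes) -> tuple[int, bytes]:
        """Encryption always uses the active key and records its version."""
        key = self.active()
        ks = _keystream(key.material, len(plaintext))
        return key.version, bytes(a ^ b for a, b in zip(plaintext, ks))

    def decrypt(self, version: int, ciphertext: bytes) -> bytes:
        """Decryption may use a compromised key, but never a pre-generated one
        (it has encrypted nothing) and never a version that has been deleted."""
        key = next((v for v in self.versions if v.version == version), None)
        if key is None or key.state == "pregenerated":
            raise KeyError(f"{self.keyname} version {version} not usable for decrypt")
        ks = _keystream(key.material, len(ciphertext))
        return bytes(a ^ b for a, b in zip(ciphertext, ks))


def demo() -> dict:
    """Run BES2 COMPROMISE=HRKEY, then BES2 COMPROMISE=HRKEY,ALL, with an
    assumed NumberOfGenerations of 2, and report the ring state after each."""
    ring = KeyRing("HRKEY", 2)
    ver, ct = ring.encrypt(b"payroll tape 0001")  # constructed sample data
    ring.compromise()  # BES2 COMPROMISE=HRKEY
    after_single = {
        "active": ring.active().version,
        "compromised": ring.compromised_versions(),
        "pregenerated": len(ring.pregenerated()),
        "old_data_readable": ring.decrypt(ver, ct) == b"payroll tape 0001",
        "new_data_uses_new_key": ring.encrypt(b"x")[0] != ver,
    }
    ring.compromise(all_versions=True)  # BES2 COMPROMISE=HRKEY,ALL
    after_all = {
        "active": ring.active().version,
        "compromised": ring.compromised_versions(),
        "pregenerated": len(ring.pregenerated()),
        "total_versions": len(ring.versions),
        "old_data_readable": ring.decrypt(ver, ct) == b"payroll tape 0001",
    }
    return {"after_single": after_single, "after_all": after_all}
```

Calling demo() shows version 1 flagged and version 2 promoted after the first command, then versions 1 and 2 both flagged, the pre-generated versions 3 and 4 gone, and versions 5 to 7 created after the ,ALL form; the tape encrypted under version 1 decrypts in both states, which is the reason the compromised key is retained rather than destroyed.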
Example: COMPROMISE=codebook command
This example flags as compromised the code book named Business_Partner_3 in the BES2 task. The book is rebuilt immediately, and the compromised book is retained for decrypting data that was encrypted with it.
BES2 COMPROMISE=Business_Partner_3
Copyright © 2011 CA. All rights reserved.