Deploying Your Product

This chapter describes the tasks needed to deploy [set the DSI variable value for your book] in your environment.

Note: Skip this chapter if you use CA MSM to deploy [set the DSI variable value for your book].

This section contains the following topics:

Verify Basic Functionality

Verify Basic Functionality

When CA Tape Encryption is operational the BES primary and mirror databases are secure.

To verify that CA Tape Encryption is operational

1. To start the BES address space, enter the command:

   S BES.stepname
   

   stepname

   Defines the subsystem name.

   Values: BES1 to BES8

   The BES address space starts and dynamically updates the stepname value into the subsystem name table and uses it as its subsystem name.

2. To start CA Tape Encryption, enter the command:

   BESn D S 
   

   n

   Specifies the BES address space. This must be the same number used in step 1.

   The output of the command shows the following:

   • That both CA Tape Encryption and ICSF have been properly installed and activated on your system.
   • That the proper maintenance for CA 1 and CA TLMS has been applied to your system to support CA Tape Encryption.
   • The first time the BES primary database is used, a message is displayed indicating that a new database is being initialized.
3. Enter a cryptographic pass phrase of up to 64 characters.

   The integrity of the BES primary database and the BES mirror database is secured.

Important! Keep a record of the pass phrase stored securely and with restricted access. The pass phrase is required when starting a disaster recovery system or when upgrading to a different central processing unit.

For the CA 1, CA TLMS, and Third Party Tape Management System Options, you can verify the basic functionality of CA Tape Encryption by running job BESIVP in the CTAPJCL data set. The BESIVP job runs IEBGENER in the following three steps to verify encryption and decryption processing:

• Step GENER1 executes program IEBGENER to read a member of the parmlib data set and write it to tape in encrypted format.
• Step GENER2 adds another parmlib member to the tape file created in step GENER1, using MOD processing. The additional data is encrypted using the same encryption algorithm.
• Step LIST reads the tape file created in the first two steps and automatically decrypts it, resulting in a printout of the two PARMLIB members in clear text.

All steps must run with a condition code of 00. If CA Tape Encryption is properly installed, message BESnT0001I is issued for each step. If this message is not issued, encryption activity is not being performed, and further analysis is necessary.

The CA Vtape and CA Disk Options can be tested by setting their encryption parameters and performing backstore or a backup/archival to tape.

Refer to the comments in the BESIVP job for details on the customization required. As part of the installation procedure you set up the Symmetric Keys to be used at your site or accepted the default keys shipped with CA Tape Encryption. Prior to running BESIVP, set up a data class that references one of the Symmetric Keys defined in parmlib. The data class you set up must be specified in the first step of BESIVP.

Note: For information about creating the DFSMS data classes to control encryption processing, see the Administration Guide.

Check the ACS routines on the target system to insure that they permit the data class to be assigned by the JCL and do not override it with another data class. If you do not see the BESnT0001I message, check the job log to see that the expected data class was assigned.