Before commencing this step, determine if the BES database will be encrypted with a single pass phrase or dual pass phrases.
A request for the pass phrase is issued whenever CA Tape Encryption is started on a CPU other than the one on which the first install was performed. For example, the request is issued if you start CA Tape Encryption at a disaster recovery site with a copy of the home site database, or after upgrading your CPU. If the correct pass phrase is not entered, CA Tape Encryption does not start and you cannot read or write any encrypted tapes.
Some experts consider a single pass phrase a security exposure, because anyone who knows the pass phrase can gain access to your encryption information or change the current pass phrase. CA Tape Encryption allows the use of two pass phrases entered by separate individuals. These pass phrases are combined, hashed, and saved in the database for future reference, in the same way as the single pass phrase.
With dual pass phrases and proper physical security, no individual is able to gain access to your encryption information or change the current pass phrase.
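The dual pass phrase control described above, sketched as an added example that is not CA Tape Encryption code: two phrases entered by separate individuals are combined and hashed, and only the result is stored. The length-prefixed combining rule, PBKDF2-SHA256, the salt, and the sample phrases are assumptions, because this page does not document the product's actual method.

```python
import hashlib
import hmac
import os

# Assumed parameters: the product's real combining rule and hash are not documented here.
PBKDF2_ITERATIONS = 200_000


def combine(phrase1: str, phrase2: str) -> bytes:
    """Join two phrases unambiguously by length-prefixing each part."""
    parts = [p.encode("utf-8") for p in (phrase1, phrase2)]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def enroll(phrase1: str, phrase2: str) -> dict:
    """Return the record to store: salt and verifier, never the phrases."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", combine(phrase1, phrase2), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "verifier": verifier}


def verify(record: dict, phrase1: str, phrase2: str) -> bool:
    """Recompute the hash from both entries and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", combine(phrase1, phrase2), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["verifier"])


def demo() -> dict:
    # Constructed sample phrases for two custodians
    storage_admin = "correct horse battery"
    security_admin = "staple orbit lantern"
    record = enroll(storage_admin, security_admin)
    return {
        "both_correct": verify(record, storage_admin, security_admin),
        "first_only": verify(record, storage_admin, ""),
        "second_wrong": verify(record, storage_admin, "staple orbit lanterm"),
        "swapped": verify(record, security_admin, storage_admin),
        # Same concatenation, different split: plain joining would accept this
        "shifted_boundary": verify(record, storage_admin + "s", security_admin[1:]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Only the entry with both correct phrases in the correct order verifies; each custodian's phrase alone, or a phrase with one character moved across the boundary, is rejected.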
To define system options
Specify the name of the BES primary database to reflect the data set name created in Define the CA Tape Encryption Primary and Mirror Databases.
Specify the name of the BES mirror database to reflect the data set name created in Define the CA Tape Encryption Primary and Mirror Databases.
Specify a value that corresponds to the type of license purchased for CA Tape Encryption.
Specify if single or dual pass phrase control is used on the data in the BES database. The options are:
1
(Default) Single pass phrase. A database encrypted with a single pass phrase can be converted to use dual pass phrases. Single phrase control is compatible with previous releases.
2
Dual pass phrases. A database encrypted with dual pass phrases cannot be converted to use a single pass phrase.
All of the BES address spaces that share the database must be at the same maintenance level.
If you plan to use dual pass phrase control, set PassPhraseID1 and PassPhraseID2 to identify the individuals who will maintain a written copy of the pass phrases, such as “Storage Administrator” and “Security Administrator”.
The remaining parameters have defaults that work in most customer environments.
For information on dual pass phrases and the other parameters, see the Configuration Guide.
Note: Unless otherwise noted, references to “parmlib” refer to the CA Tape Encryption parameter library.
Optionally, you can define system protection and data set selection profiles to the CA@BES resource class. Entities within CA@BES are used by the CA Tape Encryption SAF Interface to protect system commands, encryption keys, and utilities. The SAF Interface can be used in place of DFSMS or with DFSMS to select data sets for encryption.
For information about using these security system features, see the Administration Guide.
Copyright © 2010 CA. All rights reserved.