Integration with IBM DFSMSrmm
IBM's tape management product DFSMSrmm interfaces with CA Tape Encryption to provide lifecycle management for tapes encrypted using symmetric key processing. If CA Encryption Key Manager Option for IBM is also licensed, certificates associated with IBM TS1120 or TS1130 tapes may also be tracked in DFSMSrmm.
For information about the PTFs required to enable this interface, contact IBM.
Processing Restrictions
The following restrictions apply to CA Tape Encryption processing:
- CA Tape Encryption only supports Standard Label (SL) tapes. Encryption or decryption capabilities are not provided for non-SL tapes.
- Applications using the z/OS Checkpoint Restart facility are not supported.
- CA Tape Encryption dynamically converts SL tape volumes to SUL volumes.
- The Multiplatform Decryption Utility (MDU), which your non-z/OS business partners use to decrypt data encrypted by CA Tape Encryption, only supports the decryption of standard fixed or fixed-blocked data sets.
- CA Tape Encryption updates the HDR1 record and inserts User Header Labels and User Trailer Labels with encryption processing information. Header and trailer labels are installed through a DCB exit (DCBX) that is dynamically added by CA Tape Encryption.
  Important! Any programs or utilities that dynamically modify the DCB exit list must be tested with CA Tape Encryption to ensure that there are no incompatibilities.
  Do not encrypt sort work (SORTWKnn) files. The advanced data management techniques used by various sort programs can interfere with the DCB exit processing used by CA Tape Encryption.
- Data blocks smaller than 16 bytes are not supported by CA Tape Encryption.
- The CA View Output Archival and Viewing utility SARTCP modifies the HDR1 after tape open processing by rewinding the tape and rewriting the HDR1, resulting in the loss of data saved in the HDR1 by CA Tape Encryption. To support encryption of any output tapes that are created by the SARTCP utility, you must obtain maintenance to SARTCP. Without this maintenance, CA Tape Encryption will exclude SARTCP tapes from encryption processing.
- IBM Tivoli Storage Manager for z/OS and Compuware File-AID are not supported. These products either do not support User Labels or use BlockID positioning that makes them incompatible with CA Tape Encryption.
- CA Tape Encryption allows you to select the data sets you want to encrypt. For many mainframe applications, tape is the primary medium. A tape data set may be the first and only copy of your business-critical data, as opposed to a backup of such data. If you plan to encrypt a primary data set when it is being written to tape, you should thoroughly test your application's encryption and decryption processing to ensure that there are no possible incompatibilities with CA Tape Encryption.
- DISP=OLD / DISP=SHR Restrictions. When DISP=OLD or DISP=SHR processing is used, CA Tape Encryption prevents a job from rewriting a data set in unencrypted mode. CA Tape Encryption abends a job performing RECREATE processing to prevent a previously encrypted data set from being rewritten in unencrypted format.
  Note: In tape management systems this is referred to as RECREATE processing. RECREATE processing is the attempt to rewrite the same data set to the same tape volume serial number and file sequence number.
Physical tapes created by CA Vtape (Backstore and Recycle volumes) can be encrypted by CA Tape Encryption because they conform to the requirements listed in this section. They are z/OS SL tapes and they do not use User Header Labels. However, physical container volumes created by IBM and StorageTek virtual tape systems cannot be encrypted because they do not conform to these requirements.
The CA Tape Encryption SAF Interface uses published CA ACF2 and CA Top Secret APIs together with standard RACROUTE macro calls in determining resource authorization protection and data set selection. Therefore, if your environment has special security-related system exits or implements external security manager processing parameters that override or modify SAF router calls and return codes, the SAF Interface cannot be used.