ENCRYPT Keyword—Encryption Level

Keywords › ENCRYPT Keyword—Encryption Level

ENCRYPT Keyword—Encryption Level

Valid on z/OS.

Use the ENCRYPT keyword to enable or disable levels of encryption. The levels supported are:

ENCRYPT

Configuration ENCTYPE

des-cbs-crc
des-cbc-md4
des-cbc-md5

DESD

Configuration ENCTYPE double DES.

DES3

Configuration ENCTYPE:

des3-cbc-sha1
des-cbc-crc

AES128

Configuration ENCTYPE:

aes128-cts-hmac-sha1-96

AES256

Configuration ENCTYPE:

aes256-cts-hmac-sha1-96

Corresponding to each level of encryption in the security environment, there must be a corresponding level in the Kerberos configuration file. See the IBM documentation on the Security Server Network Authentication Service to assure that your configuration file corresponds to your security encryption specification.

The encryption levels of mutually defined systems in a TCP/IP network must specify equal encryption levels for handshake:

LOCAL REALM A KERBPASS: X	LOCAL REALM B KERBPASS: Y
FOREIGN REALM B KERBPASS: Y	FOREIGN REALM A KERBPASS: X

For z/OS 1.9 and above, KERBLVL is ignored, all levels are supported.

When used with REALM, this keyword has the following format:

TSS ADD(SDT) REALM(KERBDFLT|foreign_realm) 
             REALMNAME(realmname)
             ENCRYPT('[DES|NODES]
                      [DES3|NODES3]
                      [DESD|NODESD] 
                      [AES128|NOAES128]
                      [AES256|NOAES256]')
             KERBPASS(password)
             CHKADDRS

Note: The CHKADDRS keyword is used only with KERBDFLT realm record, not foreign realms.

When used with Kerberos, this keyword has the following format:

TSS ADD(acid) KERBNAME(kerbname)
              ENCRYPT('[DES|NODES])
                     [DES3|NODES3]
                     [DESD|NODESD] 
                     [AES128|NOAES128]
                     [AES256|NOAES256]')

ENCRYPT

DES 56 bit encryption
DESD double DES encryption
DES3 168 bit encryption
AES128 AES 128 bit encryption
AES256 AES 256 bit encryption

Default: DES DES3 DESD AES128 AES256

The keyword is used with:

The commands ADDTO and REPLACE
The SDT Record and on the definition of Kerberos Principal Users
MISC3(SDT) authority to ADDTO or REMOVE records or REPLACE fields in the SDT
MISC8(LISTSDT) authority to list realms in the SDT

Examples: ENCRYPT keyword

This example enables the encryption levels DES and DES3 in the local REALM:

TSS ADD(SDT) REALM(KERBDFLT) 
             REALMNAME(HYPOTHETICAL.CA.COM)
             KERBPASS(THET1CAL)
             ENCRYPT('NODESD')
             CHKADDRS

This example limits the encryption for a particular user to DES encryption only:

TSS ADD(KRBPEON) KERBNAME(KRBPEON)
                 ENCRYPT('NODESD NODES3')

This example defines a local realm with an explicit encryption level:

TSS ADD(SDT) REALM(KERBDFLT) 
             REALMNAME('BOTTOMFEEDER.CARP.COM')
             ENCRYPT('DES DES3 NODESD')
             KERBPASS(GZORNPLT)
             CHKADDRS

This example defines ACID TESTER with a lesser encryption level:

TSS ADD(TESTER) KERBNAME(TESTER)
                ENCRYPT('DES NODES3 NODESD')