Keywords › ENCRYPT Keyword—Encryption Level Override

ENCRYPT Keyword—Encryption Level Override

Valid on z/OS.

Use the ENCRYPT keyword to override the value of ENCRYPT for the local REALM and set the certificate encryption level available to a particular user.

For z/OS 1.8 and below:

• When Control Option KERBLVL(0) is set, only DES is supported.
• When Control Option KERBLVL(1) is set, all levels are supported.

For z/OS 1.9 and above, KERBLVL is ignored, all levels are supported.

When used with the SDT, this keyword has the format:

TSS ADDTO(SDT) REALM(KERBDFLT|foreign_realm)
               REALMNAME(realmname)
               KERBPASS(password)
               CHKADDRS
               [ENCRYPT('[DES|NODES]
                         [DES3|NODES3]
                         [DESD|NODESD]
                         [AES128|NOAES128]
                         [AES256|NOAES256]')]

Note: The CHKADDRS keyword is used only with KERBDFLT realm record, not foreign realms.

When used with an ACID, this keyword has the format:

TSS ADDTO(acid) KERBNAME(kerbname)
                [ENCRYPT('[DES|NODES][DES3|NODES3][DESD|NODESD]
                         [AES128|NOAES128][AES256|NOAES256]')]
                [MAXTKTLF(ticket—life)]

Note: When ENCRYPT has been successfully added to an ACID, it appears in the LIST command as ENCTYPE.

If ENCRYPT is not specified, ENCRYPT('DES DES3 DESD AES128 AES256') is the default. Unless the negative keyword is explicitly specified, the positive keyword is assumed.

This keyword is used with:

• The commands ADDTO, REPLACE, and REMOVE
• The ACID types User, DCA, VCA, ZCA, LSCA, and SCA
• MISC3(SDT) authority to ADDTO or REMOVE records or REPLACE fields in the SDT
• MISC8(LISTSDT) authority to list realms in the SDT
• ACID(MAINTAIN) and MISC4(KERBUSER) authority to update the KERBNAME of an ACID and its associated fields