Rules Facility Guide › Chapter 6: Password Encryption Facility › Installing PEF › Installing Triple DES Password Encryption

Installing Triple DES Password Encryption

In addition to FORWARD and REVERSE, CA VM:Secure also supports triple DES encryption. The capability for triple DES one-way password encryption is handled by the PENCRYPT DES3 command. It converts plain text passwords, or reversible encrypted passwords to triple DES encrypted passwords. Reversible encrypted passwords are automatically converted to plain text and then to triple DES without you having to do a decryption step.

Note: For more information about the PENCRYPT utility, see the chapter "Utility Reference" in the Reference Guide.

If you are new to encryption, we recommend that you first implement PEF with reversible encryption to make sure your processes work. Then you can implement triple DES. Triple DES is just like forward encryption. The passwords cannot be unencrypted.

Note:

• Forward encrypted passwords are not easily converted to triple DES, because Forward encryption is a one way process. Technical Support may be able to assist you in changing every forward encrypted password on your VM system as a step to converting to triple DES encryption.
• Implementation of triple DES generally requires two system IPLs. The first is required after you define the triple DES algorithm key. The second IPL is required to switch to an encrypting CP Nucleus.

To implement triple DES password encryption

1. Generate a CP nucleus with DES3KEY in VMXRPI CONFIG:
   1. Log on to VMANAGER, edit VMXRPI CONFIG, and add a DES3KEY record.
   2. Execute the VMXCPG exec.
   3. Send the CP TEXT files generated by VMXCPG to MAINT.
   4. Rebuild the nucleus.

   Note: For more information about generating a CP nucleus, see Step 6: Configuring and Generating the VM:Secure CP Component. For more information about DES3KEY records, see DES3KEY Record.

   If you wish to use a predefined encryption key that is built into the CA VM:Secure product, rather than defining your own key, you can skip this step and the step 2.

2. IPL your system with the nucleus created in Step 1 and initialize CA VM: Secure.
3. Log on to VMANAGER, edit VMXRPI CONFIG, and add an ENCRYPT DES3 record.

   Note: For more information about the ENCRYPT record, see ENCRYPT Record.

4. Build a new CP nucleus. Put it in place to be picked up when you IPL after encrypting your passwords with the PENCRYPT DES3 command.
5. Log on to VMANAGER and run the PENCRYPT DES3 command to encrypt the VMSECURE 1B0 and the online directory.
6. IPL the system with the new CP nucleus created in Step 4.

   Your system is now running with PEF with triple DES encryption.