Different ICSF configurations can reside on different systems. If you can access a specific CA View database on one of these systems, be aware that you might have to copy encryption keys from one ICSF configuration to another to provide access to reports. In this situation, copy only the keys that start with CAOMPROD from one ICSF configuration to another.
Warning! Do not under any circumstances copy the CAOMCKDS.LABEL key label, as this label is unique for each ICSF configuration. Copying the key label can create duplicated key labels on different ICSF configurations with different encryption keys. Duplicated key labels might render certain reports unusable.
A similar condition can occur at a disaster recovery site. We recommend that you delete the CAOMCKDS.LABEL at the DR site before you perform output management activities.
Important! If the ICSF CKDS data set is shared among multiple z/OS systems, the ICSF SYSPLEXCKDS(YES,FAIL(xxxx)) parameter must be specified in the ICSF installation options data set.
This parameter allows newly created keys to be shared with other systems running ICSF. Without this parameter, the ICSF in-memory copy of the CKDS will be out of sync among the systems, and the result is that reports can be encrypted with one key and later incorrectly decrypted with another key. When this decryption occurs, the original keys are replaced with keys from another system. Reports using the original keys can no longer be decrypted.
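The following added example (not CA or IBM code) shows one way to check, before enabling encryption, that every system sharing a CKDS data set specifies SYSPLEXCKDS(YES,FAIL(xxxx)). It assumes each system's ICSF installation options member has been exported as text; the system names, data set names, and option text are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed sample option members, one per z/OS system (names are hypothetical).
SAMPLE_OPTIONS = {
    "SYSA": "/* prod LPAR A */\nCKDSN(CSF.SHARED.CKDS)\nSYSPLEXCKDS(YES,FAIL(YES))\n",
    "SYSB": "CKDSN(CSF.SHARED.CKDS)\nSYSPLEXCKDS(NO,FAIL(NO))\n",
    "SYSC": "CKDSN(CSF.SHARED.CKDS)\n",   # keyword omitted entirely
    "SYSD": "CKDSN(CSF.SYSD.CKDS)\n",     # private CKDS, not shared
}

def parse_options(text):
    """Return (CKDS data set name, first SYSPLEXCKDS operand) for one member."""
    # Drop /* ... */ comments and fold case before matching keywords.
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S).upper()
    ckds = re.search(r"\bCKDSN\(\s*([^)\s]+)\s*\)", text)
    plex = re.search(r"\bSYSPLEXCKDS\(\s*(\w+)\s*,\s*FAIL\(\s*\w+\s*\)\s*\)", text)
    return (ckds.group(1) if ckds else None, plex.group(1) if plex else None)

def find_unsynced_sharers(options_by_system):
    """List systems that share a CKDS without SYSPLEXCKDS(YES,FAIL(...))."""
    sharers = defaultdict(list)
    for system, text in options_by_system.items():
        dsn, plex = parse_options(text)
        if dsn:
            sharers[dsn].append((system, plex))
    findings = []
    for dsn, members in sharers.items():
        if len(members) < 2:
            continue  # CKDS is not shared, so the parameter is not required
        for system, plex in members:
            if plex != "YES":
                findings.append((system, dsn, plex or "not specified"))
    return sorted(findings)

if __name__ == "__main__":
    for system, dsn, value in find_unsynced_sharers(SAMPLE_OPTIONS):
        print(f"{system}: {dsn} is shared but SYSPLEXCKDS is {value}")
```

Any system the check reports would keep an in-memory CKDS copy that does not receive keys created elsewhere, which is the out-of-sync condition described above.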
If a new database is created and encryption is enabled, all report and report index data on the CA View database and backup tapes are encrypted.
If you have an existing CA View database and enable encryption, newly archived report and report index data on the CA View database and backup tapes are encrypted. Existing report data is encrypted only when the report is reloaded to database disk or re-backed up to tape.
Follow these steps to fully encrypt existing data:
You may want to change the initialization parameter setting to:
If the ENCRYPT initialization parameter setting is being changed to designate a new key management service, be aware that:
These reports are accessible as long as the appropriate tasks are running on the system. If you want to convert all the data over to the new key management scheme, perform the procedures outlined in "Encryption with New and Existing Database and Tape Data" earlier in this section.
If you no longer want to encrypt data in the database and on tape, the ENCRYPT initialization parameter can be set to NO with the SARINIT program as follows:
ENCRYPT=NO
Newly archived data and newly created backup tapes are no longer encrypted.
Note: Existing report and report index data in the database and on tape retain their original key reference and are accessible as long as the appropriate tasks are running on the system.
To completely remove encrypted data from the database and tape, perform the procedures outlined in "Encryption with New and Existing Database and Tape Data" earlier in this section.
Note: The CA View started task and FSS collections must be recycled to pick up a new ENCRYPT initialization parameter setting. The CA Deliver started task need not be restarted.
Copyright © 2015 CA Technologies.
All rights reserved.