Data Encryption

You can configure CA View to encrypt report data and report index data, both in the database and on tape. The IBM Integrated Cryptographic Service Facility (ICSF) product provides storage and access to the encryption keys.
Protecting your data is of utmost importance. The Payment Credit Industry (PCI) has defined standards for protection of credit card information. One of the most important factors in this compliance is the ability to provide optimum security, that is, data at rest must be encrypted through strong encryption.
Strong encryption is based on a published encryption algorithm that uses an encryption key. Some encryption algorithms require a single encryption key for encrypting and decrypting data. Others require both a public key and a private key.
A single encryption key is typically used for data at rest and a private/public key for transmission of data. The encryption key is stored externally from the data and can be secured in a database or by a key management product.
The separation of the encryption key and the data is vital to help ensure that the data by itself is unrecognizable to unauthorized individuals.
You can configure CA View to encrypt report data and report index data, both in the database and on tape. The IBM Integrated Cryptographic Service Facility (ICSF) product stores the encryption keys and provides access to them.
CA View uses the Advanced Encryption Standard (AES) algorithm. Depending on the supporting hardware, this algorithm uses either a 128-bit key or a 256-bit key to encrypt data. ICSF secure keys are also supported. ICSF secure keys are 256-bit AES keys that are encrypted with the AES master key, which is known only to ICSF and the cryptographic hardware.
Create, Access, and Maintain Encryption Keys Using ICSF Services
The IBM Integrated Cryptographic Service Facility provides services to create, access, and maintain encryption keys. These services are provided through a Cryptographic Service Facility task that must be started on each system that utilizes the service.
For information about the steps to install, initialize, and customize the startup task and ICSF data sets, see the IBM z/OS Integrated Cryptographic Service Facility System Programmers Guide.
Key Labels
The Advanced Encryption Standard (AES) keys are stored in clear or secure form in the ICSF CKDS data set and a key label is attached to each key. For the output management products, these key labels begin with CAOMPROD. A special ICSF key label that is named CAOMCKDS.LABEL is also created for each unique ICSF configuration.
Ensure that you make regular backups of the ICSF CKDS data sets. If information in the ICSF CKDS data set is lost or destroyed, data that is encrypted with these keys is unusable.
Activate Encryption
To activate ICSF encryption for a CA View database, see the ENCRYPT initialization parameter.
When encryption is enabled, part of the initialization process is to create the required number of encryption keys for the entire year. When a new year begins, new keys are automatically created for that year when the first report is archived. The number of keys to be created depends on the value of nnn in the ENCRYPT initialization parameter. A value of 1 generates 365 unique keys for the year and a new key is used each day. A value of 365 generates just one key and the same key is used for the whole year. A SARICF01 message identifies the creation of new keys. After you receive this message, perform a backup of the ICSF CKDS data set to help make certain that you have a backup copy of the new keys.
External Security Authorization
External security authorization to all ICSF keys that start with CAOMPROD must be granted to the following users and tasks:
  • CA View started task
  • CA View FSS started task(s)
  • All CA View online users in all online interfaces
  • All batch jobs that perform CA View utility functions, for example, SARBCH, SARDBASE, SARRSP, SARTCP, SARTDR
  • CA Deliver started task if network collected reports are written directly to the CA View database.
  • All CA Deliver pre-spool jobs that write reports directly to the CA View database
The use of secure keys also requires CSFKEYS external security authorization with SYMCPACFWRAP and SYMCPACFRET permissions. If the required permissions are not granted, the following message is issued:
SARICF06 Job/User CSFKEYS profile does not permit access to ICSF CAOMPROD keys - Service=CSNBKRR2
The CA View started task and CA View FSS started tasks terminate. CA Deliver pre-spool and post-spool jobs receive SARPAM30 messages to retry, or terminate. Before you resubmit any jobs, ensure that you provide the required authorization or change the ENCRYPT initialization parameter setting.
The following sample commands authorize access to ICSF secure keys for all users (ID(*) in the RACF sample, UID(-) in the ACF2 sample, and PER(ALL) in the Top Secret sample).
The SYMCPACFWRAP and SYMCPACFRET specifications are not required for ICSF clear keys.
Sample RACF command:
    RDEFINE CSFKEYS CAOMPROD.* UACC(NONE) ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
    PERMIT CAOMPROD.* ID(*) ACC(READ) CLASS(CSFKEYS)
    SETR RACLIST(CSFKEYS) REFRESH
Sample ACF2 command:
    SET PROFILE(CSFKEY) DIV(ICSF)
    INSERT CAOMPROD RESOURCE(CAOMPROD) SYMCRET SYMCWRAP
    F ACF2,OMVS(CSFKEYS)
    SET RESOURCE(SAF)
    COMPILE * STORE
    $KEY(CAOMPROD) TYPE(SAF)
     - UID(-) ALLOW
    F ACF2,REBUILD(SAF)
Sample Top Secret command:
    TSS PER(ALL) CSFKEYS(CAOMPROD) SYMCPACFWRAP(YES) +
        SYMCPACFRET(YES) CRITERIA(SMS(DSENCRYPTION))
Different Configurations Residing on Different Systems
Different ICSF configurations can reside on different systems. If you can access a specific CA View database on one system, you might have to copy encryption keys from one ICSF configuration to another to provide access to reports. In this situation, copy only the keys that start with CAOMPROD from one ICSF configuration to another.
Do not under any circumstances copy the CAOMCKDS.LABEL key label, as this label is unique for each ICSF configuration. Copying the key label can create duplicated key labels on different ICSF configurations with different encryption keys. Duplicated key labels might render certain reports unusable.
A similar condition can occur at a disaster recovery site. Ensure that you delete the CAOMCKDS.LABEL at the DR site before you perform output management activities.
If the ICSF CKDS data set is shared among multiple z/OS systems, specify the ICSF SYSPLEXCKDS(YES,FAIL(xxxx)) parameter in the ICSF installation options data set. This parameter allows newly created keys to be shared with other systems running ICSF. Without this parameter, the ICSF in-memory copy of the CKDS might be out of sync between the systems. If keys that were used to encrypt reports are replaced with keys from another system, the reports that were encrypted with the original keys can no longer be decrypted.
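The copy rules in this section can be checked before any key is moved. The following Python planner is an added example, not part of CA View or ICSF. It assumes the key labels of both ICSF configurations have already been exported to plain lists; the sample labels are constructed.

```python
from dataclasses import dataclass, field

PRODUCT_PREFIX = "CAOMPROD"      # key labels to copy start with this (from the page)
CONFIG_LABEL = "CAOMCKDS.LABEL"  # unique per ICSF configuration, never copied


@dataclass
class CopyPlan:
    copy: list = field(default_factory=list)        # absent on target, safe to copy
    collisions: list = field(default_factory=list)  # label already defined on target
    forbidden: list = field(default_factory=list)   # CAOMCKDS.LABEL found in source
    ignored: list = field(default_factory=list)     # not an output management key


def normalize(labels):
    # Listings may carry blank padding; compare labels trimmed and in upper case.
    return {l.strip().upper() for l in labels if l.strip()}


def plan_key_copy(source_labels, target_labels):
    target = normalize(target_labels)
    plan = CopyPlan()
    for label in sorted(normalize(source_labels)):
        if label == CONFIG_LABEL:
            plan.forbidden.append(label)
        elif not label.startswith(PRODUCT_PREFIX):
            plan.ignored.append(label)
        elif label in target:
            # The listing cannot show whether both sides hold the same key.
            # Replacing a key would make reports encrypted with the original
            # key undecryptable, so hold these for manual review.
            plan.collisions.append(label)
        else:
            plan.copy.append(label)
    return plan


# Constructed sample listings; everything after the CAOMPROD prefix is made up.
SOURCE = ["CAOMPROD.EXAMPLE.K001 ", "CAOMPROD.EXAMPLE.K002",
          "CAOMCKDS.LABEL", "PAYROLL.AES.KEY1"]
TARGET = ["CAOMPROD.EXAMPLE.K002", "CAOMCKDS.LABEL"]

if __name__ == "__main__":
    plan = plan_key_copy(SOURCE, TARGET)
    print("copy:      ", plan.copy)
    print("review:    ", plan.collisions)
    print("never copy:", plan.forbidden)
    print("ignored:   ", plan.ignored)
```

Only the labels in the copy list go to the target configuration. Labels in the review list need a manual decision before anything is overwritten.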
Encryption Using New and Existing Database and Tape Data
If a new database is created and encryption is enabled, all report and report index data on the CA View database and backup tapes are encrypted based on the value of the ENCRYPT initialization parameter. The ENCRYPT initialization parameter can be switched from one setting to another at any time. The new setting is used only for newly archived reports, reports that are reloaded from tape to database disk, new reports that are backed up to tape, and newly created consolidation tapes. Existing reports on the database and on tape are maintained in their current encrypted or unencrypted state. Use the following procedure to encrypt the entire database based on the new encryption setting.
Follow these steps:
  1. Set the ENCRYPT initialization parameter to the targeted setting.
  2. Copy or unload/load the database to a new database with the SARDBASE utility to encrypt all reports in the new database.
  3. Encrypt existing backup tapes by consolidating the tapes with the SARPAC utility.
Changing the Initialization Parameter ENCRYPT Setting
You might want to change the initialization parameter setting in the following scenarios:
  • To designate a new key management service
    If the ENCRYPT initialization parameter setting is changed to designate a new key management service, the following applies:
    • Existing report and report index data in the database and on tape will retain their original key reference.
    • Data that is encrypted with ICSF can coexist in the same database with non-encrypted data.
    These reports are accessible as long as the appropriate tasks are running on the system. To convert all the data over to the new key management scheme, perform the procedures that are described in the previous section "Encryption Using New and Existing Database and Tape Data".
  • To stop encrypting data in the database and on tape
    If you no longer want to encrypt data in the database and on tape, the ENCRYPT initialization parameter can be set to NO with the SARINIT program as follows:
    ENCRYPT=NO
    Newly archived data and newly created backup tapes are no longer encrypted.
    Existing report and report index data in the database and on tape retain their original key reference and are accessible as long as the appropriate tasks are running on the system.
    To completely remove encrypted data from the database and tape, perform the procedures that are described in the previous section "Encryption Using New and Existing Database and Tape Data".
The CA View started task and FSS collections must be recycled to pick up a new ENCRYPT initialization parameter setting. The CA Deliver started task need not be restarted.
Supported Cryptographic Hardware
Two cryptographic hardware choices are available for use on various systems:
  • Cryptographic Coprocessor Facility (CCF)
    CCF is a standard component on z900 and a no-cost option for z800. On z800 and z900 systems, ICSF requires CCF.
  • CP Assist for Cryptographic Functions (CPACF)
    CPACF is a standard component on z9 and z10 and a no-cost option for z890 and z990.
CA View does not require the use of the Cryptographic Express2 coprocessor (CEX2C). To run ICSF without a CEX2C coprocessor, you need ICSF release FMID HCR7751 or higher.
If you are running an older release of ICSF, you must purchase a CEX2C coprocessor, because previous releases of ICSF require that hardware to initialize the CKDS data set.
IEBGENER Considerations
IEBGENER cannot be used to print a report from a backup tape because data is now stored in encrypted format.
Encryption and Decryption Software Considerations
Use of z/OS software encryption and decryption increases the CPU time that is consumed by the job or started task.
Our tests have shown that encryption using the Crypto Assist Facility (CPACF) has the least amount of overhead. We experienced an increase of 1/10 of a CPU second for every million lines that are archived or browsed.