Hal

> but additional (and perhaps stronger) encryption may be available from native VTAM.

Make that "is available from native VTAM"!

I waited for someone else to jump in just in case there was an answer other than the one I have, in effect, already given you in the RACF list - but nobody took the bait!

In the bookshelf to which I referred before covering - in your case - the V1R11 Communications Server (CS)

http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/Shelves/F1A1BKB1

you should look into the CS SNA Network Implementation Guide and search for "encryption". I believe that will provide all the answers you need.

In order to whet your appetite, here is the initial section of the Appendix of most interest:

<quote>

APPENDIX1.5 Appendix E. Cryptographic keys

If you use the VTAM data encryption facility, you need to file cryptographic keys on the cryptographic key data set at the appropriate host processors. For information about which hosts require cryptographic keys, see "Cryptography facility" in topic 5.1.5.1. This appendix describes how to file these keys for different types of cryptographic facilities for both single-domain and multiple-domain sessions.

The available cryptographic services are:

* z/OS Integrated Cryptographic Service Facility (ICSF) and S/390 or zSeries Cryptographic Co-Processor

  ICSF is a licensed program that runs under MVS and provides access to the hardware cryptographic feature for programming applications. The combination of the hardware cryptographic feature and ICSF provides secure high-speed cryptographic services.

* Other PCF/CUSP or Common Cryptographic Architecture (CCA) compatible cryptographic products

Note: Triple-DES 24-byte encryption requires the use of the ENCRYPTN=CCA start option and that the Common Cryptographic Architecture (CCA) product is present. Otherwise, sessions that require triple-DES 24-byte encryption will fail.

CCA defines a set of cryptographic functions, external interfaces, and a set of key management rules that provide a consistent, end-to-end cryptographic architecture across different IBM platforms.

The following references are used with compatible cryptographic products:

PCF/CUSP
    Refers to any cryptographic product that is compatible with PCF/CUSP.

CCA
    Refers to any cryptographic product that is compatible with Common Cryptographic Architecture (CCA).

Notes:

1. If ICSF/MVS runs in CUSP mode, use the information for PCF/CUSP.

2. When using ICSF in PCF compatibility mode and migrating from an existing PCF cryptographic key data set (CKDS), an importer key with a key value of the PCF master key value must be included. Use the PCF master key 8 bytes twice to create the ICSF 16-byte key. Refer to the ICSF publications for additional information.

Specific commands and control statements for key input may differ by product.

For more information on establishing cryptographic sessions, refer to z/OS Communications Server: SNA Programming.

</quote>

Chris Mason

On Tue, 11 Jan 2011 10:35:59 -0600, Hal Merritt <[email protected]> wrote:

>We are researching implementing the Enterprise Extender feature in support of RACF RRSF. I am told that RACF encrypts its data, but additional (and perhaps stronger) encryption may be available from native VTAM.
>
>If this is so, then can someone point me to the IBM doc that would answer some audit concerns; specifically, what type of encryption, what strength, and how the keys are managed.
>
>Thanks!!

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

