CA Dynam\T support for z/VSE Tape Encryption and the // KEKL JCL statement.

Document ID : KB000054848
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

Encryption capable tape drives will be added to our z/VSE system soon. Will CA Dynam T support these drives?

The z/VSE JCL statement, Key Encryption Key Label or KEKL, allows a user to associate a tape unit with one or two KEKL's. The KEKL's are passed to the control unit by the z/VSE supervisor which in turn communicates with the Encryption Key Manager or EKM, to validate the encryption keys. If the key verification is successful, the tape data will be encrypted when written to the tape. The tape unit specified in the KEKL statement must already be assigned to an encryption capable drive before the KEKL statement is processed by job control.

IBM has added four modes to indicate a file should be encrypted when written to tape. The four modes which can be specified on the ASSGN JCL statement are 03, 0B, 23 and 2B.

The format of the IBM KEKL statement:

// KEKL UNIT={cuu|SYSnnn},KEKL1='kekl1',KEM1={L|H},KEKL2='kekl2',KEM2={L|H}
// KEKL UNIT={cuu|SYSnnn},KEKL1='kekl1',KEM1={L|H}
// KEKL UNIT={cuu|SYSnnn},CLEAR

The KEM or Key Encryption Mechanism parameters indicate how the corresponding key label is encoded by the key manager and stored on the tape.

L - Encoded as specified on the label.
H - Encoded as a hash of the public key.

Notes:

If the second format of the KEKL statement is used then KEKL2 and KEM2 are set to the value of KEKL1 and KEM1 respectively.

The KEKLs are valid until EOJ at which point they are cleared. The KEKLs can be cleared at any time by specifying the KEKL statement with the CLEAR option.

If the job does not contain a KEKL statement but encryption is turned on via the mode parameter in the assign statement, the default values stored in the EKM will be used.

A tape cartridge cannot contain both encrypted and non-encrypted data. If the first file written to a tape is encrypted, all subsequent files written to that same tape will be encrypted using the same key.

Solution:

Yes, CA Dynam T for z/VSE release 7.1 SP0 supports encryption capable drives and the new IBM 'KEKL' JCL statement.

The need to pre-assign the tape drive when encrypting a tape doesn't allow for automated tape processing. In order to get around this problem, support has been added to CA Dynam/T to allow the KEKL information to be maintained in the CA Dynam catalog. CA Dynam/T passes the KEKL information to z/VSE using the z/VSE MODCTB macro interface. The MODCTB macro allows a program to query, set or clear the KEKL values for a specified CUU.

When a dataset defined with an encryption type density is opened for output CA Dynam/T finds an available encryption capable drive, makes the assignment and then passes the appropriate KEKL information to z/VSE. Defining the KEKL information in the catalog removes the need to pre-assign encryption capable drives, thereby allowing for automated tape encryption processing.

The four new CA Dynam/T densities to indicate tape encryption are 03WE, 0BWE, 23WE and 2BWE.

If a dataset is defined with KEKL information, the dataset will only be encrypted if the dataset is defined with an encryption type density. Therefore if the density specified for a dataset is a non-encryption mode the KEKL information for the dataset is ignored by CA Dynam/T.

KEKL information can be defined to the Dynam catalog either online using CUI screen CAYD-1240 or in batch using the DYNCAT DEFINE and ALTER commands.

An informational message CADT112I UPDATED KEKL UNIT=cuu KEKL1=kekl1 KEM1=kem1 is issued whenever CA Dynam/T automatically updates the KEKL information via the MODCTB macro interface.