Converting The CA Top Secret Security File From Triple DES Encryption To AES Encryption With Least Business Impact

Document ID : KB000017632
Last Modified Date : 14/02/2018
Show Technical Document Details


We are considering converting our Encryption method from DES3 to AES.

I've browsed over the procedures for this conversion From the Installation Guide:

Convert Triple-DES Encryption to AES Encryption

To convert a security file from Triple-DES encryption to AES encryption:

  • Run TSSMAINT to initialize a new security file and to specify the AESENCRYPT option.

  • Run TSSXTEND to copy the old security file to the new security file.

Note: AES encryption is a non-shared environment option.

I understand that I would also need to change the PWENC Control Option to AES (currently set at DES3).

I'm wondering what the Business Impact, if any, on the system would be for this type of effort?


To have the least impact:

  1. Format the security file ahead of time using VSAMDEF3, TSSMAIND and TSSMAINS. The new security file would have to be equal to or larger than your current security file. Run a TSSFAR SFSSTATS job to determine what to specify for your input parms for TSSMAIND which will help you calculate how much space you will need. Then you would run TSSMAINS to actually format the security file.

    If you need the dataset name and volume to be the same, then you cannot format the security file ahead of time since CA Top Secret will be active and using the security file with the same dataset name and volume.

  2. You would run TSSXTEND and use the backup security files as input. You never want to copy the primary security if it is actively being used by CA Top Secret. Before running the TSSXTEND, issue a TSS MODIFY BACKUP command to trigger an immediate backup, so you will have the latest snapshot of the security file at the time of the backup.

  3. When you are ready to bring up CA Top Secret with AES encryption, update your CA Top Secret started task to point to the new security file and update the CA Top Secret parameter file to activate AES encryption.

  4. Do a temporary shutdown of CA Top Secret and restart CA Top Secret.

These steps will cause the least business impact, since CA Top Secret is running while you prepare it for AES encryption.