By default, passwords and password phrases are encrypted using the Triple-DES 3 encryption method. The Advanced Encryption Standard (AES), which is a FIPS approved cryptographic algorithm, can also be used for encrypting passwords and password phrases. In r14 and above, AES encryption is used when a security file is initialized with TSSMAINT and the AESENCRYPT parameter was specified.
The PWENC control option controls the use of ICSF. If you use ICSF on an AES security file, that will hit the fips 140-2 compliance requirement. (The AES key length uses 128 bit encryption.)
To convert a security file from Triple-DES encryption to AES encryption:
1. Run TSSMAINT to initialize a new security file and to specify the AESENCRYPT option.
2. Run TSSXTEND to copy the old security file to the new security file.
** You also have to create a new VSAM file :-)
3. Specify 1 of the following in the TSS parameter file:
a) PWENC(AES) if you want software to be used for the encryption.
*This is the recommended setting by CA Top Secret.
b) PWENC(ICSF) if you want ICSF hardware to be used for encryption.
4. Do a temporary shutdown and restart of TSS (S TSS,,,REINIT) pointing to the new security and backup files.
You can CPF between AES and DES systems without problems.
You will need to make sure RO52867 and RO51145 is applied for Top Secret r15.0.