IBM Security Key Lifecycle Manager for z/OS, Version 1.1

Configuration Properties

The Security Key Lifecycle Manager for z/OS can take advantage of the z/OS® hardware cryptography provided by z/OS ICSF. The feature can be used to improve the security characteristics of the data encryption key generated by the Security Key Lifecycle Manager for z/OS. The following configuration properties, requireHardwareProtectionForSymmetricKeys and zOSCompatibility, can be considered when running the Security Key Lifecycle Manager for z/OS on the z/OS platform.

The requireHardwareProtectionForSymmetricKeys and zOSCompatibility configuration properties implement enhanced symmetric key handling for the Security Key Lifecycle Manager for z/OS. With them, tape data encryption keys can be generated, wrapped, and rewrapped under multiple RSA keys using z/OS ICSF services, with those RSA keys residing in hardware-protected locations. When the Security Key Lifecycle Manager for z/OS is configured with these properties, the keys sent to or received from the tape drive and used to encrypt data never appear in unencrypted form in z/OS host storage: z/OS ICSF services and zSeries® hardware cryptography secure the RSA key management of the symmetric keys so that they are never exposed in the clear in host storage.

The requireHardwareProtectionForSymmetricKeys flag dictates that symmetric keys generated using ICSF must be protected by the ICSF Master Key. This way the symmetric key never appears in system memory in the clear. This flag only affects the TS1120, TS1130, TS1140 and DS8000 devices when using a JCECCAKS or JCERACFCCAKS keystore. LTO devices are not affected, since their keys are pre-generated.
Note: If you use the requireHardwareProtectionForSymmetricKeys flag when generating keys for LTO drives, those keys cannot be exported using the keytool -exportseckey option. Tapes written with these keys can only be read by the Security Key Lifecycle Manager for z/OS that served the key for the write operation, or by a Security Key Lifecycle Manager for z/OS that shares the same keystore. For information about the Integrated Cryptographic Services Facility and how to export protected keys, see http://publib.boulder.ibm.com/infocenter/zos/v1r11/topic/com.ibm.zos.r11.csfb400/pt2a.htm#pt2a for the callable service Data Key Export (CSNBDKX).
The zOSCompatibility flag identifies the cryptographic capabilities of the z/OS system being used. It is typically used when hardware cryptography (ICSF) is in use on z/OS. At one point ICSF did not support the AES algorithm that the Security Key Lifecycle Manager for z/OS uses, and this flag was a workaround for that limitation. ICSF now supports AES, so this flag no longer needs to be used.
Note: If you need the zOSCompatibility flag turned on for one system, make sure it is turned on for all systems that serve keys to the same devices.
Note: If this flag is turned on and the ICSF you are currently using supports AES, you can turn the flag off. This does not affect previously encrypted cartridges. Any new cartridges will require an AES key, so the default keygroup for LTO devices must contain AES keys and not DESede keys.

When the Security Key Lifecycle Manager for z/OS is configured with the zOSCompatibility property set to true, it uses the configured JCE cryptographic provider, and a 168-bit DESede key is generated in lieu of a 256-bit AES key. This key, wrapped under an RSA key that is protected by hardware cryptographic services, is provided to the tape drive device. The tape drive device continues to use 256-bit AES-GCM encryption: from the 168-bit key it builds a 256-bit AES key, which is then used for the data encryption and decryption performed within the device. When the Security Key Lifecycle Manager for z/OS is running with requireHardwareProtectionForSymmetricKeys set to true, this key is always encrypted in z/OS host storage. The following tables provide additional information about these Security Key Lifecycle Manager for z/OS configuration properties.

requireHardwareProtectionForSymmetricKeys configuration property

Table 1. requireHardwareProtectionForSymmetricKeys property

Value: true | false

Applies to: Writing and reading tapes on the z/OS platform only, when using a Security Key Lifecycle Manager for z/OS started with any of the JCECCA provider-based keystores.

Description and usage: If true, the data encryption key used with the JCECCAKS keystore is protected by z/OS cryptographic hardware. The data encryption key generated for encryption and decryption appears in host storage only in an encrypted form that is protected by a hardware-resident master key. This option only affects the z/OS JCECCA provider keystore types that are supported as stated in this publication. It has no effect on other keystore types.
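The notes above impose two operational constraints that are easy to miss in a multi-server deployment: zOSCompatibility must be set the same on every server serving keys to the same devices, and requireHardwareProtectionForSymmetricKeys=true makes keys generated for LTO drives non-exportable with keytool -exportseckey. The following script is an added example, not part of this publication or of the product, that reads the two properties from a set of configuration files and reports these conditions. It assumes the configuration is stored as Java-style key=value property files (the file names and sample contents are constructed) and that an unset property behaves as false; both are assumptions, not statements from this page.

```python
"""Consistency check for the requireHardwareProtectionForSymmetricKeys and
zOSCompatibility properties across several key-serving systems.

Added example. Assumptions (not from the publication): the properties live in
Java-style 'key = value' files, and a property that is not set counts as false.
"""
import re

# Constructed sample configurations for three systems that serve keys to the
# same tape devices. File names and contents are invented for the example.
SAMPLE_CONFIGS = {
    "server-a.properties": """
# constructed sample: hardware protection on, legacy flag off
requireHardwareProtectionForSymmetricKeys = true
zOSCompatibility = false
""",
    "server-b.properties": """
# constructed sample: still carries the legacy DESede workaround
requireHardwareProtectionForSymmetricKeys = true
zOSCompatibility = true
""",
    "server-c.properties": """
# constructed sample: hardware protection off, zOSCompatibility not set
requireHardwareProtectionForSymmetricKeys = false
""",
}

_PROP_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*[=:]\s*(.*?)\s*$")


def parse_properties(text):
    """Parse 'key = value' lines; blank lines and '#'/'!' comments are skipped."""
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        match = _PROP_LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def as_bool(value):
    """Assumption: only the literal 'true' (any case) enables a flag."""
    return value is not None and value.strip().lower() == "true"


def check_configs(configs):
    """Return a list of (system, finding) tuples describing the conditions
    the publication's notes warn about. '*' marks a cross-system finding."""
    findings = []
    parsed = {name: parse_properties(text) for name, text in configs.items()}
    compat = {name: as_bool(p.get("zOSCompatibility")) for name, p in parsed.items()}

    # Rule 1: zOSCompatibility must match on all systems serving the same devices.
    if len(set(compat.values())) > 1:
        on = sorted(n for n, v in compat.items() if v)
        off = sorted(n for n, v in compat.items() if not v)
        findings.append(("*", f"zOSCompatibility mismatch: on={on} off={off}"))

    for name, props in parsed.items():
        # Rule 2: the flag is a legacy workaround; with it set, 168-bit DESede
        # keys are generated instead of 256-bit AES keys.
        if compat[name]:
            findings.append((name, "zOSCompatibility=true: 168-bit DESede keys "
                                   "generated in lieu of 256-bit AES; not needed "
                                   "once ICSF supports AES"))
        # Rule 3: export caveat when hardware protection is required, and the
        # exposure caveat when it is not.
        if as_bool(props.get("requireHardwareProtectionForSymmetricKeys")):
            findings.append((name, "requireHardwareProtectionForSymmetricKeys=true: "
                                   "keys generated for LTO drives cannot be exported "
                                   "with keytool -exportseckey"))
        else:
            findings.append((name, "requireHardwareProtectionForSymmetricKeys is not "
                                   "true: ICSF-generated symmetric keys are not "
                                   "required to be ICSF Master Key protected"))
    return findings


if __name__ == "__main__":
    for system, finding in check_configs(SAMPLE_CONFIGS):
        print(f"{system}: {finding}")
```

Run against the constructed sample it reports the cross-system zOSCompatibility mismatch first, then one finding per system. Real deployments would read the files from disk instead of the embedded dictionary.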
