The Security Key Lifecycle Manager for z/OS can take advantage of the z/OS® hardware cryptography provided by z/OS ICSF. The feature can be used to improve the security characteristics of the data encryption key generated by the Security Key Lifecycle Manager for z/OS. The following configuration properties, requireHardwareProtectionForSymmetricKeys and zOSCompatibility, can be considered when running the Security Key Lifecycle Manager for z/OS on the z/OS platform.
The requireHardwareProtectionForSymmetricKeys and zOSCompatibility configuration properties implement enhanced symmetric key handling for the Security Key Lifecycle Manager for z/OS. With them, tape data encryption keys can be generated, wrapped, and rewrapped under multiple RSA keys that reside in hardware-protected locations, using z/OS ICSF services. When the Security Key Lifecycle Manager for z/OS is configured with these properties, the keys sent to or received from the tape drive and used to encrypt data never appear in unencrypted form in z/OS host storage: z/OS ICSF services and zSeries® hardware cryptography secure the RSA key management of the symmetric keys, handling them in a manner that prevents the keys from appearing in the clear in host storage.
When the zOSCompatibility property is set to true, the Security Key Lifecycle Manager for z/OS uses the configured JCE cryptographic provider to generate a 168-bit DESede key in place of a 256-bit AES key. This key, wrapped under an RSA key that is protected by hardware cryptographic services, is then provided to the tape drive. The tape drive continues to use 256-bit AES-GCM encryption: it uses the 168-bit key to build a 256-bit AES key, which is then used for the data encryption and decryption performed within the device. When the Security Key Lifecycle Manager for z/OS is running with requireHardwareProtectionForSymmetricKeys set to true, this key is always encrypted while in z/OS host storage. The following tables provide additional information about these Security Key Lifecycle Manager for z/OS configuration properties.
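As an added illustration (not code from Security Key Lifecycle Manager, ICSF, or IBM), the following Java program shows the two behaviours described above: the key manager generating a 168-bit DESede key when zOSCompatibility is true and a 256-bit AES key otherwise, and handing that key to the drive only as an RSA-wrapped blob. It assumes the default JCE provider as a stand-in for the JCECCA provider, so the RSA private key here lives in the Java heap rather than under an ICSF master key; the class and method names are hypothetical.

```java
import java.security.*;
import java.util.Arrays;
import javax.crypto.*;

public class TapeKeyWrapDemo {

    // Generate the data encryption key as the text describes:
    // 168-bit DESede when zOSCompatibility is true, otherwise 256-bit AES.
    static SecretKey generateDataKey(boolean zOSCompatibility) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance(zOSCompatibility ? "DESede" : "AES");
        kg.init(zOSCompatibility ? 168 : 256);
        return kg.generateKey();
    }

    // Wrap the symmetric key under the drive's RSA public key.
    // Only these wrapped bytes leave the key manager; the plaintext key never does.
    static byte[] wrapForDrive(SecretKey dataKey, PublicKey rsaPublic) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, rsaPublic);
        return rsa.wrap(dataKey);
    }

    // The receiving side unwraps with the RSA private key. On z/OS with the JCECCA
    // provider, this private-key operation would be performed by ICSF with the key
    // under the hardware master key; here the default provider does it in software.
    static SecretKey unwrapAtDrive(byte[] wrapped, PrivateKey rsaPrivate, boolean zOSCompatibility)
            throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.UNWRAP_MODE, rsaPrivate);
        return (SecretKey) rsa.unwrap(wrapped, zOSCompatibility ? "DESede" : "AES", Cipher.SECRET_KEY);
    }

    public static void main(String[] args) throws Exception {
        // Constructed RSA key pair standing in for the hardware-protected RSA key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        for (boolean compat : new boolean[] {true, false}) {
            SecretKey dek = generateDataKey(compat);
            byte[] wrapped = wrapForDrive(dek, kp.getPublic());
            SecretKey recovered = unwrapAtDrive(wrapped, kp.getPrivate(), compat);
            // Note: DESede encodes as 24 bytes (192 bits including parity bits), AES-256 as 32 bytes.
            System.out.printf("zOSCompatibility=%b: %s key, %d encoded bytes, wrapped blob %d bytes, round-trip ok=%b%n",
                    compat, dek.getAlgorithm(), dek.getEncoded().length, wrapped.length,
                    Arrays.equals(dek.getEncoded(), recovered.getEncoded()));
        }
    }
}
```

The program does not model how the drive derives its 256-bit AES key from the 168-bit DESede key, because the text does not specify that construction.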
Value | Applies to | Description and usage
---|---|---
`true` or `false` | Writing and reading tapes on the z/OS platform, only when using a Security Key Lifecycle Manager for z/OS started with any of the jcecca provider-based keystores. | If `true`, the data encryption key used with the JCECCAKS keystore is protected by z/OS cryptographic hardware. The data encryption key generated for encryption and decryption appears in host storage only in an encrypted form that is protected by a hardware-resident master key. This option affects only the z/OS JCECCA provider keystore types that are supported as stated in this publication; it has no effect on other keystore types.