z/OS Communications Server: SNA Network Implementation Guide


Security features in an XRF environment

SC27-3672-01

An XRF application program can establish cryptographic sessions and message authentication sessions with other LUs. Cryptography protects data passing over lines by permitting enciphering and deciphering of data for LU-LU sessions. Message authentication provides a message authentication code used to validate the contents of the data.

The XRF application program must reside in a host that has the IBM® Integrated Cryptographic Service Facility/MVS (ICSF/MVS) or a compatible cryptographic product installed and active.

The following references are used with compatible cryptographic products:
PCF/CUSP
    Refers to any cryptographic product that is compatible with PCF/CUSP.
CCA
    Refers to any product that is compatible with Common Cryptographic Architecture (CCA).

Many PCF/CUSP compatible cryptographic products must be started before starting VTAM®. They also must be started before you activate an external CDRM or CP for which CROSS statements have been defined in the cryptographic key data sets. This is not necessary for the VTAM Integrated Cryptographic Service Facility.

The XRF application program can specify that cryptography is either selective (specified by the session end) or required (session ends must support cryptography).

To enable this facility, code the following statements:
  • ENCR operand on the APPL definition statement for the XRF application program.
  • ENCR operand on the LU definition statement for any logical units that will be session ends.
  • ENCRTYPE keyword can be coded on both the APPL and LU. To enable TDES24 encryption, ENCRTYPE=TDES24 must be coded; otherwise the ENCRTYPE will default to DES.
    Note: A corequisite of NCP Version 7 Release 8 is required for XCF/Crypto with triple-DES operation.
  • Cryptographic keys in the cryptographic key data set.
For more information about coding the ENCR operand, see Cryptography facility. For more information about coding cryptographic keys, see Cryptographic keys.
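
Because ENCRTYPE defaults to DES when it is omitted, it is worth checking which APPL and LU definitions request cryptography without coding ENCRTYPE=TDES24. The following audit script is an added example, not IBM code: it assumes the definitions have been exported as fixed-column records with a non-blank column 72 marking continuation, and the resource names and the ENCR values REQD, SEL and NONE in the sample are constructed for illustration.

```python
import re

def card(text, cont=False):
    """Pad a record to 71 columns; a non-blank column 72 marks continuation."""
    return text.ljust(71) + ("X" if cont else "")

# Constructed sample member; resource names and ENCR values are illustrative.
SAMPLE = [
    card("* XRF application and its session partners"),
    card("XRFAPP1  APPL  ENCR=REQD,ENCRTYPE=TDES24"),
    card("XRFAPP2  APPL  ENCR=SEL"),
    card("LU01     LU    ENCR=REQD,", cont=True),
    card("               ENCRTYPE=DES"),
    card("LU02     LU    ENCR=NONE"),
]

def statements(records):
    """Yield (name, operation, operands) with continued records joined."""
    buf = ""
    for rec in records:
        if rec.startswith("*"):                     # comment record
            continue
        continued = len(rec) > 71 and rec[71] != " "
        text = rec[:71].rstrip()
        buf += text.lstrip() if buf else text
        if continued:
            continue
        m = re.match(r"(\S*)\s+(\S+)\s*(.*)", buf)
        buf = ""
        if m:
            ops = dict(re.findall(r"(\w+)=(\([^)]*\)|[^,\s]*)", m.group(3)))
            yield m.group(1), m.group(2), ops

def des_sessions(records):
    """Return APPL/LU names that request cryptography but end up on DES."""
    weak = []
    for name, op, ops in statements(records):
        if op not in ("APPL", "LU"):
            continue
        if ops.get("ENCR", "NONE") == "NONE":       # assumption: no crypto requested
            continue
        if ops.get("ENCRTYPE", "DES") != "TDES24":  # absent ENCRTYPE means DES
            weak.append(name)
    return weak

if __name__ == "__main__":
    print(des_sessions(SAMPLE))
```

Definitions with no ENCR operand, or ENCR=NONE, are skipped here because they request no cryptography at all; report them separately if unencrypted sessions are also in scope.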





Copyright IBM Corporation 1990, 2014