About this document
Who should read this document
How to use this document
Where to find more information
Related publications
Other sources of information
IBM discussion area
Internet sources
Abstract for IBM Encryption Facility for z/OS: Using Encryption Facility for OpenPGP
Summary of changes
Changes made in IBM Encryption Facility for z/OS Version 1 Release 2 as updated June 2014
Changes made in IBM Encryption Facility for z/OS Version 1 Release 2
Changes made in IBM Encryption Facility for z/OS Version 1 Release 2
Changes made in IBM Encryption Facility for z/OS Version 1 Release 2
Overview of IBM Encryption Facility for OpenPGP
What is Encryption Facility for OpenPGP?
What is OpenPGP?
What does Encryption Facility for OpenPGP do?
Understanding OpenPGP
Understanding session keys and data encryption
Understanding public-key encryption
Understanding passphrase-based encryption
How Encryption Facility for OpenPGP works
Using z/OS data sets
Compressing data
Using ASCII Armor
Authenticating through digital signatures
Using security keys, certificates, and repositories
Using ICSF and RACF
Participating in OpenPGP key exchange
Java algorithm support for Encryption Facility for OpenPGP
Supported key sizes
Supported character sets
Hardware and software requirements
Hardware requirements
Software requirements
Getting started
How do I install Encryption Facility for OpenPGP?
ICSF considerations
RACF considerations
Batch, UNIX System Services, and Java considerations
Getting started basic steps
Using Encryption Facility for OpenPGP
Reading and writing to z/OS data sets
Types of data sets
Restrictions using data sets
Allocating data sets through the data definition (DD) statement
Language Environment (LE)
Other data set considerations
OpenPGP messages
Using Encryption Facility for OpenPGP commands and options
Authenticating digital signatures
Using the OpenPGP keyring
Encryption Facility for OpenPGP commands
Configuration file and home directory
OUTPUT_FILE
Format
Description
Arguments
KEY_RING_FILENAME
Format
Description
Arguments
USE_ASYNC_IO
Format
Description
Arguments
USE_ASYNC_COMPRESS
Format
Description
Arguments
USE_ASYNC_CIPHER
Format
Description
Arguments
JAVA_KEY_STORE_TYPE
Format
Description
Arguments
JAVA_KEY_STORE_NAME
Format
Description
Arguments
KEYSTORE_PASSWORD
Format
Description
Arguments
KEY_PASSWORD
Format
Description
Arguments
KEY_ALIAS
Format
Description
Arguments
KEY_SIZE
Format
Description
Arguments
SIGNERS_KEY_PASSWORD
Format
Description
Arguments
SIGNERS_KEY_ALIAS
Format
Description
Arguments
SYSTEM_CA_KEY_ALIAS
Format
Description
Arguments
SYSTEM_CA_KEY_PASSWORD
Format
Description
Arguments
LOG_FILE
Format
Description
Arguments
CREATE_TRACE
Format
Description
Arguments
ACTIVE_LOGGERS
Format
Description
Arguments
DEBUG_LEVEL
Format
Description
Arguments
LITERAL_TEXT_CHARSET
Format
Description
Arguments
JCE_PROVIDER_LIST
Format
Description
Arguments
RNG_JCE_PROVIDER
Format
Description
Arguments
USE_ASCII_ARMOR
Format
Description
Arguments
ARMOR_COMMENT
Format
Description
Arguments
RECIPIENT_USER_ID
Format
Description
Arguments
RECIPIENT_KEY_ID
Format
Description
Arguments
RECIPIENT_ALIAS
Format
Description
Arguments
COMPRESSION
Format
Description
Arguments
CONFIDENTIAL
Format
Description
Arguments
USE_EMBEDDED_FILENAME
Format
Description
Arguments
DEFAULT_OUTPUT_DIRECTORY
Format
Description
Arguments
CIPHER_NAME
Format
Description
Arguments
DIGEST_NAME
Format
Description
Arguments
COMPRESS_NAME
Format
Description
Arguments
S2K_CIPHER_NAME
Format
Description
Arguments
S2K_DIGEST_NAME
Format
Description
Arguments
S2K_MODE
Format
Description
Arguments
S2K_PASSPHRASE
Format
Description
Arguments
ANSWER_YES
Format
Description
Arguments
ANSWER_NO
Format
Description
Arguments
HIDDEN_PASSWORD
Format
Description
Arguments
RACF_KEYRING_USERID
Format
Description
Arguments
USE_MDC
Format
Description
Arguments
TRUST_VALUE
Format
Description
Arguments
TRUSTED_COMMENT
Format
Description
Arguments
HARDWARE_KEY_TYPE
Format
Description
Arguments
BATCH_EXPORT
Format
Description
Arguments
BATCH_GENERATE
Format
Description
Arguments
DN_COMMON_NAME
Format
Description
Arguments
DN_COUNTRY_CODE
Format
Description
Arguments
DN_LOCALITY
Format
Description
Arguments
DN_ORGANIZATION
Format
Description
Arguments
DN_ORGANIZATION_UNIT
Format
Description
Arguments
DN_STATE
Format
Description
Arguments
HIDDEN_KEY_ID
Format
Description
Arguments
OPENPGP_DAYS_VALID
Format
Description
Arguments
SUB_KEY_ALIAS
Format
Description
Arguments
USERID_COMMENT
Format
Description
Arguments
USERID_EMAIL
Format
Description
Arguments
USERID_NAME
Format
Description
Arguments
X509_DAYS_VALID
Format
Description
Arguments
Latest command options and the updated ibmef.config file
Encryption Facility for OpenPGP options and commands
Command options
-a — Use ASCII Armor for the message output
Format
Description
Arguments
-batch-export — Specify batch public key export
Format
Description
Arguments
-batch-generate — Specify batch key generation
Format
Description
Arguments
-cipher-name — Specify the algorithm for encryption
Format
Description
Arguments
-comment — Add a comment header to ASCII Armorized messages
Format
Description
Arguments
-compress-name — Specify the algorithm to use for compression
Format
Description
Arguments
-debug-level level — Specify a level for trace information to be sent to the log file
Format
Description
Arguments
-debug number — Specify a bit mask value for logging
Format
Description
Arguments
-debug-on — Activate debugging information
Format
Description
Arguments
-digest-name — Specify the algorithm for the message digest
Format
Description
Arguments
-dn-common-name — Specify the common name of a distinguished name
Format
Description
Arguments
-dn-country-code — Specify the country code of a distinguished name
Format
Description
Arguments
-dn-locality — Specify the locality of a distinguished name
Format
Description
Arguments
-dn-organization — Specify the organization of a distinguished name
Format
Description
Arguments
-dn-organization-unit — Specify the organization unit of a distinguished name
Format
Description
Arguments
-dn-state — Specify the state of a distinguished name
Format
Description
Arguments
-hidden-key-id — Specify speculative key ID support
Format
Description
Arguments
-jce-providers — Specify JCE class names
Format
Description
Arguments
-key-alias — Specify the alias of a new key
Format
Description
Arguments
-key-password — Specify the password for a new key
Format
Description
Arguments
-key-size — Specify the key size to generate
Format
Description
Arguments
-keystore — Specify the name of the Java keystore
Format
Description
Arguments
-keystore-password — Specify the keystore password
Format
Description
Arguments
-keystore-type — Specify the keystore type
Format
Description
Arguments
-log-file — Write trace information to a file
Format
Description
Arguments
-no — Specify no to prompts
Format
Description
Arguments
-no-save — Display data to STDOUT only
Format
Description
Arguments
-o — Specify an output location
Format
Description
Arguments
-openPGP-days-valid — Specify the number of days a newly generated OpenPGP certificate is to be valid
Format
Description
Arguments
-rA — Encrypt using the public key from the Java keystore
Format
Description
Arguments
-racf-keyring-userid — Specify a RACF user ID
Format
Description
Arguments
-rK — Encrypt for a specified key ID
Format
Description
Arguments
-rP — Encrypt for a specified user ID
Format
Description
Arguments
-s2k-cipher-name — Specify the algorithm to use for passphrase-based encryption (PBE)
Format
Description
Arguments
-s2k-digest-name — Specify the digest algorithm for passphrase-based encryption (PBE)
Format
Description
Arguments
-s2k-mode — Specify the mode for passphrase-based encryption (PBE)
Format
Description
Arguments
-s2k-passphrase — Specify the passphrase to use for passphrase-based encryption (PBE) and decryption
Format
Description
Arguments
-signers-key-alias — Specify an alias for the system key
Format
Description
Arguments
-signers-key-password — Specify a password for the system key
Format
Description
Arguments
-sub-key-alias — Specify the alias for a new subkey during key generation
Format
Description
Arguments
-system-CA-key-alias — Specify an alias for a new key pair certificate
Format
Description
Arguments
-system-CA-key-password — Specify a password for the certificate authority key
Format
Description
Arguments
-t — Treat input as text
Format
Description
Arguments
-trust-value — Specify a trust value
Format
Description
Arguments
-trusted-comment — Specify a trust comment
Format
Description
Arguments
-use-embedded-file — Write data to a file specified in the data packet
Format
Description
Arguments
-use-mdc — Specify the use of modification detection code
Format
Description
Arguments
-userID-comment — Specify a user ID comment for an OpenPGP certificate during key generation and key export
Format
Description
Arguments
-userID-email — Specify a user ID email address for an OpenPGP certificate during key generation and key export
Format
Description
Arguments
-userID-name — Specify a user ID for an OpenPGP certificate during key generation and key export
Format
Description
Arguments
-x509-days-valid — Specify the number of days an X509 certificate is to be valid
Format
Description
Arguments
-yes — Specify yes to prompts
Format
Description
Arguments
-z — Compress data
Format
Description
Arguments
Encryption Facility for OpenPGP Commands
-b — Sign the contents of an OpenPGP message and create an output file with signature
Format
Description
Arguments
-c — Encrypt the contents of the OpenPGP message using PBE
Format
Description
Arguments
-compress — Compress data in OpenPGP message format
Format
Description
Arguments
-d — Decrypt or decompress an OpenPGP message
Format
Description
Arguments
-e — Encrypt the contents of the OpenPGP message
Format
Description
Arguments
-eA — Export an OpenPGP certificate by using an X.509 certificate alias from the OpenPGP keyring file
Format
Description
Arguments
-eK — Export an OpenPGP certificate by key ID from the OpenPGP keyring file
Format
Description
Arguments
-eP — Export an OpenPGP certificate by user ID from the OpenPGP keyring file
Format
Description
Arguments
-g — Generate a key pair as the system key for signatures
Format
Description
Arguments
-h — Prints the Help menu to STDOUT
Format
Description
Arguments
-i — Import an OpenPGP certificate into the OpenPGP keyring file
Format
Description
Arguments
-list-algo — Prints a list of algorithms to STDOUT
Format
Description
Arguments
-pA — List information about public keys in the keyring file or as specified by alias
Format
Description
Arguments
-pK — List information about the public keys in the keystore or those specified by key ID
Format
Description
Arguments
-pP — List information about public keys in the keyring file or those specified by user ID
Format
Description
Arguments
-prepare — Prepare the Java keystore to use existing keys in ICSF
Format
Description
Arguments
-rebuild-key-index — Rebuild the indexes for the keyring file
Format
Description
Arguments
-s — Sign the contents of an OpenPGP message using a key
Format
Description
Arguments
-v — Verify a signed OpenPGP message
Format
Description
Arguments
-xA — Delete key material associated with an alias
Format
Description
Arguments
-xK — Delete key material based on the key ID value
Format
Description
Arguments
-xP — Delete OpenPGP certificates associated with a user ID
Format
Description
Arguments
Encryption Facility for OpenPGP messages
CSD0000A
CSD0200I
CSD0400I
CSD0700A
CSD0780I
CSD0900I
CSD1000I
CSD1100I
CSD1200I
JCL, command examples, and reference
Sample JCL and code
Examples of commands for Encryption Facility for OpenPGP
Obtaining help
Listing algorithms
Deleting a certificate by user ID
Deleting a certificate by key ID
Encrypting a PDSE with PBE using the triple DES cryptographic algorithm
Encrypting a PDSE using multiple aliases
Decrypting a PDSE member
Exporting an alias from the Java keystore
Exporting a key ID from the Java keystore or OpenPGP keyring
Exporting a user ID from the OpenPGP keyring to an output file
Generating a key
Importing a certificate
Displaying aliases in the keystore
Displaying information about a user ID
Displaying certificates by key ID
Preparing an existing ICSF key to use the keystore
Rebuilding the key-ring index
Creating a signature using a signature key alias
Verifying a signature using a signature key alias
Exporting an X.509 alias
Exporting a key ID using ASCII Armor
Exporting a user ID using ASCII Armor
Creating a detached signature for a z/OS partitioned data set member
Common error messages