Cryptographic Parameters
- IBM® Programmed Cryptographic Facility (PCF) (5740-XY5)
Change your configuration to use the cryptographic parameters with PCF.
- z/OS® Integrated Cryptographic Service Facility (ICSF) (5647-A01)
Change your ICSF configuration to use the cryptographic parameters with ICSF. For a description of the necessary changes, see z/OS Cryptographic Services ICSF System Programmer's Guide.
This section lists and describes the REPRO cryptographic parameters.
- ENCIPHER
- specifies that the source data set is to be enciphered as it is
copied to the target data set.
Abbreviation: ENCPHR
- EXTERNALKEYNAME(keyname) |INTERNALKEYNAME(keyname) |PRIVATEKEY
- specifies whether keys are managed by PCF or ICSF, or privately by you.
- EXTERNALKEYNAME(keyname)
- specifies that PCF or ICSF manages keys.
This parameter also supplies the 1-to-8 character key name of the
external file key that is used to encipher the data encrypting key.
The key is known only by the deciphering system. The key name and
its corresponding enciphered data encrypting key are listed in SYSPRINT
only if NOSTOREDATAKEY is specified.
Abbreviation: EKN
- INTERNALKEYNAME(keyname)
- specifies that PCF or ICSF manages keys. This parameter also supplies the 1-to-8 character key name of the internal file key that is used to encipher the data encrypting key. The key is retained by the key-creating system. The key name and its corresponding enciphered data encrypting key will only be listed in SYSPRINT if NOSTOREDATAKEY is specified.
Abbreviation: IKN
- PRIVATEKEY
- specifies that the key is to be managed by you.
Abbreviation: PRIKEY
- CIPHERUNIT(number |1)
- specifies that multiple logical source records
are to be enciphered as a unit. Number specifies
the number of records that are to be enciphered together. By specifying
that multiple records are to be enciphered together, you can improve
your security (chaining is done across logical record boundaries)
and also improve your performance. However, there is a corresponding
increase in virtual storage requirements. The remaining records in
the data set, after the last complete group of multiple records, are
enciphered as a group. (If number is 5 and
there are 22 records in that data set, the last 2 records are enciphered
as a unit.)
The value for number can range from 1 to 255.
Abbreviation: CPHRUN
- DATAKEYFILE(ddname)|DATAKEYVALUE(value)
- specifies that you are supplying a plaintext (not enciphered)
data encrypting key. If one of these parameters is not specified,
REPRO will generate the data encrypting key. These parameters are
valid only when EXTERNALKEYNAME or PRIVATEKEY is specified. If INTERNALKEYNAME
and DATAKEYVALUE or DATAKEYFILE are specified, REPRO will generate
the data encrypting key and DATAKEYVALUE or DATAKEYFILE are ignored
by REPRO. The plaintext data encrypting key will not be listed in SYSPRINT unless PRIVATEKEY is specified and REPRO provides the key.
- DATAKEYFILE(ddname)
- identifies a data set that contains the plaintext data encrypting key. For ddname, substitute the name of the JCL statement that identifies the data encrypting key data set.
Abbreviation: DKFILE
- DATAKEYVALUE(value)
- specifies the 8-byte value to be used as the plaintext data encrypting key to encipher the data.
Value can contain 1-to-8 EBCDIC characters or 1-to-16 hexadecimal characters coded X'n'. Value must be enclosed in single quotation marks if it contains commas, semicolons, blanks, parentheses, or slashes. A single quotation mark must be coded as two single quotation marks. With either EBCDIC or hexadecimal representation, value is padded on the right with blanks (X'40') if it is fewer than 8 characters.
Abbreviation: DKV
- SHIPKEYNAMES(keyname[ keyname...])
- supplies the 1-to-8 character key name of one or more external file keys to be used to encipher the data encrypting key. Each key name and its corresponding enciphered data encrypting key is listed in SYSPRINT, but is not stored in the target data set header. The primary use for this parameter is to establish multiple enciphered data encrypting keys to be transmitted to other locations for use in deciphering the target enciphered data set. This parameter is valid only when INTERNALKEYNAME or EXTERNALKEYNAME is specified.
Abbreviation: SHIPKN
- STOREDATAKEY|NOSTOREDATAKEY
- specifies whether the enciphered data encrypting key is to be
stored in the target data set header. The key used to encipher the
data encrypting key is identified by INTERNALKEYNAME or EXTERNALKEYNAME.
This parameter is valid only when INTERNALKEYNAME or EXTERNALKEYNAME
is specified. If the enciphered data encrypting key is stored in the
data set header, it does not have to be supplied by the user when
the data is deciphered.
Restriction: A data encrypting key enciphered under the keys identified by SHIPKEYNAMES cannot be stored in the header. Therefore, you might want to avoid using STOREDATAKEY and SHIPKEYNAMES together because this could result in storing header information unusable at some locations.
- STOREDATAKEY
- specifies that the enciphered data encrypting key is to be stored in the target data set header.
Abbreviation: STRDK
- NOSTOREDATAKEY
- specifies that the enciphered data encrypting key is not to be stored in the target data set header. The keyname and its corresponding enciphered data encrypting key are listed in SYSPRINT.
Abbreviation: NSTRDK
- STOREKEYNAME(keyname)
- specifies whether to store a keyname for the key used to encipher the data encrypting key in the target data set header. The specified keyname must be the name the key is known by on the system where the REPRO DECIPHER is to be performed. This keyname must be the same one specified in INTERNALKEYNAME if REPRO DECIPHER is to be run on the same system. If REPRO DECIPHER is run on a different system, the specified keyname can be different from the one specified in INTERNALKEYNAME or EXTERNALKEYNAME.
This parameter is valid only when INTERNALKEYNAME or EXTERNALKEYNAME is specified. If the keyname is stored in the data set header, it does not have to be supplied by the user when the data is deciphered.
Restriction: Keyname values identified by the SHIPKEYNAMES parameter cannot be stored in the header. Therefore, you might want to avoid using STOREKEYNAME and SHIPKEYNAMES together because this could result in storing header information unusable at some locations.
Abbreviation: STRKN
- USERDATA(value)
- specifies 1-to-32 characters of user data to be placed in the target data set header. For example, this information can be used to identify the security classification of the data.
Value can contain 1-to-32 EBCDIC characters. If value contains a special character, enclose the value in single quotation marks (for example, USERDATA('*CONFIDENTIAL*')). If the value contains a single quotation mark, code the embedded quotation mark as two single quotation marks (for example, USERDATA('COMPANY''S')).
You can code value in hexadecimal form, where two hexadecimal characters represent one EBCDIC character. For example, USERDATA(X'C3D6D4D7C1D5E8') is the same as USERDATA(COMPANY). The string can contain up to 64 hexadecimal characters when expressed in this form, resulting in up to 32 bytes of information.
Abbreviation: UDATA
- DECIPHER
- specifies that the source data set is to be deciphered as it is copied to the target data set. The information from the source data set header is used to verify the plaintext deciphered data encrypting key supplied, or deciphered from the information supplied, as the correct plaintext data encrypting key for the decipher operation.
Abbreviation: DECPHR
- DATAKEYFILE(ddname) | DATAKEYVALUE(value) | SYSTEMKEY
- specifies whether keys are managed by PCF or ICSF, or privately by you.
- DATAKEYFILE(ddname)
- specifies that the key is to be managed by you, and identifies a data set that contains the private data encrypting key that was used to encipher the data. For ddname, substitute the name of the JCL statement that identifies the data set containing the private data encrypting key.
Abbreviation: DKFILE
- DATAKEYVALUE(value)
- specifies that the key is to be managed by you, and supplies the 1- to 8-byte value that was used as the plaintext private data encrypting key to encipher the data.
Value can contain 1-to-8 EBCDIC characters, and must be enclosed in single quotation marks if it contains commas, semicolons, blanks, parentheses, or slashes. A single quotation mark contained within value must be coded as two single quotation marks. You can code value in hexadecimal form (X'n'). Value can contain 1-to-16 hexadecimal characters, resulting in 1 to 8 bytes of information. With either EBCDIC or hexadecimal representation, value is padded on the right with blanks (X'40') if it is fewer than 8 characters.
Abbreviation: DKV
- SYSTEMKEY
- specifies that PCF or ICSF manages keys.
Abbreviation: SYSKEY
- SYSTEMDATAKEY(value)
- specifies the 1- to 8-byte value representing the enciphered system data encrypting key used to encipher the data. This parameter is valid only if SYSTEMKEY is specified. If SYSTEMDATAKEY is not specified, REPRO obtains the enciphered system data encrypting key from the source data set header. In this case, STOREDATAKEY must have been specified when the data set was enciphered.
Value can contain 1-to-8 EBCDIC characters and must be enclosed in single quotation marks if it contains commas, semicolons, blanks, parentheses, or slashes. A single quotation mark must be coded as two single quotation marks. You can code value in hexadecimal form (X'n'). Value can contain 1-to-16 hexadecimal characters, resulting in 1-to-8 bytes of information. With either EBCDIC or hexadecimal representation, value is padded on the right with blanks (X'40') if it is fewer than 8 characters.
Abbreviation: SYSDK
- SYSTEMKEYNAME(keyname)
- specifies the 1-to-8 character key name of the internal key that was used to encipher the data encrypting key. This parameter is only valid if SYSTEMKEY is specified. If SYSTEMKEYNAME is not specified, REPRO obtains the key name of the internal key from the source data set header. In this case, STOREKEYNAME must have been specified when the data set was enciphered.
Abbreviation: SYSKN
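
The validity rules stated above for the ENCIPHER subparameters can be checked before a job is submitted. The following Python sketch is an added example, not IBM code: it assumes the subparameters have already been parsed into a dict (keyword as key, decoded value, `True` for keywords that take no value), and the function name `lint_encipher` and the finding texts are hypothetical.

```python
# Added example: lint REPRO ENCIPHER subparameters against the rules in this
# section. The dict input format and the finding wording are assumptions.
KEY_MGMT = ("EXTERNALKEYNAME", "INTERNALKEYNAME", "PRIVATEKEY")
FILE_KEY_ONLY = ("SHIPKEYNAMES", "STOREDATAKEY", "NOSTOREDATAKEY", "STOREKEYNAME")
SUPPLIED_KEY = ("DATAKEYFILE", "DATAKEYVALUE")


def lint_encipher(p):
    """Check ENCIPHER subparameters in dict p; return a list of findings."""
    modes = [k for k in KEY_MGMT if k in p]
    if len(modes) != 1:
        return ["ERROR: code exactly one of " + "|".join(KEY_MGMT)]
    mode, out = modes[0], []
    # Every key name on the page is limited to 1-to-8 characters.
    names = [p.get("EXTERNALKEYNAME"), p.get("INTERNALKEYNAME"),
             p.get("STOREKEYNAME"), *p.get("SHIPKEYNAMES", [])]
    out += [f"ERROR: key name {n!r} is not 1-to-8 characters"
            for n in names if n is not None and not 1 <= len(n) <= 8]
    if not 1 <= p.get("CIPHERUNIT", 1) <= 255:
        out.append("ERROR: CIPHERUNIT must be 1 to 255")
    if not 1 <= len(p.get("USERDATA", "x")) <= 32:
        out.append("ERROR: USERDATA must be 1 to 32 characters")
    supplied = [k for k in SUPPLIED_KEY if k in p]
    if mode == "PRIVATEKEY":
        # These four are valid only with a PCF/ICSF-managed file key.
        out += [f"ERROR: {k} requires INTERNALKEYNAME or EXTERNALKEYNAME"
                for k in FILE_KEY_ONLY if k in p]
        if not supplied:
            # PRIVATEKEY with a REPRO-generated key: plaintext key is listed.
            out.append("RISK: REPRO generates the key and lists it in "
                       "plaintext in SYSPRINT; protect that output")
    else:
        if mode == "INTERNALKEYNAME":
            out += [f"WARN: {k} is ignored with INTERNALKEYNAME; REPRO "
                    "generates the data encrypting key" for k in supplied]
        if "STOREDATAKEY" in p and "NOSTOREDATAKEY" in p:
            out.append("ERROR: STOREDATAKEY and NOSTOREDATAKEY conflict")
        header = [k for k in ("STOREDATAKEY", "STOREKEYNAME") if k in p]
        if header and "SHIPKEYNAMES" in p:
            out.append("WARN: header values from " + "/".join(header) +
                       " are unusable where a SHIPKEYNAMES key is needed")
    return out
```

An empty result means the combination is consistent with the rules in this section; a RISK finding marks the one case in which the page says the plaintext data encrypting key appears in SYSPRINT.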