Is there a way to test/verify 256-bit Encryption?
Release : 16.0
Component : CA Top Secret for z/OS
There isn’t a lot of testing that can be done for this, but here are some suggestions:
1) After CA Top Secret has come up on the security file with AES 256 encryption, issue TSS MODIFY and verify that AES_ENCRYPTION(Active,256) appears in the ‘TSS9661I CA Top Secret FEATURES Status’ area of the output. For example:
TSS9661I CA Top Secret FEATURES Status
MAX_ACID_SIZE(…K)
ORG_ACID_SIZE(…K)
RDT2BYTE(…)
NEW_PASSWORD(…)
VSAM_DIGICERT(…)
AES_ENCRYPTION(Active,256)
LARGE_VSAM_RECORD(…)
EXPAND_COUNTER(…)
TSS9661I CA Top Secret PHRASE Status
2) Have some users sign on and change their password, then sign off and back on to make sure the new password works. (This should work the same as when DES encryption was being used.)
3) Have a couple of administrators change a user’s password with TSS REPLACE(acid) PASSWORD(xxxx,,EXP), then have the user sign on to confirm that the password is expired and that they can successfully change it. (This should also work the same as when DES encryption was being used.)
4) If using passphrases, repeat steps 2 and 3 above for passphrases. (The administrative command to replace a phrase is: TSS REPLACE(acid) PHRASE(xxxxxxxxxx,,EXP).)
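
The check in step 1 can be scripted when the TSS MODIFY output has been captured as text. The following is an added example, not part of the original article or the product: the function names and sample text are constructed, the Active,128 value is an assumption used only to show a mismatch, and the check passes only when AES_ENCRYPTION(Active,256) appears inside the FEATURES Status section.

```python
import re

# Section header and NAME(value,...) feature lines, as shown in step 1.
SECTION = re.compile(r"TSS9661I CA Top Secret (\w+) Status")
FEATURE = re.compile(r"\b([A-Z][A-Z0-9_]*)\(([^()]*)\)\s*$")

# Constructed sample text; "..." stands for values the article elides.
SAMPLE_256 = """\
TSS9661I CA Top Secret FEATURES Status
MAX_ACID_SIZE(...K)
NEW_PASSWORD(...)
AES_ENCRYPTION(Active,256)
LARGE_VSAM_RECORD(...)
TSS9661I CA Top Secret PHRASE Status
"""
# Constructed failure case: the value is an assumption, used only to show a mismatch.
SAMPLE_128 = SAMPLE_256.replace("Active,256", "Active,128")
# Constructed failure case: right string, wrong section of the output.
SAMPLE_MISPLACED = """\
TSS9661I CA Top Secret FEATURES Status
NEW_PASSWORD(...)
TSS9661I CA Top Secret PHRASE Status
AES_ENCRYPTION(Active,256)
"""


def parse_features(output):
    """Return {name: [values]} for lines inside the FEATURES Status section."""
    features, in_features = {}, False
    for line in output.splitlines():
        header = SECTION.search(line)
        if header:
            in_features = header.group(1) == "FEATURES"
            continue
        match = FEATURE.search(line)
        if in_features and match:
            features[match.group(1)] = [v.strip() for v in match.group(2).split(",")]
    return features


def aes256_active(output):
    """Fail closed: True only for AES_ENCRYPTION(Active,256) in FEATURES."""
    return parse_features(output).get("AES_ENCRYPTION") == ["Active", "256"]


if __name__ == "__main__":
    for name, text in [("256", SAMPLE_256), ("128", SAMPLE_128), ("misplaced", SAMPLE_MISPLACED)]:
        print(name, "PASS" if aes256_active(text) else "FAIL")
```

Because the check fails closed, a missing feature line or any value other than Active,256 is reported as FAIL rather than skipped.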