Test And Verify Conversion From DES To AES 256 Encryption With Top Secret

Article ID: 142911

Products

CA Top Secret

Issue/Introduction

Hi, we are preparing to implement 256-Bit AES Encryption on our test system.
I am looking for some information on how to test/verify/checkout.

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/security/ca-top-secret-for-z-os/16-0/using/managing-passwords-and-password-phrases/implement-256-bit-aes-encryption-for-passwords-password-phrases.html





Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

There isn’t a lot of testing that can be done for this, but here are some suggestions:

1) After coming up on the security file with AES 256 encryption, issue TSS MODIFY and verify that AES_ENCRYPTION(Active,256) shows in the ‘TSS9661I CA Top Secret FEATURES Status’ area of the output. For example:

TSS9661I CA Top Secret FEATURES Status
MAX_ACID_SIZE(…K)
ORG_ACID_SIZE(…K)
RDT2BYTE(…)
NEW_PASSWORD(…)
VSAM_DIGICERT(…)
AES_ENCRYPTION(Active,256)
LARGE_VSAM_RECORD(…)
EXPAND_COUNTER(…)
TSS9661I CA Top Secret PHRASE Status

2) Have some users sign on and change their password, then sign off and back on to make sure the new password works. (This should work the same as when DES encryption was being used.)

3) Have a couple of administrators change a user’s password with TSS REPLACE(acid) PASSWORD(xxxx,,EXP), then have the user sign on to confirm that the password is expired and that they can successfully change it. (This should also work the same as when DES encryption was being used.)

4) If you are using passphrases, repeat steps 2 and 3 above for passphrases. (The administrative command to replace a phrase is: TSS REPLACE(acid) PHRASE(xxxxxxxxxx,,EXP).)