Converting The CA Top Secret Security File From Triple DES Encryption To AES Encryption With Least Business Impact


Article ID: 17632


Products

CA Cleanup CA Datacom - DB CA Datacom CA Datacom - AD CA Datacom - Server CA CIS CA Common Services for z/OS CA 90s Services CA Database Management Solutions for DB2 for z/OS CA Common Product Services Component CA Common Services CA Datacom/AD CA ecoMeter Server Component FOC CA Easytrieve Report Generator for Common Services CA Infocai Maintenance CA IPC Unicenter CA-JCLCheck Common Component CA Mainframe VM Product Manager CA Chorus Software Manager CA On Demand Portal CA Service Desk Manager - Unified Self Service CA PAM Client for Linux for zSeries CA Mainframe Connector for Linux on System z CA Graphical Management Interface CA Web Administrator for Top Secret CA CA- Xpertware CA Top Secret CA Top Secret - LDAP CA Top Secret - VSE

Issue/Introduction

Description:

We are considering converting our Encryption method from DES3 to AES.

I've browsed over the procedures for this conversion from the Installation Guide:

Convert Triple-DES Encryption to AES Encryption

To convert a security file from Triple-DES encryption to AES encryption:

  • Run TSSMAINT to initialize a new security file and to specify the AESENCRYPT option.

  • Run TSSXTEND to copy the old security file to the new security file.

Note: AES encryption is a non-shared environment option.

I understand that I would also need to change the PWENC Control Option to AES (currently set at DES3).

I'm wondering what the Business Impact, if any, on the system would be for this type of effort?

Solution:

To have the least impact:

  1. Format the new security file ahead of time using VSAMDEF3, TSSMAIND and TSSMAINS. The new security file must be equal to or larger than your current security file. Run a TSSFAR SFSSTATS job to determine what to specify for the TSSMAIND input parameters, which will help you calculate how much space you need. Then run TSSMAINS to actually format the security file.

    If the dataset name and volume need to stay the same, you cannot format the security file ahead of time, because CA Top Secret will be active and using the security file with that dataset name and volume.

  2. Run TSSXTEND using the backup security files as input. Never copy the primary security file while it is actively being used by CA Top Secret. Before running TSSXTEND, issue a TSS MODIFY BACKUP command to trigger an immediate backup, so that you have the latest snapshot of the security file at the time of the backup.

  3. When you are ready to bring up CA Top Secret with AES encryption, update your CA Top Secret started task to point to the new security file and update the CA Top Secret parameter file to activate AES encryption.

  4. Do a temporary shutdown of CA Top Secret and restart CA Top Secret.

These steps will cause the least business impact, since CA Top Secret is running while you prepare it for AES encryption.

Environment

Component: AWAGNT