This is a consolidated list of questions regarding using ENCRYPT=. 

Release: 14.0

Component: CA View

1 What does the nnn on the ENCRYPT= SARINIT parameter mean?

   The nnn is the number of days the encryption key will be used. The default is 365. The valid values are 1-366, where 366 is a year and a day.

2. When the Encryption key changes, what happens to the data that was encrypted under the old key?

    All the keys are kept in ICSF. So, if you set the nnn for 30,  after 30 days, we would create a new key based on AES  standards and store the new key in ICSF.
    ICSF would keep the old key available as it would be needed to de-crypt the reports that were archived using the old key. 

 
3. Is there overhead from turning on CA View encryption?

    The time the CPU uses to encrypt or decrypt data does increase the CPU time consumed by the job or started task.
    Our tests showed that encryption using the Crypto Assist Facility (CPACF) had the least amount of overhead.
    We experienced an increase of 1/10 of a CPU second for every million lines archived or browsed.
       

4. Why do you need write access to ICSF if you turn on CA View encryption?

    Write access is needed because CA Viiew needs to write the keys to ICSF whenever a new key is generated.

5. How do you find out which reports have been encrypted and which ones are not?

    To tell if a report is encrypted, you can run an SARDBASE IDXOUT of the database and view the output.
    The report records in the IDXOUT start with the report name in column 1. Turn HEX ON and
    towards the end of the report record you will see on of two values that indicates if the report is encrypted:

For ENCRYPT=ICSF, the string to search for is X’A80C01’
For ENCRYPT=ICSFSEC, the string to search for is X’A80C04’

6. Is CA View/Deliver compatible with KDFAES encryption?

    For CA View there have been no compatibility issues reported with KDFAES encryption.

7. How is encryption handled for Disaster recovery?

    CA View only creates ICSF keys with two names that start with CAOMCKDS and CAOMPROD. 
    If you need to copy the keys from a production site to a DR site, only copy the CAOMPROD keys.

8. What is the difference between CAOMCKDS and CAOMPROD keys?

    The CAOMPROD keys contain the 256-bit AES keys, which are used in the encryption and decryption services. 
    The CAOMCKDS is a key dataset that is specific to IPCS CKDS, it is not used for encryption or decryption.
    It is used to hold a special CKDS-specific marker and should not be copied to other CKDS data sets.

9. Does CA View/Deliver have any issues with DASD that uses IBM Pervasive Encryption?

   There should not be any issues with having the CA View/Deliver databases on DASD where IBM Pervasive Encryption is implemented.
   Files that use IBM supplied access methods, such as VSAM or BDAM, will have their data automatically encrypted.
   However, since CA View and CA Deliver use a proprietary access method, our data will not be automatically encrypted.
   If you want the CA View data to be encrypted you need to turn on CA View encryption.

10. If the VIEW database files are on SMS volumes or NON SMS managed volumes will IPCS encryption work either way?

    Encryption will work and is not based on whether the database data sets are SMS volumes or not. 

For more information on CA View's encryption functionality, please refer to the Data Encryption section in the manual......
Data Encryption

For questions on how to verify that the CA View database is encrypted, please refer to article ID: 133053.