Question: 

Why are the Advanced Encryption Standard (AES) keys stored in "clear" form in the ICSF CKDS dataset instead of being in the "protect" form? In other words what AES strength is the encryption module when specifying ENCRYPT=ICSF? 

Answer:

• We use 56-bit AES keys.  Clear AES keys are the only method that ICF supports. 
• CA View also uses a cypher chain with encryption and decryption, the use of the AES key itself is not sufficient to render readable data.

This is from the z/OS Crypto Application Programmers Guide: 

"The Symmetric Key Encipher and Symmetric Key Decipher callable services are used to encipher and decipher data in an address space or a data space using the cipher block chaining and electronic code book modes. The Advanced Encryption Standard (AES) and DES (Data Encryption Standard) are supported. AES encryption uses a 128-, 192- or 256-bit key. Only clear keys will be supported. The AES encryption is subject to the same availability restrictions as triple-DES encryption."

Additional Information:

As always, please contact CA Technologies support for CA View/Deliver if you have further questions.