search cancel

With CA Tape Encryption installed, running a batch job which references an output tape dataset, it can happen to get error: BES1T0013E Non-B2B encryption for foreign tape and the job abnormally ends.


Article ID: 7593


Updated On:


CA 1 Tape Management CA 1 Tape Management - Copycat Utility CA 1 Tape Management - Add-On Options



CA Tape Encryption is a software-based encryption appliance that provides a convenient and secure method for automating the encryption and decryption of confidential data on tape volumes in the z/OS operating environment.

The product is designed to generate two types of encrypted tapes:


 In-House Tapes


In-house tapes are internal tapes for use inside an organization. This category includes tapes for disaster recovery sites. Encrypt this type of tape using a symmetric key. The encryption key must be available when the tape is created and when the tape is read. The ICSF CKDS or BES database containing the symmetric keys used to encrypt the data must be available to the system doing the decryption. When performing decryption at a disaster recovery site or off-site location, you must first recover the CKDS if that is your key repository, and the BES database.



Business-to-Business Tapes


Business-to-Business (B2B) tapes are sent outside the organization, for example to another company or business partner. Encrypt the data on a B2B tape using a randomly generated symmetric key. Then have the symmetric key itself encrypted using the public key portion of the public key/private key pair of the business partner (the recipient of the tape).

For non-z/OS business partners, the randomly generated symmetric key is based on an electronic code book to maintain the integrity of the key rather than using public key/private key encryption techniques. Use the CA Tape Encryption Multiplatform Decryption Utility (MDU) Java client on supported non-z/OS platforms to decrypt files encrypted using this code book method.

For more information about the MDU, see Multiplatform Decryption Utility User Guide or the utility's online help.


With CA Tape Encryption installed, running a batch job which references an output tape dataset using LABEL=(1,SL,EXPDT=98000), it can happen to get the error:


BES1T0013E Non-B2B encryption for foreign tape


and the job abnormally ends.


How to bypass this error?



CA Tape Encryption



As reported in the CA Tape Encryption Message Reference Guide:




NON-B2B Encryption for foreign tape



CA Tape Encryption received a request to encrypt a foreign tape (that is, a tape that is not defined in your tape catalog) using symmetric key (in-house) processing. The encryption request was rejected because the information needed to decrypt the data at a foreign site was not available. In-house tape processing requires that the BES database and optionally, the CKDS, be available at the receiving site. Foreign tapes should be encrypted using B2B processing. This allows the data encryption key on the tape to be transferred in encrypted format.


Note: Foreign tapes are not tracked by the tape management system. Symmetric key processing requires that the tape management system be available to track information about the key. B2B processing does not require a tape management system because the key is sent on the tape.



Change your DFSMS ACS rules (or the DATACLAS JCL parameter that has requested a specific data class) or your [email protected] data set selection security profiles so that this new tape data set is assigned to a data class associated with B2B processing. Data classes that begin with BES=(RSA or BESn=(RSA are used to assign B2B processing. Note that additional requirements are needed to create B2B tapes. For information about B2B processing, see the Administration Guide.




To bypass the error:


BES1T0013E Non-B2B encryption for foreign tape


it is possible to implement the suggestions provided in the Action section of the error message explanation reported in the Message Guide, related to the DFSMS ACS rules or the [email protected] security resource class.


Anyway, there is also an easier way to bypass the problem in case the security definitions are not yet done, in fact it is possible to reference the output tape with:




or to leave off the EXPDT= keyword, or to change it to RETPD=nnn 
(where nnn is the number of days to keep the tape).


If, after the suggested activity, the job still fails with the same error, please open a Case with CA Support.