Setting Stored Data Encryption
All data that Connector for ACF2 stores temporarily is encrypted with the Stored Data Encryption key, which is distinct from the Transmitted Data Encryption key. For example, the sensitive security information that the Interceptors write to the Connector queue file is encrypted with the Stored Data Encryption key.
The Connector for ACF2 installation procedure creates the initial Stored Data Encryption key. The key can be regenerated periodically so that no single key protects stored data indefinitely.
Note
Before changing the encryption key, and before enabling or disabling Stored Data Encryption, verify that the Connector queue file is empty. The Notification Server cannot process queue-file records that were written under a previous key, and the same applies to records written before encryption was enabled or disabled.
The Stored Data Encryption key is used internally by Connector for ACF2; there is no need to synchronize this key with SailPoint or any other Connector for ACF2 installation.
The following procedures are described below:
- Generating a new Stored Data Encryption key.
- Disabling (or enabling) the encryption of stored data.
Generate a New Stored Data Encryption Key
To generate a new Stored Data Encryption key:
- Verify that the Connector queue dataset does not contain data, using the procedure Printing the Connector Queue.
- Stop the Connector Online Interceptor by entering the following operator command:
P CTSAONI
- Stop the Connector for ACF2 Gateway and servers by entering the following operator command:
P CTSGATE
- Edit member CTSKGEN in the JCL library.
- Submit the job; it generates a new key. All job steps must end with a condition code of 0. If any step ends with a non-zero condition code, resolve the cause before continuing.
- Start the Connector for ACF2 Gateway (which automatically starts the Connector for ACF2 servers) by entering the following operator command:
S CTSGATE
- Start the Connector Online Interceptor by entering the following operator command:
S CTSAONI
Disable or Enable Stored Data Encryption
To disable (or enable) the encryption of stored data:
- Verify that the Connector queue dataset does not contain data, using the procedure Printing the Connector Queue.
- Stop the Connector Online Interceptor by entering the following operator command:
P CTSAONI
- Stop the Connector for ACF2 Gateway and servers by entering the following operator command:
P CTSGATE
- Edit member CTSPRSV in the Connector PARM library.
- Set the ENCR_INT_ACT parameter to one of the following settings:
  - N to disable Stored Data Encryption.
  - Y to enable Stored Data Encryption.
- Save the member.
- Start the Connector for ACF2 Gateway (which automatically starts the Connector for ACF2 servers) by entering the following operator command:
S CTSGATE
- Start the Connector Online Interceptor by entering the following operator command:
S CTSAONI
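As an added example (not SailPoint or Connector for ACF2 code), the following Python model shows why both procedures above, key generation and the ENCR_INT_ACT change, insist that the queue file be empty first: a record sealed under one Stored Data Encryption key cannot be processed once the next key is in force, and a guard on the key change and on the encryption toggle refuses to proceed while records are pending. The record format, the HMAC-based key derivation and keystream, the QueueFile class and its method names, and the sample events are assumptions made for illustration; the real Connector's storage format and algorithm are not described on this page.

```python
import hashlib
import hmac
import secrets

# Added illustrative model, not Connector for ACF2 code. Record layout,
# key derivation, class and method names are assumptions for this example.


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC subkeys from one stored-data key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (illustrative only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one queue record as nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, record: bytes) -> bytes:
    """Verify the tag before decrypting; a record sealed under another key fails here."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = record[:16], record[16:-32], record[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record was not written under this Stored Data Encryption key")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class QueueFile:
    """Model of the Connector queue file: the Interceptors write records, the
    Notification Server drains them. encryption_enabled models ENCR_INT_ACT."""

    def __init__(self, key: bytes, encryption_enabled: bool = True):
        self.key = key
        self.encryption_enabled = encryption_enabled
        self.records: list[bytes] = []

    def write(self, data: bytes) -> None:
        self.records.append(seal(self.key, data) if self.encryption_enabled else data)

    def is_empty(self) -> bool:
        return not self.records

    def drain(self) -> list[bytes]:
        """Read every pending record under the current key and encryption setting."""
        out = [unseal(self.key, r) if self.encryption_enabled else r for r in self.records]
        self.records.clear()
        return out

    def rotate_key(self, new_key: bytes) -> None:
        """Key change (the CTSKGEN step), gated on the precondition from the Note."""
        if not self.is_empty():
            raise RuntimeError("queue file is not empty; drain it before changing the key")
        self.key = new_key

    def set_encryption(self, enabled: bool) -> None:
        """ENCR_INT_ACT change, gated on the same precondition."""
        if not self.is_empty():
            raise RuntimeError("queue file is not empty; drain it before changing ENCR_INT_ACT")
        self.encryption_enabled = enabled


SAMPLE_EVENT = b"ACF2 LID=PAYROLL01 PASSWORD CHANGED"   # constructed sample record


def unsafe_rotation_breaks_queue() -> bool:
    """Bypass the guard: a record sealed under key 1 cannot be processed under key 2."""
    q = QueueFile(secrets.token_bytes(32))
    q.write(SAMPLE_EVENT)
    q.key = secrets.token_bytes(32)        # direct assignment skips rotate_key's check
    try:
        q.drain()
    except ValueError:
        return True
    return False


def guards_refuse_when_nonempty() -> tuple[bool, bool]:
    """Both guarded changes must refuse while a record is pending."""
    q = QueueFile(secrets.token_bytes(32))
    q.write(SAMPLE_EVENT)
    refused = []
    for action in (lambda: q.rotate_key(secrets.token_bytes(32)), lambda: q.set_encryption(False)):
        try:
            action()
            refused.append(False)
        except RuntimeError:
            refused.append(True)
    return refused[0], refused[1]


def safe_rotation_sequence() -> list[bytes]:
    """Drain first (processing pending records), then rotate; new records round-trip."""
    q = QueueFile(secrets.token_bytes(32))
    q.write(SAMPLE_EVENT)
    processed = q.drain()
    q.rotate_key(secrets.token_bytes(32))
    q.write(b"ACF2 LID=AUDIT01 SUSPENDED")  # constructed sample record
    return processed + q.drain()
```

Running the module's functions in order reproduces the page's warning: the unsafe rotation leaves an undecryptable record behind, the guarded methods refuse to change anything while the queue holds data, and the drain-then-rotate sequence processes every record. The same guard logic applies to switching ENCR_INT_ACT, which is why the second procedure repeats the emptiness check.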