IBM Print Transforms from AFP for Infoprint Server for z/OS


G325-2634-02

Encrypting PDF documents

The AFP to PDF transform can encrypt PDF documents. Encrypting PDF documents provides enhanced security for sensitive documents.

In addition, the transform can associate user and owner passwords with encrypted PDF documents to prevent unauthorized access, and it can restrict copying, updating, and printing of encrypted PDF documents. For example, a nurse could use the transform to encrypt a patient's test results and send them to the doctor in a PDF document that only the doctor can open and print.

Encryption methods

You can use either or both of these methods to encrypt PDF documents:

Encrypting with passwords
When you use this method:
  • You can associate a user password with the PDF document. The user password lets someone open an encrypted PDF document. A user password is optional. However, it prevents unauthorized users from opening PDF documents.
    Tip: In Adobe Reader, the user password is called an open password.
  • You can associate an owner password with the PDF document. The owner password lets someone open an encrypted PDF document and bypass restrictions. An owner password is optional. However, it is required to restrict actions in PDF documents.
    Tip: In Adobe Reader, the owner password is called a permissions password.
  • You can restrict actions in the PDF document, or you can allow all actions. Adobe Reader prevents users from doing restricted actions unless the user knows the owner password.
  • You can select the level of encryption:
    • A high level of encryption (a 128-bit encryption key) provides enhanced security.
    • A low level of encryption lets you send encrypted PDF documents to countries that do not use a high level of encryption or to users with Adobe Reader 3.0 - 4.x.
Encrypting without passwords
When you use this method:
  • Anyone can open the PDF document because no user password is associated with it.
  • The transform generates an owner password that it uses to restrict actions in the PDF document. Because this owner password is secret, no one can use it to bypass restrictions.
  • The transform uses a low level of encryption (a 40-bit encryption key). You cannot select the level of encryption.
Tip: You might want to encrypt PDF documents without passwords so that the administrator does not need to maintain a password database.

Specifying user and owner passwords

For security reasons, job submitters cannot specify user and owner passwords during job submission, and administrators cannot specify passwords in printer definitions. Instead, job submitters and administrators specify user and owner identifiers.

The administrator can decide what identifiers to use. For example, identifiers can be z/OS® user IDs, email addresses, or a combination of different types of identifiers. Identifiers can contain any combination of 1-256 letters, numbers, blanks, and special characters.

The administrator must write a Password exit that returns a password to the transform for each user and owner identifier. The Password exit can obtain these passwords from a password database. The password database can be in any format that your Password exit can use. For information, see Writing a Password exit.

Job submitters can specify user and owner identifiers in job attributes pdf-user-identifier and pdf-owner-identifier. For example, you can specify this afpxpdf command:

afpxpdf -j "pdf-user-identifier=SMITH pdf-owner-identifier=LEE" \
        -o myfile.pdf myfile.afp

As an alternative, the administrator can specify user and owner identifiers in printer definitions. For an example, see Example -- ISPF Processing panel for the AFP to PDF transform.

Restricting actions

When you encrypt PDF documents with or without passwords, you can restrict copying, updating, and printing in the PDF documents. Adobe Reader does not permit users to do the restricted actions when they open the PDF document. However, users who open the PDF document with the owner password bypass restrictions.

In Adobe Reader, restricted actions are not available. For example, if you restrict printing, the Adobe Reader "Print" menu action is not available. To see exactly which menu actions Adobe Reader makes unavailable when you restrict an action, open the PDF document that the transform creates and check which actions are unavailable. PDF viewers other than Adobe Reader might interpret restricted actions in different ways.

You can restrict slightly different sets of actions when you encrypt documents with and without passwords. In addition, the way you specify restricted actions differs.

Encrypting with passwords

When you encrypt PDF documents with passwords, job submitters can specify the restricted actions in the pdf-protect job attribute. For example, you can specify this afpxpdf command:

afpxpdf -j "pdf-user-identifier=SMITH pdf-owner-identifier=LEE
        pdf-protect={copy print update}" -o myfile.pdf myfile.afp

For information about the pdf-protect job attribute, see Job attributes for encrypting PDF documents.

As an alternative, the administrator can specify restricted actions in printer definitions. For an example, see Example -- ISPF Processing panel for the AFP to PDF transform.

The transform clears these bits in the encryption dictionary's P entry for each restricted action, depending on whether you select a high (128-bit) or low (40-bit) level of encryption:

Restricted action   Bits (high encryption)   Bits (low encryption)
copy                5 and 10                 5
print               3 and 12                 3
update              4, 6, 9, and 11          4 and 6

For more information about bits in the encryption dictionary, see the Adobe PDF Reference, which is available on the Adobe website (www.adobe.com).

Encrypting without passwords

When you encrypt PDF documents without passwords, the administrator must specify restricted actions in the AOP_PROTECT environment variable in the transform configuration file. For example, the administrator could create a transform class called "nomodify" that restricts users from modifying the PDF documents. To do this, the administrator would specify this environment variable for the transform class:

AOP_PROTECT -> "modify"

For information about the AOP_PROTECT environment variable, see Environment variables for the AFP to PDF transform.

When you encrypt PDF documents without passwords, job submitters cannot specify restricted actions. However, job submitters can submit transform jobs to the transform class that has the restrictions they want. For example, you can specify this afpxpdf command:

afpxpdf -c nomodify -o myfile.pdf myfile.afp

As an alternative, the administrator can specify a transform class that restricts actions in printer definitions.

The transform clears these bits in the encryption dictionary's P entry for each restricted action:

Restricted action   Bit
modify              4
print               3
select              5

For more information about bits in the encryption dictionary, see the Adobe PDF Reference, which is available on the Adobe website (www.adobe.com).
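
The two bit tables above (with and without passwords), turned into a check you can run against the /P value of a PDF that the transform produced. This is an added example, not IBM's code. Bit 1 is the low-order bit, as in the Adobe PDF Reference; the mode labels, the all-permitted baseline 0xFFFFFFFC, and the sample dictionary are assumptions made for the example.

```python
import re

# Bit numbers (1 = low-order bit) copied from the two tables on this page.
# The mode labels are names chosen for this example.
CLEARED_BITS = {
    "password-high": {"copy": (5, 10), "print": (3, 12), "update": (4, 6, 9, 11)},
    "password-low": {"copy": (5,), "print": (3,), "update": (4, 6)},
    "no-password": {"modify": (4,), "print": (3,), "select": (5,)},
}

# Assumption: with nothing restricted, every bit except reserved bits 1-2 is set.
ALL_PERMITTED = 0xFFFFFFFC


def _mask(bits):
    """Combine 1-based bit numbers into an integer mask."""
    return sum(1 << (b - 1) for b in bits)


def expected_p(mode, actions):
    """Signed 32-bit /P value after clearing the bits for each restricted action."""
    value = ALL_PERMITTED
    for action in actions:
        value &= ~_mask(CLEARED_BITS[mode][action])
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def restricted_actions(mode, p):
    """Actions whose listed bits are all cleared in a /P value read from a PDF."""
    p &= 0xFFFFFFFF  # /P is written as a signed integer; compare as unsigned
    return sorted(a for a, bits in CLEARED_BITS[mode].items() if p & _mask(bits) == 0)


def read_p(encrypt_dict):
    """Pull the /P integer out of the raw bytes of an encryption dictionary."""
    m = re.search(rb"/P\s*(-?\d+)", encrypt_dict)
    return int(m.group(1)) if m else None


# Constructed sample dictionary (not output captured from the transform).
SAMPLE = b"<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 >>"

if __name__ == "__main__":
    p = read_p(SAMPLE)
    print(p, restricted_actions("password-high", p))
    print(expected_p("no-password", ["modify"]))
```

A /P value that clears only bit 3 reports "print" as restricted under the low-encryption table but not under the high-encryption table, because bit 12 is still set.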





Copyright IBM Corporation 1990, 2014