One of the “big things” IBM announced with the z14 processor was dataset encryption (or, more accurately, automatic dataset encryption). Although announced with the z14, the capability is also supported on the z13. This function allows sequential (BSAM and QSAM) datasets, as well as VSAM datasets, to be encrypted completely without any application programmer action: the access methods encrypt on write and decrypt on read, using a key that is identified by a key label and kept in the ICSF CKDS. It is part of IBM’s campaign for “pervasive encryption” on the mainframe platform.
This capability requires a number of different technologies to be integrated: ICSF, SMS, the access methods and, unsurprisingly, the external security manager (here CA ACF2), which decides who may use which key label.
What are the setup requirements for CA ACF2 for z/OS?
The following JCL is an example of the required steps for setting up pervasive encryption (dataset encryption) with CA ACF2.
//*================================================================
//* This job does setup for z/OS 2.3 dataset encryption
//*================================================================
//*
//* Step 1: Create a 256-bit AES data key
//*
//* Notes:
//*(1) RUN THIS STEP ONLY ONCE! If you encrypt any data
//* using the data key created by this step it will
//* not be useable if you create a replacement data key
//* by running this step again.
//*(2) ICSF must be up in order to run this job.
//*(3) The default KEYGEN Rexx program sets up the data key
//* with key-label "TEST.KEY001". If you need to set up
//* a different key-label make a clone of KEYGEN on your
//* test system and modify the key-label.
//*(4) KEYGEN is available from IBM.
//KEYGEN EXEC PGM=IKJEFT01
//SYSEXEC DD DSN=REXX.library,DISP=SHR
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
%KEYGEN
//*
//* Step 2: ACF2 administration - create ICSF profile
//*
//* Notes
//*(1) The RESOURCE(TEST.KEY001) value must match the
//* key-label used in the previous step.
//*(2) RO93554 is required to extract CSFKEYS CSFSCPR field
//*
//PROFILE EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//*
//SYSTSIN DD *
ACF
SET PROF(CSFKEYS) DIV(ICSF)
INSERT TEST.KEY001 RESOURCE(TEST.KEY001) SYMCRET SYMCWRAP
SET C(GSO)
CHANGE INFODIR TYPES(R-PCSF) ADD
//*
//* Step 3: ACF2 administration - allow access to the CSFKEYS key-label
//*
//* Notes
//* (1) CRITERIA support fixes are required (RO96906 RO97896 RO98008)
//* (2) This step assumes CSFKEYS is mapped to SAF
//* (3) TEST rule is set up to give USER01 access to the
//* TEST.KEY001 key-label
//* (4) WHEN(CRITERIA(SMS(DSENCRYPTION))) limits the entry to use of
//* the key by the access methods for dataset encryption; it does
//* not give USER01 access to the key label through direct ICSF
//* callable-service requests.
//*
//KEYLABEL EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
COMP * STORE
$KEY(TEST) TYPE(SAF)
KEY001 UID(USER01) ALLOW WHEN(CRITERIA(SMS(DSENCRYPTION)))
END
//*
//* Step 4: ACF2 administration - allow access to the CSNBKRR2 service
//*
//* Notes (1) This step assumes CSFSERV is mapped to SAF
//* (2) CSNBKRR2 (Key Record Read2) is the ICSF service the access
//* methods call to retrieve the key from the CKDS; its CSFSERV
//* resource name is CSFKRR2
//*
//CSFKRR2 EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
COMP * STORE
$KEY(CSFKRR2) TYPE(SAF)
UID(USER01) ALLOW
END
//*
//* Step 4A: Optional - the key label can also be supplied through the
//* DATAKEY field of the DFP segment of the DATASET profile record,
//* so that datasets matching the profile are encrypted without
//* coding DSKEYLBL on the DD statement.
//*
//* Notes (1) A key label coded at allocation (DSKEYLBL, step 6)
//* takes precedence over the DATAKEY field, and the DATAKEY
//* field takes precedence over the data class.
//*
//DFPKEY EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
SET PROFILE(DATASET) DIVISION(PROFILE)
COMP * STORE
$KEY(TEST)
DATASET.- DFP(TEST)
END
SET PROFILE(DATASET) DIV(DFP)
INSERT TEST DATAKEY(TEST.KEY001)
F ACF2,REBUILD(DSN),CLASS(P)
//*
//* Step 5: ACF2 administration - refresh/rebuild structures
//*
//REBUILD EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
F ACF2,REFRESH(INFODIR)
F ACF2,REBUILD(CSFKEYS),CLASS(P)
F ACF2,OMVS(CSFKEYS)
F ACF2,REBUILD(SAF)
//*
//* Step 6: Allocate a dataset specifying the key-label (DSKEYLBL)
//* that matches the key-label used in prior steps.
//*
//* Notes (1) Output dataset MUST be SMS managed, sequential
//* and extended format (DSNTYPE=EXTREQ, for example);
//* VSAM datasets must likewise be extended format
//* (2) USER01 needs the CSFKEYS access from step 3 and the
//* CSFSERV access from step 4 before the encrypted dataset
//* can be opened (step 7)
//*
//ALLOCATE EXEC PGM=IEFBR14
//DD1 DD DSN=USER01.SMS.ENCRYPT.DATA,
// DISP=(NEW,CATLG,DELETE),
// DSKEYLBL='TEST.KEY001', <<<=== REQUIRED
// DSNTYPE=EXTREQ, <<<=== REQUIRED
// UNIT=SYSDA,SPACE=(TRK,(1,1)),
// DCB=(LRECL=80,BLKSIZE=6160,DSORG=PS,RECFM=FB)
//* DATACLAS=XXXXXXXX,
//* MGMTCLAS=XXXXXXXX,
//* STORCLAS=XXXXXXXX,
//*
//* Step 7: Write test data to the encrypted dataset
//*
//WRITE EXEC PGM=IEBGENER
//SYSPRINT DD DUMMY
//SYSIN DD DUMMY
//SYSUT2 DD DISP=SHR,DSN=USER01.SMS.ENCRYPT.DATA
//SYSUT1 DD *
AAAAAAAAAAAAAAAAA
BBBBBBBBBBBBBBBBB
CCCCCCCCCCCCCCCCC
/*
//*
//* Step 8: Do a LISTCAT to verify the encryption info
//*
//* Notes (1) Check LISTCAT output for:
//* ENCRYPTIONDATA
//* DATA SET ENCRYPTION ---- (YES)
//* DATA SET KEY LABEL ----- TEST.KEY001
//*
//LISTCAT EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
LISTC ENT('USER01.SMS.ENCRYPT.DATA') ALL
/*
//
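As an added check for step 8 (this script is not part of the original job, nor IBM's or CA's own tooling), the Python below parses IDCAMS LISTCAT ALL output, confirms that a dataset shows DATA SET ENCRYPTION (YES) with the expected key label, and audits every dataset under a high-level qualifier for entries that are unencrypted or encrypted under a different label. The LISTCAT text is constructed sample output whose ENCRYPTIONDATA layout follows the step 8 notes; it is assumed that for VSAM the key label is reported on the DATA component rather than the CLUSTER entry. On a real system, feed it the SYSTSPRT of the LISTCAT step (for example downloaded with FTP or z/OSMF) instead of the sample.

```python
"""Verify z/OS dataset encryption from IDCAMS LISTCAT ALL output."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Entry header lines: "NONVSAM ------- DSN", "CLUSTER ------- DSN", and the
# indented "DATA ------- DSN" / "INDEX ------ DSN" component lines.
ENTRY_RE = re.compile(
    r"^\s*(NONVSAM|CLUSTER|DATA|INDEX|AIX|PATH|ALIAS|GDG BASE)\s*-+\s*(\S+)"
)
# Lines inside the ENCRYPTIONDATA section (tolerant of spacing around dashes).
ENC_RE = re.compile(r"DATA SET ENCRYPTION\s*-*\s*\((YES|NO)\)")
LABEL_RE = re.compile(r"DATA SET KEY LABEL\s*-*\s*(\S+)")


@dataclass
class CatalogEntry:
    kind: str
    name: str
    encrypted: bool = False
    key_label: Optional[str] = None


def parse_listcat(text: str) -> List[CatalogEntry]:
    """Split LISTCAT ALL output into catalog entries and extract encryption data."""
    entries: List[CatalogEntry] = []
    current: Optional[CatalogEntry] = None
    for line in text.splitlines():
        header = ENTRY_RE.match(line)
        if header:
            current = CatalogEntry(kind=header.group(1), name=header.group(2))
            entries.append(current)
            continue
        if current is None:
            continue
        enc = ENC_RE.search(line)
        if enc:
            current.encrypted = enc.group(1) == "YES"
            continue
        label = LABEL_RE.search(line)
        if label:
            current.key_label = label.group(1)
    return entries


def verify_dataset(listcat_text: str, dsn: str, expected_label: str) -> bool:
    """Step 8 check for one dataset: encrypted, and under exactly the expected label."""
    for entry in parse_listcat(listcat_text):
        if entry.name == dsn:
            return entry.encrypted and entry.key_label == expected_label
    return False  # not in the listing at all


def audit_hlq(entries: List[CatalogEntry], hlq: str,
              expected_label: str) -> Dict[str, List[str]]:
    """Classify every dataset under an HLQ as ok / unencrypted / wrong_label.

    ENCRYPTIONDATA is read from NONVSAM entries and from the DATA component
    of VSAM clusters (assumption), so CLUSTER and INDEX entries are skipped.
    """
    report: Dict[str, List[str]] = {"ok": [], "unencrypted": [], "wrong_label": []}
    for entry in entries:
        if entry.kind not in ("NONVSAM", "DATA"):
            continue
        if not entry.name.startswith(hlq + "."):
            continue
        if not entry.encrypted:
            report["unencrypted"].append(entry.name)
        elif entry.key_label != expected_label:
            report["wrong_label"].append(entry.name)
        else:
            report["ok"].append(entry.name)
    return report


# Constructed sample LISTCAT ALL output (not captured from a real system).
SAMPLE_LISTCAT = """\
NONVSAM ------- USER01.SMS.ENCRYPT.DATA
     IN-CAT --- CATALOG.USERCAT
     SMSDATA
       STORAGECLASS ---SCSTD        MANAGEMENTCLASS-MCSTD
       DATACLASS -------DCEXT       LBACKUP ---0000.000.0000
     ENCRYPTIONDATA
       DATA SET ENCRYPTION----(YES)
       DATA SET KEY LABEL-----TEST.KEY001
     VOLUMES
       VOLSER------------VOL001     DEVTYPE------X'3010200F'
NONVSAM ------- USER01.SMS.PLAIN.DATA
     IN-CAT --- CATALOG.USERCAT
     SMSDATA
       STORAGECLASS ---SCSTD        MANAGEMENTCLASS-MCSTD
     VOLUMES
       VOLSER------------VOL001     DEVTYPE------X'3010200F'
CLUSTER ------- USER01.SMS.KSDS
     IN-CAT --- CATALOG.USERCAT
   DATA ------- USER01.SMS.KSDS.DATA
     ENCRYPTIONDATA
       DATA SET ENCRYPTION----(YES)
       DATA SET KEY LABEL-----TEST.KEY002
   INDEX ------ USER01.SMS.KSDS.INDEX
NONVSAM ------- PROD.OTHER.DATA
"""

if __name__ == "__main__":
    print("step 8 ok:", verify_dataset(SAMPLE_LISTCAT, "USER01.SMS.ENCRYPT.DATA", "TEST.KEY001"))
    for state, names in audit_hlq(parse_listcat(SAMPLE_LISTCAT), "USER01.SMS", "TEST.KEY001").items():
        print(f"{state:12s} {names}")
```

A LISTCAT that shows the right label only proves that the catalog carries it; whether a given user can actually open the dataset still depends on the CSFKEYS rule from step 3 and the CSFSERV rule from step 4, so steps 6 and 7 should be run under the user ID those rules cover, not under a security administrator's ID.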