TSSFAR utility: SECFILE-encryption key specification not to be in clear text
Article ID: 117165
Updated On:
Products
Top Secret
Top Secret - LDAP
Issue/Introduction
We execute utility TSSFAR once in a quarter to pre-emptively verify the physical health of the SECFILE.
TSSFAR needs to have SECFILE-encryption-KEY specified in //INPUT file.
In our company's policy - The encryption-KEY has to be kept as disclosed as possible.
Is there a possibility to run the TSSFAR utility without key (using the current and SMPE-accepted encyption key in TSS-Code) or without the encryption key in clear text.
TSSFAR needs to have SECFILE-encryption-KEY specified in //INPUT file.
In our company's policy - The encryption-KEY has to be kept as disclosed as possible.
Is there a possibility to run the TSSFAR utility without key (using the current and SMPE-accepted encyption key in TSS-Code) or without the encryption key in clear text.
Environment
z/OS
Resolution
you may code your JCL as it follows, e.g.:
// JOB (ACCT#),
// NOTIFY=ACID01,USER=ACID02
//TSSFAR EXEC PGM=TSSFAR
//SYSPRINT DD SYSOUT=*
//SECFILE DD DISP=SHR,DSN=TSS.SECFILE
//INPUT DD *
// DD DISP=SHR,DSN=Your.dataset(TSSKEY)
HEADER
SFSTATS
/*
//
With member TSSKEY containing:
KEY=xxxxxxxxxxxxxxxx <== your encryption key
ACID01 doesn't have access to Your.dataset(TSSKEY), but a permit acid acid for ACID02
ACID02 have read access to Your.dataset(TSSKEY) and the admin authority to run TSSFAR.
// JOB (ACCT#),
// NOTIFY=ACID01,USER=ACID02
//TSSFAR EXEC PGM=TSSFAR
//SYSPRINT DD SYSOUT=*
//SECFILE DD DISP=SHR,DSN=TSS.SECFILE
//INPUT DD *
// DD DISP=SHR,DSN=Your.dataset(TSSKEY)
HEADER
SFSTATS
/*
//
With member TSSKEY containing:
KEY=xxxxxxxxxxxxxxxx <== your encryption key
ACID01 doesn't have access to Your.dataset(TSSKEY), but a permit acid acid for ACID02
ACID02 have read access to Your.dataset(TSSKEY) and the admin authority to run TSSFAR.
Feedback
Yes
No
Powered by
