Convert UA92778 RACF Commands To Top Secret For Pervasive Encryption

Article ID: 120360

Updated On: 10-13-2020

Products

Top Secret, Top Secret - LDAP

Issue/Introduction

Convert UA92778 RACF commands to Top Secret for Pervasive Encryption Setup.

Environment

Release:
Component: TSSMVS

Resolution

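Here are the Top Secret equivalents. The ++HOLD text for UA92778 is reproduced below, with the Top Secret command shown after each RACF example (owningacid stands for the ACID that is to own the resource):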

UA92778 ++ HOLD(UA92778) SYS FMID(HDZ2210) REASON(ACTION) DATE(17216) - GO 
COMMENT 
(**************************************************************** 
* FUNCTION AFFECTED: DFSMS (OA50569) * 
* DFSMSdfp * 
**************************************************************** 
* DESCRIPTION : Installation notes * 
* * 
**************************************************************** 
* TIMING : Pre-APPLY * 
**************************************************************** 
SPECIAL CONDITIONS - 

The steps below are intended to assure that encrypted data sets 
are not created until the installation is ready to encrypt and 
decrypt. Until the decryption functions are available on all 
sharing systems (including backup systems, and disaster 
recovery systems), access to encrypted data can be lost at any 
time. 

ACTION - 
To control the creation of encrypted data sets and prevent 
loss of access to data on any system that does not have the 
support, the following actions need to be taken before the 
software is installed. 

- Restrict access to the SAF FACILITY class resource 
STGADMIN.SMS.ALLOW.DATASET.ENCRYPT 
until all systems in your installation have installed the 
PTFs for OA50569 and the minimum hardware. To do this, you 
can define the STGADMIN.SMS.ALLOW.DATASET.ENCRYPT profile 
in the FACILITY class, and set the universal access to NONE. 
For example: 

RDEFINE FACILITY STGADMIN.SMS.ALLOW.DATASET.ENCRYPT UACC(NONE) 

TSS ADD(owningacid) IBMFAC(STGADMIN) 

- If the SAF FIELD class is active, check for any profile 
that would allow any user without SPECIAL attribute access 
to the DATASET.DFP.DATAKEY. If there are none, no additional 
action is needed. If there is any profile that would allow 
access to DATASET.DFP.DATAKEY, create a DATASET.DFP.DATAKEY 
profile in the FIELD class with a UACC of NONE. 
For example: 

RDEFINE FIELD DATASET.DFP.DATAKEY UACC(NONE) 

TSS ADD(owningacid) FIELD(DATASET) 

- Do not create DATASET profiles with the KEYLABEL field in 
the DFP segment until all systems in your installation have 
met all software and hardware minimum requirements. 
Reference the ENH hold instructions.).
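
To confirm that the two TSS ADD commands above took effect and that nobody already holds access, the ownership and permits can be listed in batch. This job is an added example, not part of the hold data or the original article; the job card values are placeholders to replace with site values.

```jcl
//TSSCHECK JOB (ACCT),'PE PRECHECK',CLASS=A,MSGCLASS=X
//* Added example: run TSS list commands under batch TSO (IKJEFT01).
//* Job name, accounting data and classes are placeholders.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  TSS WHOOWNS IBMFAC(STGADMIN)
  TSS WHOHAS IBMFAC(STGADMIN.SMS.ALLOW.DATASET.ENCRYPT)
  TSS WHOOWNS FIELD(DATASET)
  TSS WHOHAS FIELD(DATASET.DFP.DATAKEY)
/*
```

WHOOWNS should report the ACID used as owningacid, and WHOHAS lists the ACIDs that hold a PERMIT covering each resource. Any permit shown for STGADMIN.SMS.ALLOW.DATASET.ENCRYPT or DATASET.DFP.DATAKEY should be reviewed before the PTFs are applied.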