IBM JES2 spool encryption (ADVANCED_FORMAT=ENABLED) may affect CA View/Deliver

Article ID: 198122

Products

CA Deliver CA View

Issue/Introduction

IBM added a new JES2 spool encryption feature to z/OS 2.4, which allows encryption of datasets in the JES2 spool.

This functionality is delivered via IBM PTFs, which need to be applied to the system.

This technical document describes how to handle JES2 spool encryption with the CA View/Deliver products.

 

Check Whether There is JES2 Spool Encryption Support Installed

To verify whether support for JES2 spool encryption has been installed, check whether the IBM PTFs for the following APARs have been applied:

  • OA58757
  • OA58699
  • OA58718
  • OA57466

Note: The most current information is available on the IBM website.

 

Determine the Current Status of JES2 Spool Encryption

The current status of JES2 spool encryption on the running system can be checked by using the following JES2 command:

   $D SPOOLDEF

If JES2 spool encryption is active on the system, it is indicated in the command output as follows:

   ADVANCED_FORMAT=ENABLED

If JES2 spool encryption is installed but not active on the system, it is indicated as follows:

   ADVANCED_FORMAT=DISABLED

Note: If JES2 spool encryption is not installed on the system, the line with the ADVANCED_FORMAT value will not be produced in the command output.

 

Cause

JES2 Spool Encryption and Encryption Keys

With the JES2 spool encryption feature active, datasets in the JES2 spool can be encrypted using encryption keys. A specific dataset is encrypted using a single key and different datasets in the JES2 spool can be encrypted with different keys. Alternatively, a single key can be used to encrypt multiple datasets, or to encrypt all datasets in the JES2 spool. As not every dataset has to be encrypted, there may be both encrypted and unencrypted datasets in the JES2 spool.

- In order to decrypt and read an encrypted dataset, the user or task needs to have READ access to the encryption key that was used to encrypt the dataset.

- If this access is not provided, any attempt to allocate the dataset fails with a dynamic allocation 0478 error code (reason 0000).

Environment

  • CA View 12.2, 14.0
  • CA Deliver 12.2, 14.0
  • z/OS 2.4
  • JES2 with ADVANCED_FORMAT=ENABLED (spool encryption)

 

Resolution

JES2 Spool Encryption and CA View/Deliver

The CA View archival tasks (SARSTC and SARFSS) and the CA Deliver task (RMOSTC) need to have READ access to all the encryption keys used to encrypt the datasets that should be collected. If READ access is not provided, the following problems will occur:

  1. The CA View and CA Deliver tasks will be unable to collect the encrypted JES spool datasets for which READ access to the key is not granted.

  2. When the CA View and CA Deliver tasks encounter an encrypted dataset for which they do not have access to the key, they terminate and do not process any further JES2 spool datasets (encrypted or unencrypted). This can have serious system-wide consequences. Because the datasets are no longer collected, they remain on the JES2 spool. Without further intervention the spool will eventually fill up, at which point the jobs executing on the system will stop processing.

  3. The RMOSTC task affects every job processed by initiators that CA Deliver is monitoring. This applies to all systems in the same sysplex environment that have an RMOSTC task executing and using the same RMO database and checkpoint file. On the system where decryption fails due to the missing authorization, an error 0478 occurs. On the other systems, the message RMOCPP06 may be issued indicating the checkpoint lock cannot be obtained. This will halt the Deliver processing. Hence, no jobs will run in those initiators.

 

Identifying and Resolving CA View/Deliver Spool Dataset Access Problems Caused by Inaccessible Encryption Keys

The CA View and CA Deliver tasks can be checked to see if any problems were encountered while collecting the JES spool datasets, due to inaccessible encryption keys. Look for these error messages indicating a 0478 error code for dynamic allocation:
   SARJSA03 Subsystem allocation failed - error code 0478, info code 0000

   RMOPS203 Subsystem allocation failed error code - 0478, info code – 0000
When the problem is caused by missing access to a spool encryption key, these messages are accompanied by corresponding messages from the security subsystem indicating insufficient authority to read the required encryption keys.

 

When using CA Top Secret security, the following is an example of the error message produced:

   TSS7250W 136 J=SARSTC A=VIEW TYPE=CSFKEYS RESOURCE=CSFKEY2
   TSS7251W Access Denied to CSFKEYS <CSFKEY2>

 

When using IBM RACF security, the following are examples of the error messages produced:

   ICH408I USER(VIEW) GROUP(SYSSTC ) NAME(####################) CSFKEY2     +
     CL(CSFKEYS ) INSUFFICIENT ACCESS AUTHORITY ACCESS INTENT(READ ) ACCESS + 
     ALLOWED(NONE )

 

Grant CA View/Deliver Tasks READ Access to the Encryption Keys

The following sample security commands grant READ access to the spool encryption keys. To minimize the risk of encountering the situation and problems described earlier, it is strongly recommended that the CA View and CA Deliver tasks be granted access to ALL the spool encryption keys.

CA Top Secret

If you use CA Top Secret mainframe security, you can use the following command to grant the CA View and CA Deliver tasks READ access to the encryption keys:

  TSS PER(acid) CSFKEYS(csfkey1) SYMCPACFWRAP(YES)                +
    SYMCPACFRET(YES) CRITERIA(SMS(DSENCRYPTION))

where:

  • acid specifies the accessor ID for the CA View and CA Deliver task(s)
  • csfkey1 specifies the key label for the required encryption key

 

IBM RACF

If you use IBM RACF security, you can grant the CA View and CA Deliver tasks READ access to the encryption keys with the following command:

  PERMIT csfkey1 CLASS(CSFKEYS) ACCESS(READ) ID(name)

where:

  • csfkey1 specifies the key label for the required encryption key
  • name specifies the user ID(s) or group name(s) for the CA View and CA Deliver archival task(s)

 

Note: The document will be updated with ACF2 instructions after the JES2 spool encryption support for ACF2 becomes available.

 

If one of the situations described above is encountered, use the security subsystem command described earlier in this article to grant the CA View and CA Deliver tasks READ access to the required encryption keys. The tasks can then be restarted to resume their normal operation. Once the tasks are running, you can release the held spool datasets so that the tasks can collect them.
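As an added illustration (not part of this article or the CA View/Deliver products), the following Python script scans constructed sample log lines for the SARJSA03/RMOPS203 0478 allocation failures and the accompanying TSS7250W/ICH408I CSFKEYS denials described above, then builds the READ grant commands in the forms shown in this article. The message texts, task IDs and key labels in the sample are constructed, and the ACID is taken from the A= field of TSS7250W and the USER() field of ICH408I.

```python
import re

# Constructed sample messages (not captured from a real system), modelled on the
# SARJSA03/RMOPS203, TSS7250W and ICH408I messages described in the article.
SAMPLE_LOG = """\
SARJSA03 Subsystem allocation failed - error code 0478, info code 0000
TSS7250W 136 J=SARSTC A=VIEW TYPE=CSFKEYS RESOURCE=CSFKEY2
TSS7251W Access Denied to CSFKEYS <CSFKEY2>
RMOPS203 Subsystem allocation failed error code - 0478, info code - 0000
ICH408I USER(RMOSTC ) GROUP(SYSSTC ) NAME(####################) CSFKEY3     +
  CL(CSFKEYS ) INSUFFICIENT ACCESS AUTHORITY ACCESS INTENT(READ ) ACCESS +
  ALLOWED(NONE )
"""

ALLOC_FAIL = re.compile(r"^(SARJSA03|RMOPS203)\b.*\b0478\b")
TSS_DENY = re.compile(r"^TSS7250W .*\bA=(\w+)\b.*TYPE=CSFKEYS RESOURCE=(\S+)")
RACF_DENY = re.compile(r"^ICH408I USER\((\w+)\s*\).*?\s(\S+)\s+CL\(CSFKEYS\s*\)")

def join_continuations(text):
    """Fold multi-line messages: a line ending in '+' continues on the next line."""
    out = []
    for line in text.splitlines():
        if out and out[-1].endswith("+"):
            out[-1] = out[-1][:-1].rstrip() + " " + line.strip()
        else:
            out.append(line.rstrip())
    return out

def allocation_failures(text):
    """Message IDs of SARJSA03/RMOPS203 lines that report dynamic allocation error 0478."""
    return [m.group(1) for m in map(ALLOC_FAIL.match, join_continuations(text)) if m]

def key_denials(text):
    """(security system, task ACID/user ID, key label) for each CSFKEYS read denial."""
    found = []
    for line in join_continuations(text):
        m = TSS_DENY.match(line)
        if m:
            found.append(("TSS", m.group(1), m.group(2)))
            continue
        m = RACF_DENY.match(line)
        if m:
            found.append(("RACF", m.group(1), m.group(2)))
    return found

def grant_commands(denials):
    """Build one READ grant per denial, using the TSS and RACF command forms from the article."""
    cmds = []
    for system, acid, key in denials:
        if system == "TSS":
            cmds.append(f"TSS PER({acid}) CSFKEYS({key}) SYMCPACFWRAP(YES) "
                        f"SYMCPACFRET(YES) CRITERIA(SMS(DSENCRYPTION))")
        else:
            cmds.append(f"PERMIT {key} CLASS(CSFKEYS) ACCESS(READ) ID({acid})")
    return cmds
```

Review the generated commands before issuing them; the article recommends granting the tasks access to all spool encryption keys rather than only the ones that have already failed.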

 

Additional Information

- In a multi-system CA Deliver environment, the CA Deliver Checkpoint file may become locked if the CA Deliver task abends.
- The Checkpoint file may free itself once the Deliver task is given READ access to the encryption keys and the task is restarted.
- If the Checkpoint file does not free itself, instructions for safely unlocking the CA Deliver Checkpoint file can be found in the following knowledge article:

Article Id   : 28311
Article Title: Receiving message RMOCPP06 - UNABLE TO OBTAIN CHECKPOINT LOCK in CA Deliver.