After IBM PTF OA60485 was applied, any user trying to do pervasive encryption of a PDSE, sequential dataset, or large dataset failed with error message:
IGD17156I xxxxxx.xxxxxxx.xxx , KEY LABEL IS IGNORED
Release : 16.0
Component : CA ACF2 for z/OS
Prior to OA60485, IBM made a RACROUTE AUTH call that a rule like this would be used.
SMS.ALLOW.PDSE.ENCRYPT UID(XXXVVB) SERVICE(READ) ALLOW
- UID(*) PREVENT
This caused problems with Top Secret, so IBM changed the call to a RACROUTE EXTRACT. The PTF added these three calls:
The entire name must be in the $KEY, and what users to be allowed are added as a rule line. No SERVICE should be on the rule line. If all users are to be allowed, then change the last line to ALLOW instead of PREVENT.
Rules for sequential datasets would look like this:
$USERDATA(ALLOW_XXXVVB_ONLY) <==== a $USERDATA card is required also. Contents are not important