Pervasive encryption is being implemented for DB2 active logs and the following resource rule for the CSFKEYS class is specified:
$KEY(TEST.KEY) TYPE(CSK)
UID(USER1) SERVICE(READ) ALLOW
UID(USER2) SERVICE(READ) ALLOW
UID(USER3) SERVICE(READ) ALLOW
When trying to bring up the DB2 subsystem, the following error was observed:
IEC161I 069(00000008,00003E84)-162
Resource rules that allow access to key labels in the CSFKEYS class must specify the resource rule parameter "WHEN(CRITERIA(SMS(DSENCRYPTION)))".
In the example above, the rule should be written as follows:
$KEY(TEST.KEY) TYPE(CSK)
UID(USER1) ALLOW WHEN(CRITERIA(SMS(DSENCRYPTION)))
UID(USER2) ALLOW WHEN(CRITERIA(SMS(DSENCRYPTION)))
UID(USER3) ALLOW WHEN(CRITERIA(SMS(DSENCRYPTION)))
The IEC161I 069(00000008,00003E84)-162 error indicates a failed SAF request to use the key label, caused by either the CSFKEYS or the XCSFKEY class.
Running an ACFRPTRV report against the SMF data that was active at the time of the error will reveal the violation, and the rule can then be changed as appropriate based on that violation.