IEC161I 069 error when accessing encrypted dataset in ACF2 environment

book

Article ID: 223223

calendar_today

Updated On:

Products

CA ACF2 - z/OS CA ACF2 - MISC CA ACF2 CA ACF2 - DB2 Option

Issue/Introduction

Pervasive encryption is being implemented for DB2 active logs and the following resource rule for the CSFKEYS class is specified:

$KEY(TEST.KEY) TYPE(CSK)                                    
 UID(USER1) SERVICE(READ) ALLOW                       
 UID(USER2) SERVICE(READ) ALLOW                       
 UID(USER3) SERVICE(READ) ALLOW                           
               
When trying to bring up the DB2 subsystem, the following error was observed:             

IEC161I 069(00000008,00003E84)-162        
          

 

 

                                 

 

 

Resolution

Resource rules to allow access for key labels in the CSFKEYS class must specify a resource rule parameter of "WHEN(CRITERIA(SMS(DSENCRYPTION)))"

In the example above, the rule should be written as follows:

$KEY(TEST.KEY) TYPE(CSK)                                    
 UID(USER1) ALLOW WHEN(CRITERIA(SMS(DSENCRYPTION)))                       
 UID(USER2) ALLOW WHEN(CRITERIA(SMS(DSENCRYPTION)))                      
 UID(USER3) ALLOW WHEN(CRITERIA(SMS(DSENCRYPTION)))    

The IEC161I 069(00000008,00003E84)-162 error points to a failed SAF request to use the key label which is caused by either CSFKEYS or XCSFKEY class.

Running an ACFRPTRV report against the SMF active at the time of the error will reveal the violation and appropriate changes to the rule can be made based on the violation.