When attempting to access an encrypted dataset, an RC 8 Reason Code BFB from ICSF is encountered.

The following SQL code may also be seen on an ALTER TABLE command to add a KEY LABEL for Db2:

SQLCODE = -20223, ERROR:  THE OPERATION FAILED.  ENCRYPTION FACILITY NOT AVAILABLE 00000008 00000BFB

Release : 16.0

Component : ACF2 for z/OS

There are 4 potential causes for this error relating to ACF2:

1. The CSFKEYS profile record used to point to the key in ICSF does not exist. This record needs to be created.

2. The CSFKEYS profile record does not specify SYMCRET and SYMCWRAP. These parameters are necessary for the key to be used for pervasive encryption. List the record and verify these parameters are specified. If they are not, issue a CHANGE command to add the parameters to the record.

Example:
SET P(CSFKEYS) DIV(ICSF)
LIST TEST.KEY
ICSF / TEST.KEY LAST CHANGED BY xxxxxxx ON 10/08/21-16:38              
                     ASYMUSE(HANDSHAK SECXPORT)                              
                     RESOURCE(TEST.ENCRYPT.KEY) SYMCRET SYMCWRAP
                     SYMXCERT() SYMXKEYS() SYMXPORT(BYANY)                   

3. CSFKEYS profile records were not made resident. Data set encryption processing issues RACROUTE EXTRACT requests against CSFKEYS profile records and requires the profiles to be resident. Verify R-PCSF is resident either through a SHOW RESIDENT command or LIST INFODIR. If it's not, then it will need to be added to the INFODIR:

SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-PCSF) ADD
F ACF2,REFRESH(INFODIR)

4. The CSFKEYS profile records were not rebuilt after adding new records or after adding R-PCSF to the INFODIR. The following rebuild command needs to be issued anytime a change is made to these records. If the ACF2 INFOSTG database is shared between LPARs, this command will need to be issued on all LPARs:

F ACF2,REBUILD(CSF),CLASS(P)