View - Encryption, New year - CSFSERV security violations

Article ID: 235897

Updated On:

Products

View

Issue/Introduction

We're looking for more detailed clarifications, regarding encryption, on the need for the CSFSERV service call to CSFKRW.   

The documentation links didn't specify what services would be required at the time we install the View maintenance.   

We currently have this type of access defined to CREATE and READ keys for our Spool product. 

With this new need for CSFKRW (Record Key Write) function, we need to understand and document this for our Company Cyber Auditor.

XA CSFSERV = CSFKRC OWNER(TSDEPT )
ACCESS = READ
XA CSFSERV = CSFKRR OWNER(TSDEPT )
ACCESS = ALL

Environment

Release : 14.0

Component : View

Resolution

The following passage was added to the View encryption documentation:

The writing of a key is performed with the CSNBKRW ICSF service which requires authorization for CSFKRW for class CSFSERV.

------------------------------------------------------------------------------------------------------------------------------------------------------------------

When a new year begins, new keys are automatically created for the year when the first report is archived to the database. 

That could be archival by the View started task, View FSS collection, or direct-to-View archival from Deliver. 

You can also run SARINIT to create keys at the beginning of the year.

The writing of a key is performed with the CSNBKRW ICSF service which requires authorization for CSFKRW for class CSFKEYS.

Only READ access is needed. 

Spool and View use the same keys, so if Spool had authority to write the new keys and created them during collection, then View would be okay after that.

If there is a SARPAM30 message indicating that the job does not have authority, then run SARINIT under a job and user that has authority to create keys. 

Note: You would only need to run SARINIT to list parameters, so only NAME=... would be needed. 

After the SARINIT job runs, reply 'R' to the SARPAM30 message, and the job will recognize that the new keys are created and continue processing.
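
To document the gap for an auditor before the first archival of the year, a permit listing in the layout quoted in the Issue section can be checked for the key record services. This is an added example, not code from the product or its documentation; the function names are hypothetical, the sample listing is constructed from the one quoted above, and the access-level ordering is an assumption.

```python
import re

# Assumed ordering, weakest to strongest; any level at or above READ is
# treated as satisfying READ (a simplifying assumption for this check).
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALL"]

# Constructed sample in the layout of the listing quoted in the Issue
# section; like that listing, it has no CSFKRW entry.
SAMPLE_LISTING = """\
XA CSFSERV = CSFKRC OWNER(TSDEPT )
ACCESS = READ
XA CSFSERV = CSFKRR OWNER(TSDEPT )
ACCESS = ALL
"""

ENTRY = re.compile(r"^XA\s+(\w+)\s*=\s*(\S+)\s+OWNER\(\s*(\w+)\s*\)")
ACCESS = re.compile(r"^ACCESS\s*=\s*(.+)$")


def parse_permits(listing, res_class="CSFSERV"):
    """Return {resource: set of access levels} for one resource class."""
    permits, current = {}, None
    for raw in listing.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            # Entries for other classes reset the context and are skipped.
            current = m.group(2) if m.group(1) == res_class else None
            if current:
                permits.setdefault(current, set())
            continue
        m = ACCESS.match(line)
        if m and current:
            permits[current].update(a.strip().upper() for a in m.group(1).split(","))
    return permits


def missing_services(listing, required=("CSFKRC", "CSFKRR", "CSFKRW"), minimum="READ"):
    """List required services with no permit at or above `minimum`.

    Exact resource names only; generic or prefix permits are not resolved.
    """
    permits = parse_permits(listing)
    floor = LEVELS.index(minimum)
    gaps = []
    for svc in required:
        held = [LEVELS.index(a) for a in permits.get(svc, ()) if a in LEVELS]
        if not held or max(held) < floor:
            gaps.append(svc)
    return gaps
```

Run against the sample, `missing_services(SAMPLE_LISTING)` reports only CSFKRW, the service added by the View maintenance.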