Question:
What actions need to taken in order to implement ACF2 External Security with CA Tape Encryption r12.6?

Answer:
As per the 'CA Tape Encryption Administration Guide'...

Chapter 5 'Using Your Security System for Tape Encryption and Resource Protection':
This indicates that the OPERCMDS and CA@BES Resource Classes are used.

OPERCMDS is a standard IBM class and is used for MVS commands, etc.
CA@BES is specific to the CA Tape Encryption product.

As delivered, RACROUTE Requests for these resources will be be processed by ACF2 per the GSO SAFDEF records OPERCMDS and GENAUTH but you should check for any local GSO SAFDEF records which may affect override these records, via:
=============
ACF
SET C(GSO)
LIST LIKE(SAFDEF-)
=============
...this will list only the locally-defined SAFDEF records on your system.

You should define GSO CLASMAP records to map the OPERCMDS and CA@BES classes to the desired 3-character TYPE code used in the corresponding resource rules, eg.:
========================================
SET C(GSO)
INSERT CLASMAP.OPR RESOURCE(OPERCMDS) RSRCTYPE(OPR)
INSERT CLASMAP.BES RESOURCE(CA@BES) RSRCTYPE(BES)
F ACF2,REFRESH(CLASMAP)
========================================

The SHOW CLASMAP command will display all active records, including internal records.

Additional Information:
Chapter 8 'Defining Security Protection Profiles in CA ACF2'.
This provides detailed information on defining the ACF2 Rules and Directories.
See also Appendix A 'SAF Interface Parameter Reference List'.

Chapter 10 'Using Digital Certificates'.
This chapter describes how CA Tape Encryption can use digital certificates to encrypt data on tapes sent to business partners.
This is not needed for in-house tape encryption.

-