JES SPOOL Encryption dataset creation and IBM panel ICSF panel REFRESH

Article ID: 275893

Products

Top Secret

Issue/Introduction

This document describes the steps necessary to configure JES2 SPOOL ENCRYPTION on a PLEX with TOP SECRET.

z/OS provides a way to encrypt JES spool files to secure output viewing.

Summary of Configuration Steps 

1.    Create an AES 256-bit CKDS key in ICSF via IBM CSFKGUP batch utility.
2.    Perform the refresh in IBM ICSF panels. 
3.    Assign ownership of the CSFKEYS and JESJOBS resources in Top Secret.
4.    Permit the CSFKEYS and JESJOBS resources to the user in Top Secret.
5.    Verify JES SPOOLDEF ADVANCED_FORMAT setting is enabled.

Resolution

Step 1 – Create an AES 256-BIT CKDS key in ICSF.

In this example, JES2KEY1 is the key label. 

Sample JCL:

//CSFKGUP$ JOB (001100000),'CSFKEY GENERATOR',CLASS=A,MSGCLASS=D,       
//     MSGLEVEL=(1,1),NOTIFY=&SYSUID                                    
//*.+....1....+....2....+....3....+....4....+....5....+....6....+....7..
//STEP10  EXEC PGM=CSFKGUP                                              
//CSFCKDS  DD DISP=OLD,DSN=CRYPTO.SYSA.CSF.DATASET       
//CSFDIAG  DD SYSOUT=*,LRECL=133                                        
//CSFKEYS  DD SYSOUT=*,LRECL=1044                                       
//CSFSTMNT DD SYSOUT=*,LRECL=80                                         
//CSFIN    DD *,LRECL=80                                                
ADD TYPE(DATA) ALGORITHM(AES) LABEL(JES2KEY1) LENGTH(32)                
/*        

CRYPTO.SYSA.CSF.DATASET is the CKDS, which can be found in the ICSF panel under option 4:

4  ADMINCNTL        -  Administrative Control Functions

Look for the Active CKDS: CRYPTO.SYSA.CSF.DATASET

In the JCL, LABEL names the new key being created, and LENGTH(32) creates a key 32 bytes long, which is a 256-bit key.

Step 2 – Perform the refresh in ICSF. 


In the ICSF panel select option(2):
2  KDS MANAGEMENT   -  Master key set or change, KDS Processing

Next select option(1): 
1  CKDS MANAGEMENT -  Perform Cryptographic Key Data Set (CKDS)
                      functions including master key management

Next select option(1) again:
1  CKDS OPERATIONS   -  Initialize a CKDS, activate a different CKDS,     
                        (Refresh), or update the header of a CKDS and make
                        it active                                         

Now select option(2) and add the CKDS data set from above.  
2  REFRESH  - Activate an updated CKDS
Enter the name of the CKDS below. 
                                  
  CKDS ===> 'CRYPTO.SYSA.CSF.DATASET'

A message that the CKDS was loaded will be received.

 
Ex: CSFM653I CKDS LOADED 3418 RECORDS WITH AVERAGE SIZE 252

Step 3 – Assign ownership of the CSFKEYS and JESJOBS resources.

TSS ADD(deptacid) CSFKEYS(JES2KEY1)
TSS ADD(deptacid) JESJOBS(ENCRYPT)

Step 4 – Permit the CSFKEYS and JESJOBS resources to the user.

TSS PER(useracid) JESJOBS(ENCRYPT.node_name.user.job.data_set_name) KEYLABEL(JES2KEY1)

Note: Be very careful with this command to make sure the correct spool file is entered.

TSS PER(useracid) CSFKEYS(JES2KEY1) SYMCPACFWRAP(YES) SYMCPACFRET(YES)

Step 5 - Verify SPOOLDEF ADVANCED_FORMAT is enabled.
Issue command $D SPOOLDEF to validate that ADVANCED_FORMAT=ENABLED.

If not enabled, issue command $T SPOOLDEF,ADVANCED_FORMAT=ENABLED.
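
Added example (not part of the original article and not Broadcom or IBM tooling): a Python check that the key label and resources used in Steps 1, 3, 4 and 5 agree before the commands are run. The inputs are constructed from the statements above, the SPOOLDEF line is an abbreviated constructed stand-in for the $D SPOOLDEF response, and the function names are hypothetical.

```python
import re

# Constructed inputs, copied from the statements shown in this article.
CSFIN = "ADD TYPE(DATA) ALGORITHM(AES) LABEL(JES2KEY1) LENGTH(32)"
TSS_COMMANDS = [
    "TSS ADD(deptacid) CSFKEYS(JES2KEY1)",
    "TSS ADD(deptacid) JESJOBS(ENCRYPT)",
    "TSS PER(useracid) JESJOBS(ENCRYPT.node_name.user.job.data_set_name) KEYLABEL(JES2KEY1)",
    "TSS PER(useracid) CSFKEYS(JES2KEY1) SYMCPACFWRAP(YES) SYMCPACFRET(YES)",
]
# Constructed, abbreviated stand-in for the response to $D SPOOLDEF.
SPOOLDEF = "SPOOLDEF BUFSIZE=3992,ADVANCED_FORMAT=ENABLED"

def operands(statement):
    """Return {KEYWORD: value} for each KEYWORD(value) operand."""
    return {k.upper(): v for k, v in re.findall(r"(\w+)\(([^)]*)\)", statement)}

def check_spool_encryption(csfin, tss_commands, spooldef):
    """Return a list of findings; an empty list means Steps 1-5 agree."""
    findings = []
    key = operands(csfin)
    label = key.get("LABEL")
    # Step 1: LENGTH(32) is 32 bytes, i.e. an AES 256-bit key.
    if key.get("ALGORITHM") != "AES" or key.get("LENGTH") != "32":
        findings.append("CSFKGUP statement does not create an AES 256-bit key")
    cmds = [operands(c) for c in tss_commands]
    adds = [c for c in cmds if "ADD" in c]
    permits = [c for c in cmds if "PER" in c]
    # Step 3: the key label and the ENCRYPT prefix must be owned.
    if not any(c.get("CSFKEYS") == label for c in adds):
        findings.append(f"CSFKEYS({label}) has no owner")
    if not any(c.get("JESJOBS") == "ENCRYPT" for c in adds):
        findings.append("JESJOBS(ENCRYPT) has no owner")
    # Step 4: each JESJOBS permit must name the same label, and that
    # ACID must also be permitted to the key (assumption: same ACID).
    jes = [c for c in permits if c.get("JESJOBS", "").startswith("ENCRYPT.")]
    if not jes:
        findings.append("no JESJOBS(ENCRYPT. ...) permit found")
    for c in jes:
        if c.get("KEYLABEL") != label:
            findings.append(f"{c['PER']}: KEYLABEL({c.get('KEYLABEL')}) is not {label}")
        if not any(p["PER"] == c["PER"] and p.get("CSFKEYS") == label for p in permits):
            findings.append(f"{c['PER']}: no CSFKEYS({label}) permit")
    # Step 5: ADVANCED_FORMAT must be ENABLED.
    if not re.search(r"\bADVANCED_FORMAT=ENABLED\b", spooldef):
        findings.append("SPOOLDEF ADVANCED_FORMAT is not ENABLED")
    return findings

print(check_spool_encryption(CSFIN, TSS_COMMANDS, SPOOLDEF) or "consistent")
```

A mismatched KEYLABEL or a missing CSFKEYS permit is reported per ACID, so a typo in the key label is caught before any spool output depends on it.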