Question: 

We are currently looking into generating a secure SVC. We have generated 2 versions. Version 1 specifies AUTHREQ=YES with Protect key 8. Version 2 specifies AUTHREQ=YES with Protect key 10.

My question is this, would both these generate secure versions of the SVC or would the fact that protect key 8 is specified cause the SVC to be generated differently? 

Answer: 

The SVC option AUTHREQ=YES prevents all access to certain SVC functions for all callers, also for callers with the CVKEY. As these functions are needed at startup the startup routines have to be linked authorized.
MVS CSA storage is GETMAINed from subpool 231 with CA IDMS's primary protect key, the ESE, EREs, and pakets will be both fetch and store protected from ordinary batch jobs when CA IDMS runs with a protect key other than 8 or 9. 
In addition a CVKEY different from 8 or 9 will prevent batch or CICS users to call SVC functions that are reserved for the CV, like SINON CV, SINOF CV, or ABEND SYSTEM. 

Conclusion: 

- The SVC with AUTHREQ=YES and CVKEY=8 prevents the call of certain functions for all callers, but allows CV only functions for batch and CICS. The requested storage in the MVS CSA is not protected for batch and CICS programs (running with KEY 8) and paket3 movements can be used. 

- The SVC with AUTHREQ=YES and CVKEY=10 prevents the call of certain functions for all callers, and prevents batch and CICS from using CV only functions. The requested storage in the MVS CSA is fetch- and store-protected and the paket movement is switched to pak2 (SVC calls). Any access to this storage with a key other than 10 results in an S0C4. 


 

Additional Information:

You can find some more information in the knowledge docs TEC487771 and TEC476851 

http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec487771.aspx 

http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec476851.aspx