The following JCL is an example of the steps required to set up Pervasive Encryption (z/OS data set encryption) on a system that uses ACF2.
//*================================================================
//* This job does setup for z/OS 2.3 dataset encryption
//*================================================================
//*
//* Step 1: Create a 256-bit AES data key
//*
//* Purpose: run the KEYGEN Rexx exec under the TSO batch monitor
//* (IKJEFT01) to create the data key that the later steps refer
//* to by key-label.
//*
//* Notes:
//*(1) RUN THIS STEP ONLY ONCE! If you encrypt any data
//* using the data key created by this step, that data will
//* not be usable if you create a replacement data key
//* by running this step again.
//*(2) CSF must be up in order to run this job.
//*(3) The default KEYGEN Rexx program sets up the data key
//* with key-label "TEST.KEY001". If you need to set up
//* a different key-label make a clone of KEYGEN on your
//* test system and modify the key-label.
//*(4) KEYGEN is available from IBM.
//*(5) KEYGEN itself is not shown here; presumably it stores the
//* key in the ICSF key data set. Confirm that key store is
//* backed up before encrypting data you need to keep, because
//* data encrypted under a lost or replaced key is unreadable.
//*(6) REXX.library is a placeholder for the library that holds
//* KEYGEN. NOTE(review): limit update access to that library;
//* whoever can change KEYGEN controls how the key is created.
//KEYGEN EXEC PGM=IKJEFT01
//* SYSEXEC: library searched for the %KEYGEN exec
//SYSEXEC DD DSN=REXX.library,DISP=SHR
//* SYSTSPRT: TSO output from the exec; SYSTSIN: commands to run
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
%KEYGEN
//*
//* Step 2: ACF2 administration - create ICSF profile
//*
//* Purpose: start the ACF command processor under IKJEFT01,
//* insert a CSFKEYS profile record (division ICSF) for the
//* key-label, then add R-PCSF to the GSO INFODIR TYPES list.
//*
//* Notes
//*(1) The RESOURCE(TEST.KEY001) value must match the
//* key-label used in the previous step.
//*(2) RO93554 is required to extract CSFKEYS CSFSCPR field
//*(3) SYMCRET and SYMCWRAP presumably correspond to the ICSF
//* settings SYMCPACFRET and SYMCPACFWRAP, which let the key
//* be handed to data set encryption as a protected key.
//* TODO confirm against the ACF2 documentation for your level.
//*(4) The commands in SYSTSIN change security definitions, so
//* the job must run under an ID authorized for ACF2
//* profile and GSO administration. Keep SYSTSPRT output as
//* the record of what was changed.
//*(5) No comment lines can be placed inside the SYSTSIN data:
//* a line starting with // ends the in-stream input.
//*
//PROFILE EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//*
//SYSTSIN DD *
ACF
SET PROF(CSFKEYS) DIV(ICSF)
INSERT TEST.KEY001 RESOURCE(TEST.KEY001) SYMCRET SYMCWRAP
SET C(GSO)
CHANGE INFODIR TYPES(R-PCSF) ADD
//*
//* Step 3: ACF2 administration - allow access to CSFKEYS key-label
//*
//* Purpose: compile and store a resource rule set, $KEY(TEST)
//* TYPE(SAF), whose single rule line covers TEST.KEY001.
//*
//* Notes
//* (1) CRITERIA support fixes are required (RO96906 RO97896 RO98008)
//* (2) This step assumes CSFKEYS is mapped to SAF
//* (3) TEST rule is set up to give USER01 access to the
//* TEST.KEY001 key-label
//* (4) WHEN(CRITERIA(SMS(DSENCRYPTION))) makes the ALLOW
//* conditional: the key-label is usable when DFSMS asks for
//* it on behalf of data set encryption. Presumably USER01
//* then has no direct use of the key through ICSF services,
//* which is the least-privilege form; keep the WHEN clause
//* unless a direct-use requirement is documented.
//* (5) NOTE(review): an ACF2 UID() value is matched as a mask
//* against the site's UID string. Confirm that UID(USER01)
//* selects only the intended user on your system.
//* (6) NOTE(review): STORE presumably replaces an existing rule
//* set that has the same $KEY and TYPE. Check whether a
//* TEST rule set already exists before running this step.
//*
//KEYLABEL EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
COMP * STORE
$KEY(TEST) TYPE(SAF)
KEY001 UID(USER01) ALLOW WHEN(CRITERIA(SMS(DSENCRYPTION)))
END
//*
//* Step 4: ACF2 administration - allow access CSNBKRR2 service
//*
//* Purpose: compile and store a rule set, $KEY(CSNBKRR2)
//* TYPE(SAF), that allows USER01 to use the CSNBKRR2 service.
//*
//* Notes (1) This step assumes CSFKEYS is mapped to SAF
//* (2) NOTE(review): ICSF service access is normally checked
//* in the CSFSERV class, not CSFKEYS. Confirm which class
//* must be mapped to SAF for this rule to be used.
//* (3) NOTE(review): CSNBKRR2 is the callable service name;
//* the CSFSERV resource for that service is normally
//* CSFKRR2. Confirm the $KEY value matches the resource
//* name that is actually checked on your system.
//* (4) Unlike Step 3, this ALLOW has no WHEN clause, so the
//* access applies to every use of the service by USER01.
//* (5) NOTE(review): an ACF2 UID() value is matched as a mask;
//* confirm UID(USER01) selects only the intended user.
//*
//CSNBKRR2 EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
COMP * STORE
$KEY(CSNBKRR2) TYPE(SAF)
UID(USER01) ALLOW
END
//*
//* Step 5: ACF2 administration - refresh/rebuild structures
//*
//* Purpose: ask ACF2 to refresh INFODIR and rebuild the
//* CSFKEYS and SAF structures, presumably so that the profile
//* and rules stored in Steps 2-4 become active. Run it only
//* after those steps have completed successfully.
//*
//* Notes (1) NOTE(review): the four lines in SYSIN are written
//* in MODIFY (F ACF2,...) operator-command form. Confirm
//* that ACFBATCH accepts them from SYSIN on your release;
//* otherwise issue them from an authorized console.
//* (2) Check SYSPRINT (or the console log) for the result of
//* each command. If a rebuild did not happen, the access
//* decisions in later steps still use the old definitions.
//*
//REBUILD EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
F ACF2,REFRESH(INFODIR)
F ACF2,REBUILD(CSFKEYS),CLASS(P)
F ACF2,OMVS(CSFKEYS)
F ACF2,REBUILD(SAF)
//*
//* Step 6: Allocate a dataset specifying the key-label (DSKEYLBL)
//* that matches the key-label used in prior steps.
//*
//* Purpose: IEFBR14 does no processing; the DD statement alone
//* creates and catalogs USER01.SMS.ENCRYPT.DATA with the
//* key-label attached.
//*
//* Notes (1) Output dataset MUST be SMS managed, sequential
//* and type "extended" (DSNTYPE=EXTREQ, for example)
//* (2) A dataset is encrypted only if a key-label is supplied
//* when it is first allocated. If DSKEYLBL is dropped or
//* not honored, the allocation can still succeed and the
//* data is written in the clear. Step 8 is the check.
//* (3) NOTE(review): when the key-label comes from JCL, DFSMS
//* normally also checks the FACILITY resource
//* STGADMIN.SMS.ALLOW.DATASET.ENCRYPT. No rule for it is
//* shown in this job; confirm how your system covers it.
//* (4) The DD statement ends at the DCB line. The DATACLAS,
//* MGMTCLAS and STORCLAS lines after it are comments with
//* placeholder values; to use one, move it into the
//* continued statement and supply a real class name.
//*
//ALLOCATE EXEC PGM=IEFBR14
//DD1 DD DSN=USER01.SMS.ENCRYPT.DATA,
// DISP=(NEW,CATLG,DELETE),
// DSKEYLBL='TEST.KEY001', <<<=== REQUIRED
// DSNTYPE=EXTREQ, <<<=== REQUIRED
// UNIT=SYSDA,SPACE=(TRK,(1,1)),
// DCB=(LRECL=80,BLKSIZE=6160,DSORG=PS,RECFM=FB)
//* DATACLAS=XXXXXXXX,
//* MGMTCLAS=XXXXXXXX,
//* STORCLAS=XXXXXXXX,
//*
//* Step 7: Write test data to the encrypted dataset
//*
//* Purpose: IEBGENER copies the three in-stream records from
//* SYSUT1 to the dataset allocated in Step 6 (SYSUT2).
//*
//* Notes (1) SYSIN DD DUMMY means no IEBGENER control statements
//* are supplied.
//* (2) SYSPRINT DD DUMMY discards IEBGENER's messages. For a
//* verification run, SYSOUT=* would keep them so that a
//* key-access failure is visible in the job output.
//* (3) The job runs under a user ID that needs the key-label
//* access granted in Steps 3 and 4.
//* (4) Reading the records back as that user presumably shows
//* clear text, because decryption is transparent to an
//* authorized user. A successful read is therefore not
//* proof of encryption; use the LISTCAT in Step 8.
//*
//WRITE EXEC PGM=IEBGENER
//SYSPRINT DD DUMMY
//SYSIN DD DUMMY
//SYSUT2 DD DISP=SHR,DSN=USER01.SMS.ENCRYPT.DATA
//SYSUT1 DD *
AAAAAAAAAAAAAAAAA
BBBBBBBBBBBBBBBBB
CCCCCCCCCCCCCCCCC
/*
//*
//* Step 8: Do a LISTCAT to verify the encryption info
//*
//* Purpose: list the catalog entry for the dataset under
//* IKJEFT01 so the encryption attributes can be inspected in
//* SYSTSPRT.
//*
//* Notes (1) Check LISTCAT output for:
//* ENCRYPTIONDATA
//* DATA SET ENCRYPTION ---- (YES)
//* DATA SET KEY LABEL ----- TEST.KEY001
//* (2) If these fields are missing or show a different
//* key-label, treat the dataset as not protected by the
//* intended key: the records written in Step 7 may be
//* stored in the clear. Correct the allocation and
//* recreate the dataset before using it for real data.
//*
//LISTCAT EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
LISTC ENT('USER01.SMS.ENCRYPT.DATA') ALL
/*
//