Dataset Encryption z14 processors setup with CA ACF2 for z/OS

Document ID : KB000010800
Last Modified Date : 27/09/2018
Introduction:

One of the “big things” IBM announced with the z14 processor was Dataset Encryption (or, more accurately, Automatic Dataset Encryption). Although announced with the z14, the capability is also supported on the z13. This new function allows sequential (BSAM and QSAM) datasets, as well as VSAM, to be completely encrypted without any application programmer action. This is part of IBM’s campaign for “pervasive encryption” on the mainframe platform.

This capability requires a number of different technologies to be integrated: ICSF, SMS, the access methods and, unsurprisingly, security.

What are the setup requirements for CA ACF2 for z/OS?

Instructions:

The following JCL is an example of the required steps for setting up Pervasive Encryption.

//*================================================================ 
//* This job does setup for z/OS 2.3 dataset encryption 
//*================================================================ 
//* 
//* Step 1: Create a 256-bit AES data key 
//* 
//* Notes: 
//*(1) RUN THIS STEP ONLY ONCE! If you encrypt any data 
//* using the data key created by this step it will 
//* not be useable if you create a replacement data key 
//* by running this step again. 
//*(2) CSF must be up in order to run this job. 
//*(3) The default KEYGEN Rexx program sets up the data key 
//* with key-label "TEST.KEY001". If you need to set up 
//* a different key-label make a clone of KEYGEN on your 
//* test system and modify the key-label. 
//*(4) KEYGEN is available from IBM. 
//KEYGEN EXEC PGM=IKJEFT01 
//SYSEXEC DD DSN=REXX.library,DISP=SHR 
//SYSTSPRT DD SYSOUT=* 
//SYSTSIN DD * 
%KEYGEN 
//* 
//* Step 2: ACF2 administration - create ICSF profile 
//* 
//* Notes 
//*(1) The RESOURCE(TEST.KEY001) value must match the 
//* key-label used in the previous step. 
//*(2) RO93554 is required to extract CSFKEYS CSFSCPR field 
//* 
//PROFILE EXEC PGM=IKJEFT01 
//SYSTSPRT DD SYSOUT=* 
//* 
//SYSTSIN DD * 
ACF 
SET PROF(CSFKEYS) DIV(ICSF) 
INSERT TEST.KEY001 RESOURCE(TEST.KEY001) SYMCRET SYMCWRAP 
SET C(GSO) 
CHANGE INFODIR TYPES(R-PCSF) ADD 
//* 
//* Step 3: ACF2 administration - allow access to CSFKEYS key-label 
//* 
//* Notes 
//* (1) CRITERIA support fixes are required (RO96906 RO97896 RO98008) 
//* (2) This step assumes CSFKEYS is mapped to SAF 
//* (3) TEST rule is set up to give USER01 access to the 
//* TEST.KEY001 key-label 
//* 
//KEYLABEL EXEC PGM=ACFBATCH 
//SYSPRINT DD SYSOUT=* 
//SYSIN DD * 
COMP * STORE 
$KEY(TEST) TYPE(SAF) 
KEY001 UID(USER01) ALLOW WHEN(CRITERIA(SMS(DSENCRYPTION))) 

END 
//* 
//* Step 4: ACF2 administration - allow access CSNBKRR2 service 
//* 
//* Notes (1) This step assumes CSFSERV is mapped to SAF 
//* 
//CSNBKRR2 EXEC PGM=ACFBATCH 
//SYSPRINT DD SYSOUT=* 
//SYSIN DD * 
COMP * STORE 
$KEY(CSNBKRR2) TYPE(SAF) 
UID(USER01) ALLOW 

END 
//* 
//* Step 5: ACF2 administration - refresh/rebuild structures 
//* 
//REBUILD EXEC PGM=ACFBATCH 
//SYSPRINT DD SYSOUT=* 
//SYSIN DD * 
F ACF2,REFRESH(INFODIR) 
F ACF2,REBUILD(CSFKEYS),CLASS(P) 
F ACF2,OMVS(CSFKEYS) 
F ACF2,REBUILD(SAF) 
//* 
//* Step 6: Allocate a dataset specifying the key-label (DSKEYLBL) 
//* that matches the key-label used in prior steps. 
//* 
//* Notes (1) Output dataset MUST be SMS managed, sequential 
//* and type "extended" (DSNTYPE=EXTREQ, for example) 
//* 
//ALLOCATE EXEC PGM=IEFBR14 
//DD1 DD DSN=USER01.SMS.ENCRYPT.DATA, 
// DISP=(NEW,CATLG,DELETE), 
// DSKEYLBL='TEST.KEY001', <<<=== REQUIRED 
// DSNTYPE=EXTREQ, <<<=== REQUIRED 
// UNIT=SYSDA,SPACE=(TRK,(1,1)), 
// DCB=(LRECL=80,BLKSIZE=6160,DSORG=PS,RECFM=FB) 
//* DATACLAS=XXXXXXXX, 
//* MGMTCLAS=XXXXXXXX, 
//* STORCLAS=XXXXXXXX, 
//* 
//* Step 7: Write test data to the encrypted dataset 
//* 
//WRITE EXEC PGM=IEBGENER 
//SYSPRINT DD DUMMY 
//SYSIN DD DUMMY 
//SYSUT2 DD DISP=SHR,DSN=USER01.SMS.ENCRYPT.DATA 
//SYSUT1 DD * 
AAAAAAAAAAAAAAAAA 
BBBBBBBBBBBBBBBBB 
CCCCCCCCCCCCCCCCC 
/* 
//* 
//* Step 8: Do a LISTCAT to verify the encryption info 
//* 
//* Notes (1) Check LISTCAT output for: 
//* ENCRYPTIONDATA 
//* DATA SET ENCRYPTION ---- (YES) 
//* DATA SET KEY LABEL ----- TEST.KEY001 
//* 
//LISTCAT EXEC PGM=IKJEFT01 
//SYSTSPRT DD SYSOUT=* 
//SYSTSIN DD * 
LISTC ENT('USER01.SMS.ENCRYPT.DATA') ALL 
/* 
//
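As an added example (not part of the CA document or its JCL), a small Python check that parses the LISTCAT ALL output from step 8 and confirms the dataset is encrypted under the expected key-label. The LISTCAT excerpts are constructed sample text laid out as in the step 8 note, not output captured from a real system.

```python
import re

# Constructed LISTCAT ALL excerpt for the dataset allocated in step 6
# (sample text, not captured from a real z/OS system).
LISTCAT_ENCRYPTED = """\
NONVSAM ------- USER01.SMS.ENCRYPT.DATA
     IN-CAT --- CATALOG.USER01
     ENCRYPTIONDATA
       DATA SET ENCRYPTION ---- (YES)
       DATA SET KEY LABEL ----- TEST.KEY001
"""

# Constructed excerpt for a dataset allocated without DSKEYLBL.
LISTCAT_PLAIN = """\
NONVSAM ------- USER01.SMS.PLAIN.DATA
     IN-CAT --- CATALOG.USER01
     ENCRYPTIONDATA
       DATA SET ENCRYPTION ---- (NO)
"""

# Tolerant of the dash run and spacing LISTCAT uses around the value.
ENC_RE = re.compile(r"DATA SET ENCRYPTION\s*-+\s*\((\w+)\)")
LABEL_RE = re.compile(r"DATA SET KEY LABEL\s*-+\s*(\S+)")


def parse_encryption_data(listcat_text):
    """Return (encrypted, key_label) from the ENCRYPTIONDATA section."""
    enc = ENC_RE.search(listcat_text)
    label = LABEL_RE.search(listcat_text)
    encrypted = enc is not None and enc.group(1).upper() == "YES"
    return encrypted, (label.group(1) if label else None)


def verify_dataset_encryption(listcat_text, expected_label):
    """Return a list of findings; an empty list means the check passed."""
    findings = []
    encrypted, label = parse_encryption_data(listcat_text)
    if not encrypted:
        findings.append("dataset is not encrypted (check DSKEYLBL and DSNTYPE=EXTREQ)")
    if label is None:
        findings.append("no key label recorded in the catalog")
    elif label.upper() != expected_label.upper():
        findings.append(f"key label {label} does not match expected {expected_label}")
    return findings


if __name__ == "__main__":
    print(verify_dataset_encryption(LISTCAT_ENCRYPTED, "TEST.KEY001"))  # []
    print(verify_dataset_encryption(LISTCAT_PLAIN, "TEST.KEY001"))
```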