Keys Used for Data Encryption

Document ID : KB000093264
Last Modified Date : 27/04/2018
Question:
I am looking to encrypt a data file on a z/OS 2.2 system and we are learning about how to do this. We had an IBM guy in to talk about the pervasive encryption of the z14 and z/OS 2.3, but we were told that we could do some encryption at the z/OS 2.2 level. In the discussions, he said that RACF can control some of the encryption and key management accesses, but he did not know what Top Secret can do. Do you have any information on how Top Secret is involved in the encryption of data on the mainframe?
Answer:
TSS has the following keywords that work with z/OS 2.2:

- DSKEY, which specifies the key label that encrypts/decrypts the data in the z/OS Integrated Cryptographic Service Facility (ICSF) cryptographic key data set (CKDS). 

- CRITERIA, which defines additional criteria that determine whether the user has access to a resource. This keyword may be specified on a RACROUTE REQUEST=FASTAUTH macro instruction. When the criteria expression on the RACROUTE matches the criteria on the PERMIT, resource access is granted. 

DSKEY on a dataset permit in TSS is the equivalent of the DFP segment in RACF.