IBM Crypto Education Community

IBM Crypto Education Community

IBM Crypto Education Community

Join the IBM Crypto Education community to explore and understand IBM cryptography technology. This community is operated and maintained by the IBM Crypto Development team.

 View Only

Pervasive (DS) Encryption Sample: Protect Data Sets w/ Secure Keys

By Eysha Shirrine Powers posted Wed March 25, 2020 05:29 PM

  

/* CLIST */

/* Pervasive (Data Set) Encryption: Step 7 of 10                     */
/*-------------------------------------------------------------------*/
/* Create SAF resources to protect new data sets. Existing data sets */
/* will need to be copied over to these new data sets after          */
/* allocation.                                                       */
/*                                                                   */
/* Requires z/OS 2.3 or later                                        */
/*-------------------------------------------------------------------*/
/* Instructions:                                                     */
/* - Update EYSHA.ICSF.ENCRYPT.ME.* with your generic data set name  */
/*   (7 places)                                                      */
/* - Update the DATAKEY field with your encryption key label         */
/*                                                                   */
/*      Note: An example key label naming scheme is                  */
/*              DATASET.<dataset_resource>.ENCRKEY.<seqno>           */
/*                                                                   */
/* - Optionally replace DATAOWN with desired data owner user id      */
/* - Optionally replace STORADM with desired storage admin user id   */
/* - Replace change-me with a secure, unique password                */
/* - Update the ACCTNUM and PROC                                     */
/*                                                                   */
/* - EXECUTE THIS CLIST FROM TSO                                     */
/*   (E.G. EX 'HLQ.MLD.LLQ(PROTDS)')                                 */
/*-------------------------------------------------------------------*/

/*-------------------------------------------------------------------*/
/* Allow the creation of encrypted data sets using SAF policies only.*/
/*-------------------------------------------------------------------*/
RDEFINE FACILITY STGADMIN.SMS.ALLOW.DATASET.ENCRYPT UACC(NONE)

/*-------------------------------------------------------------------*/
/* Refresh the FACILITY class to ensure that all users, started      */
/* tasks, and jobs are referencing the updated resource.             */
/*-------------------------------------------------------------------*/
SETROPTS RACLIST(FACILITY)
SETROPTS RACLIST(FACILITY) REFRESH

/*-------------------------------------------------------------------*/
/* Verify resource creation.                                         */
/*-------------------------------------------------------------------*/
RLIST FACILITY STGADMIN.SMS.ALLOW.DATASET.ENCRYPT

/*-------------------------------------------------------------------*/
/* Create a generic DATASET resource to protect a set of data sets.  */
/*-------------------------------------------------------------------*/
ADDSD 'EYSHA.ICSF.ENCRYPT.ME.*' UACC(NONE)

/*-------------------------------------------------------------------*/
/* Specify the encryption key label in the DFP segment.              */
/*-------------------------------------------------------------------*/
ALTDSD 'EYSHA.ICSF.ENCRYPT.ME.*'                                       +
  DFP(DATAKEY(DATASET.EYSHA.ICSF.ENCRYPT.ME.ENCRKEY.00000001))

/*-------------------------------------------------------------------*/
/* Verify that the key label is in the DFP segment.                  */
/*-------------------------------------------------------------------*/
LISTDSD DATASET('EYSHA.ICSF.ENCRYPT.ME.*') DFP NORACF

/*-------------------------------------------------------------------*/
/* Refresh the DATASET class to ensure that all users, started tasks,*/
/* and jobs are referencing the updated generic resource.            */
/*                                                                   */
/* Caution: This command purges all cached RACF generic resource     */
/*          information in all address spaces which will impact      */
/*          performance.                                             */
/*                                                                   */
/* Uncomment the line below to issue the command.                    */
/*-------------------------------------------------------------------*/
/* SETROPTS GENERIC(DATASET) REFRESH                                 */

/*-------------------------------------------------------------------*/
/* Create a data owner to read and write data to the data set.       */
/*-------------------------------------------------------------------*/
ADDUSER DATAOWN PASSWORD(change-me) TSO(ACCTNUM(123) PROC(TST77C1))

/*-------------------------------------------------------------------*/
/* Create a storage administrator to manage the data set             */
/* (e.g. create, copy, and delete) but who has no need to read the   */
/* contents.                                                         */
/*-------------------------------------------------------------------*/
ADDUSER STORADM PASSWORD(change-me) TSO(ACCTNUM(123) PROC(TST77C1))

/*-------------------------------------------------------------------*/
/* Permit the data owner and storage admin access to the data sets.  */
/*                                                                   */
/* Note: This does not grant them access to view the encrypted       */
/*       contents. In order to view encrypted contents, the users    */
/*       must have access to the encryption key protected by the     */
/*       CSFKEYS class.                                              */
/* Note: Permitting ALTER authorization to the storage administrator */
/*       gives them the ability to delete, rename, move, or scratch  */
/*       the data set. However, it also gives them the ability to    */
/*       delete the discrete DATASET profile protecting the data     */
/*       set. Use generic DATASET profiles to ensure storage admins  */
/*       are unable to alter the DATASET profile.                    */
/*-------------------------------------------------------------------*/
PERMIT 'EYSHA.ICSF.ENCRYPT.ME.*' ID(DATAOWN) ACCESS(UPDATE)
PERMIT 'EYSHA.ICSF.ENCRYPT.ME.*' ID(STORADM) ACCESS(ALTER)

/*-------------------------------------------------------------------*/
/* Verify the data owner and storage admin are in the access list.   */
/*-------------------------------------------------------------------*/
LISTDSD DATASET('EYSHA.ICSF.ENCRYPT.ME.*') AUTHUSER

/*-------------------------------------------------------------------*/
/* Use the LISTDSD GENERIC comand for the DATASET commands to take   */
/* effect for the current user. The data set name must be non-generic*/
/* and covered by the generic profile but does not need to exist.    */
/*-------------------------------------------------------------------*/
LISTDSD DATASET('EYSHA.ICSF.ENCRYPT.ME.DATA') GENERIC

0 comments
22 views

Permalink

https://community.ibm.com/community/user/blogs/eysha-shirrine-powers2/2020/03/25/pervasive-ds-encryption-sample-protect-data-sets-w-secure-keys