/* CLIST */
/* Pervasive (Data Set) Encryption: Step 8 of 10 */
/*-------------------------------------------------------------------*/
/* Create SAF resources to protect keys in the ICSF key data sets. */
/* Users with access to the key label can access encrypted data. */
/* */
/* Supported on z/OS 2.3 and later */
/*-------------------------------------------------------------------*/
/* */
/* Instructions: */
/* - Update DATASET.EYSHA.ICSF.ENCRYPT.ME.* with your key label */
/* (5 places) */
/* */
/* Note: An example key label naming scheme is */
/* DATASET.<dataset_resource>.ENCRKEY.<seqno> */
/* */
/* - Replace DATAOWN with your data owner user id from Step 7 */
/* */
/* - EXECUTE THIS CLIST FROM TSO */
/* (E.G. EX 'HLQ.MLD.LLQ(PROTKEYS)') */
/*-------------------------------------------------------------------*/
/*-------------------------------------------------------------------*/
/* Create a CSFKEYS resource to protect a set of key labels. */
/*-------------------------------------------------------------------*/
RDEFINE CSFKEYS DATASET.EYSHA.ICSF.ENCRYPT.ME.* UACC(NONE)
/*-------------------------------------------------------------------*/
/* The resource must specify the ICSF segment keywords so that the */
/* key label can be used as a CPACF protected key. */
/*-------------------------------------------------------------------*/
RALTER CSFKEYS DATASET.EYSHA.ICSF.ENCRYPT.ME.* +
       ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
/*-------------------------------------------------------------------*/
/* Verify that the ICSF segment contains the protected key fields. */
/*-------------------------------------------------------------------*/
RLIST CSFKEYS DATASET.EYSHA.ICSF.ENCRYPT.ME.* ICSF NORACF
/*-------------------------------------------------------------------*/
/* Permit the data owner READ access to the key label, conditional */
/* on the key being accessed through DFSMS data set encryption. */
/*-------------------------------------------------------------------*/
PERMIT DATASET.EYSHA.ICSF.ENCRYPT.ME.* CLASS(CSFKEYS) ID(DATAOWN) +
       ACCESS(READ) WHEN(CRITERIA(SMS(DSENCRYPTION)))
/*-------------------------------------------------------------------*/
/* Ensure the CSFKEYS class is RACLISTed, then refresh it so that */
/* all users, started tasks, and jobs reference the updated */
/* resource. */
/*-------------------------------------------------------------------*/
SETROPTS RACLIST(CSFKEYS)
SETROPTS RACLIST(CSFKEYS) REFRESH
/*-------------------------------------------------------------------*/
/* Verify the data owner user id is in the conditional access list */
/*-------------------------------------------------------------------*/
RLIST CSFKEYS DATASET.EYSHA.ICSF.ENCRYPT.ME.* AUTHUSER