/* CLIST */
/* Pervasive (Data Set) Encryption: Step 7 of 10 */
/*-------------------------------------------------------------------*/
/* Create SAF resources to protect new data sets. Existing data sets */
/* will need to be copied over to these new data sets after */
/* allocation. */
/* */
/* Requires z/OS 2.3 or later */
/*-------------------------------------------------------------------*/
/* Instructions: */
/* - Update EYSHA.ICSF.ENCRYPT.ME.* with your generic data set name */
/* (7 places) */
/* - Update the DATAKEY field with your encryption key label */
/* */
/* Note: An example key label naming scheme is */
/* DATASET.<dataset_resource>.ENCRKEY.<seqno> */
/* */
/* - Optionally replace DATAOWN with desired data owner user id */
/* - Optionally replace STORADM with desired storage admin user id */
/* - Replace change-me with a secure, unique password */
/* - Update the ACCTNUM and PROC */
/* */
/* - EXECUTE THIS CLIST FROM TSO */
/* (E.G. EX 'HLQ.MLD.LLQ(PROTDS)') */
/*-------------------------------------------------------------------*/
/*-------------------------------------------------------------------*/
/* Allow the creation of encrypted data sets using SAF policies only.*/
/*-------------------------------------------------------------------*/
RDEFINE FACILITY STGADMIN.SMS.ALLOW.DATASET.ENCRYPT UACC(NONE)
/*-------------------------------------------------------------------*/
/* Refresh the FACILITY class to ensure that all users, started */
/* tasks, and jobs are referencing the updated resource. */
/*-------------------------------------------------------------------*/
SETROPTS RACLIST(FACILITY)
SETROPTS RACLIST(FACILITY) REFRESH
/*-------------------------------------------------------------------*/
/* Verify resource creation. */
/*-------------------------------------------------------------------*/
RLIST FACILITY STGADMIN.SMS.ALLOW.DATASET.ENCRYPT
/*-------------------------------------------------------------------*/
/* Create a generic DATASET resource to protect a set of data sets. */
/*-------------------------------------------------------------------*/
ADDSD 'EYSHA.ICSF.ENCRYPT.ME.*' UACC(NONE)
/*-------------------------------------------------------------------*/
/* Specify the encryption key label in the DFP segment. */
/*-------------------------------------------------------------------*/
ALTDSD 'EYSHA.ICSF.ENCRYPT.ME.*' +
DFP(DATAKEY(DATASET.EYSHA.ICSF.ENCRYPT.ME.ENCRKEY.00000001))
/*-------------------------------------------------------------------*/
/* Verify that the key label is in the DFP segment. */
/*-------------------------------------------------------------------*/
LISTDSD DATASET('EYSHA.ICSF.ENCRYPT.ME.*') DFP NORACF
/*-------------------------------------------------------------------*/
/* Refresh the DATASET class to ensure that all users, started tasks,*/
/* and jobs are referencing the updated generic resource. */
/* */
/* Caution: This command purges all cached RACF generic resource */
/* information in all address spaces which will impact */
/* performance. */
/* */
/* Uncomment the line below to issue the command. */
/*-------------------------------------------------------------------*/
/* SETROPTS GENERIC(DATASET) REFRESH */
/*-------------------------------------------------------------------*/
/* Create a data owner to read and write data to the data set. */
/*-------------------------------------------------------------------*/
ADDUSER DATAOWN PASSWORD(change-me) TSO(ACCTNUM(123) PROC(TST77C1))
/*-------------------------------------------------------------------*/
/* Create a storage administrator to manage the data set */
/* (e.g. create, copy, and delete) but who has no need to read the */
/* contents. */
/*-------------------------------------------------------------------*/
ADDUSER STORADM PASSWORD(change-me) TSO(ACCTNUM(123) PROC(TST77C1))
/*-------------------------------------------------------------------*/
/* Permit the data owner and storage admin access to the data sets. */
/* */
/* Note: This does not grant them access to view the encrypted */
/* contents. In order to view encrypted contents, the users */
/* must have access to the encryption key protected by the */
/* CSFKEYS class. */
/* Note: Permitting ALTER authorization to the storage administrator */
/* gives them the ability to delete, rename, move, or scratch */
/* the data set. However, it also gives them the ability to */
/* delete the discrete DATASET profile protecting the data */
/* set. Use generic DATASET profiles to ensure storage admins */
/* are unable to alter the DATASET profile. */
/*-------------------------------------------------------------------*/
PERMIT 'EYSHA.ICSF.ENCRYPT.ME.*' ID(DATAOWN) ACCESS(UPDATE)
PERMIT 'EYSHA.ICSF.ENCRYPT.ME.*' ID(STORADM) ACCESS(ALTER)
/*-------------------------------------------------------------------*/
/* Verify the data owner and storage admin are in the access list. */
/*-------------------------------------------------------------------*/
LISTDSD DATASET('EYSHA.ICSF.ENCRYPT.ME.*') AUTHUSER
/*-------------------------------------------------------------------*/
/* Use the LISTDSD GENERIC comand for the DATASET commands to take */
/* effect for the current user. The data set name must be non-generic*/
/* and covered by the generic profile but does not need to exist. */
/*-------------------------------------------------------------------*/
LISTDSD DATASET('EYSHA.ICSF.ENCRYPT.ME.DATA') GENERIC