IBM Crypto Education Community

Join the IBM Crypto Education community to explore and understand IBM cryptography technology. This community is operated and maintained by the IBM Crypto Development team.

Pervasive (DS) Encryption Sample: Authorize Key Users

By Eysha Shirrine Powers posted Wed March 25, 2020 05:29 PM

  

/* CLIST */

/* Pervasive (Data Set) Encryption: Step 8 of 10                     */
/*-------------------------------------------------------------------*/
/* Create SAF resources to protect keys in the ICSF key data sets.   */
/* Users with access to the key label can access encrypted data.     */
/*                                                                   */
/* Supported on z/OS 2.3 and later                                   */
/*-------------------------------------------------------------------*/
/*                                                                   */
/* Instructions:                                                     */
/* - Update DATASET.EYSHA.ICSF.ENCRYPT.ME.* with your key label      */
/*   (5 places)                                                      */
/*                                                                   */
/*      Note: An example key label naming scheme is                  */
/*              DATASET.<dataset_resource>.ENCRKEY.<seqno>           */
/*                                                                   */
/* - Replace DATAOWN with your data owner user id from Step 7        */
/*                                                                   */
/* - EXECUTE THIS CLIST FROM TSO                                     */
/*   (E.G. EX 'HLQ.MLD.LLQ(PROTKEYS)')                               */
/*-------------------------------------------------------------------*/

/*-------------------------------------------------------------------*/
/* Create a CSFKEYS resource to protect a set of key labels.         */
/*-------------------------------------------------------------------*/
RDEFINE CSFKEYS DATASET.EYSHA.ICSF.ENCRYPT.ME.* UACC(NONE)

/*-------------------------------------------------------------------*/
/* The ICSF segment of the resource must specify these keywords so   */
/* that keys under this label can be used as CPACF protected keys.   */
/*-------------------------------------------------------------------*/
RALTER CSFKEYS DATASET.EYSHA.ICSF.ENCRYPT.ME.*                         +
  ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))

/*-------------------------------------------------------------------*/
/* Verify that the ICSF segment contains the protected key fields.   */
/*-------------------------------------------------------------------*/
RLIST CSFKEYS DATASET.EYSHA.ICSF.ENCRYPT.ME.* ICSF NORACF

/*-------------------------------------------------------------------*/
/* Permit the data owner to use the key when accessed through DFSMS  */
/*-------------------------------------------------------------------*/
PERMIT DATASET.EYSHA.ICSF.ENCRYPT.ME.* CLASS(CSFKEYS) ID(DATAOWN)      +
  ACCESS(READ) WHEN(CRITERIA(SMS(DSENCRYPTION)))

/*-------------------------------------------------------------------*/
/* Refresh the CSFKEYS class to ensure that all users, started       */
/* tasks, and jobs are referencing the updated resource.             */
/*-------------------------------------------------------------------*/
SETROPTS RACLIST(CSFKEYS)
SETROPTS RACLIST(CSFKEYS) REFRESH

/*-------------------------------------------------------------------*/
/* Verify the data owner user id is in the conditional access list   */
/*-------------------------------------------------------------------*/
RLIST CSFKEYS DATASET.EYSHA.ICSF.ENCRYPT.ME.* AUTHUSER
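
A pre-flight check for an edited copy of this CLIST, added here as an example (it is not part of the original sample or any IBM tooling): it confirms the key label was updated consistently, UACC(NONE) is kept, the ICSF segment keyword is set, the PERMIT keeps its DFSMS condition, and the class is refreshed. The finding codes, the function names and the PAYROLL/PAYOWN names are assumptions made for illustration.

```python
import re

# Constructed sample (not from the page); PAYROLL and PAYOWN are hypothetical.
BAD_CLIST = """\
/* Edited copy of PROTKEYS */
RDEFINE CSFKEYS DATASET.PAYROLL.ENCRKEY.* UACC(READ)
RALTER CSFKEYS DATASET.PAYROLL.ENCRKEY.*                    +
  ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
PERMIT DATASET.PAYROLL.ENCRKEY.* CLASS(CSFKEYS) ID(PAYOWN)  +
  ACCESS(READ)
SETROPTS RACLIST(CSFKEYS) REFRESH
RLIST CSFKEYS DATASET.EYSHA.ICSF.ENCRYPT.ME.* AUTHUSER
"""

COND = re.compile(r"WHEN\(\s*CRITERIA\(\s*SMS\(\s*DSENCRYPTION\s*\)\s*\)\s*\)")

def commands(clist):
    """Drop /* */ comments and join '+' continuations: one command per item."""
    out, pending = [], ""
    for line in re.sub(r"/\*.*?\*/", "", clist, flags=re.S).splitlines():
        line = line.strip()
        if line.endswith("+"):
            pending += line[:-1].strip() + " "
        elif line:
            out.append((pending + line).upper())
            pending = ""
    return out

def audit(clist):
    """Return finding codes for departures from the pattern in the sample."""
    findings, labels, wrapped, refreshed = [], set(), False, False
    for cmd in commands(clist):
        w = cmd.split()
        if w[0] in ("RDEFINE", "RALTER", "RLIST") and w[1:2] == ["CSFKEYS"]:
            labels.update(w[2:3])
            if w[0] == "RDEFINE" and "UACC(NONE)" not in cmd:
                findings.append("UACC_NOT_NONE")
            wrapped |= w[0] != "RLIST" and "SYMCPACFWRAP(YES)" in cmd
        elif w[0] == "PERMIT" and "CLASS(CSFKEYS)" in cmd:
            labels.update(w[1:2])
            if not COND.search(cmd):   # PERMIT lacks the DFSMS-only condition
                findings.append("PERMIT_NOT_CONDITIONAL")
        elif w[0] == "SETROPTS" and "RACLIST(CSFKEYS)" in cmd:
            refreshed |= "REFRESH" in w
    late = {"LABEL_MISMATCH": len(labels) > 1,      # label not updated everywhere
            "NO_SYMCPACFWRAP": not wrapped,
            "NO_RACLIST_REFRESH": not refreshed}
    return findings + [code for code, hit in late.items() if hit]
```

Calling `audit(BAD_CLIST)` reports the three mistakes planted in the constructed sample; the commands exactly as posted above produce no findings.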
