Sample procedure for setting up z/OS DFSMS data set encryption

When you use z/OS DFSMS data set encryption to encrypt Db2 data, Integrated Cryptographic Service Facility (ICSF) and Resource Access Control Facility (RACF®) or an equivalent security product must be configured to set up the encryption key and the key label.

Procedure

The following sample procedure shows you how to set up ICSF and RACF for encryption using z/OS DFSMS data set encryption:

  1. Use ICSF to define the encryption key.

    The secure AES key can be defined in the ICSF Cryptographic Key Data Set (CKDS) or Public Key Data Set (PKDS).

  2. Define the required authorities on RACF or an equivalent security product. RACF is used in this example.

    To allow the system to create encrypted data sets when the key label is specified by Db2, the Db2 address space ID or the utility user must have at least READ authority to the following resource in the FACILITY class: STGADMIN.SMS.ALLOW.DATASET.ENCRYPT

    The system checks RACF for authority to this resource when the data set is first allocated, and only when it is defined as extended format linear, extended format sequential, or basic or large format sequential. For basic and large format sequential data sets, z/OS DFSMS APAR OA56622 must be applied.
    Exception: When the key label is specified in the DFP segment of the RACF data set profile, the system does not require the user to have authority to this resource.

    When UACC(NONE) is specified for resource STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC in the FACILITY class, and an encryption key label is specified for a data set that is not extended format linear, extended format sequential, basic format sequential, or large format sequential, the key label is ignored, and the data set is successfully created as a non-encrypted data set. Allocation fails instead if you have at least READ authority to STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC.

    The following example activates the CSFKEYS, CSFSERV, and CRYPTOZ classes and defines a generic CSFKEYS profile with UACC(NONE) that allows the keys to be used as protected keys:

    SETR CLASSACT(CSFKEYS CSFSERV CRYPTOZ) REFRESH
    SETR GENERIC(CSFKEYS CSFSERV CRYPTOZ) REFRESH
    SETR RACLIST(CSFKEYS CSFSERV CRYPTOZ)
    RDEFINE CSFKEYS * UACC(NONE) ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))

    Allow the DB2SYS.KEY02 and STG01KLABEL key labels to be used by the SYSDSP Db2 address space ID when the key labels are accessed by any application. Allow the DB2USR.KEY01 key label to be used by the UTILUSR Db2 utility user only when the key label is accessed by z/OS DFSMS. The following example shows how to define these permissions:

    PERMIT DB2SYS.KEY02 CLASS(CSFKEYS) ID(SYSDSP) ACCESS(READ)
    PERMIT STG01KLABEL CLASS(CSFKEYS) ID(SYSDSP) ACCESS(READ)
    PERMIT DB2USR.KEY01 CLASS(CSFKEYS) ID(UTILUSR) ACCESS(READ)
                    WHEN(CRITERIA(SMS(DSENCRYPTION)))
    SETR RACLIST(CSFKEYS CSFSERV CRYPTOZ) REFRESH

    If the ICSF prefixed profiles feature is enabled for the CSFKEYS resource class, additional RACF setup is needed. The resource CSF.PREFIX.CSFKEYS.ENABLE must be defined in the XFACILIT class. The following example shows the RACF setup:

    SETR CLASSACT(RACFVARS) RACLIST(RACFVARS)
    RDEFINE RACFVARS &TESTSYS ADDMEM(TEST1)
    SETR RACLIST(RACFVARS) REFRESH

    Where TEST1 is the system name that the &TESTSYS RACFVARS profile resolves to.

    RDEFINE CSFKEYS &TESTSYS.DB2SYS.KEY01 UACC(NONE)
         ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
    PERMIT &TESTSYS.DB2SYS.KEY01 ID(SYSDSP) ACC(READ) CLASS(CSFKEYS)
    SETR RACLIST(CSFKEYS) REFRESH

    For details, see Setting up profiles in the CSFKEYS general resource class. In addition, for protected keys, see Enabling use of encrypted keys in Symmetric Key Encipher and Symmetric Key Decipher callable services.

  3. Define a key label on the data sets using one of the following methods.
    • Define a key label on a Db2 object. For example, create a storage group with key label STG01KLABEL.
      CREATE STOGROUP DSNCG100
                  VOLUMES (ABC001,DEF003) VCAT DSNCAT
                  KEY LABEL STG01KLABEL;

      After the key label for storage group DSNCG100 is defined, any table space or index space that is allocated using storage group DSNCG100 will use key label STG01KLABEL for encryption.

    • Define a key label at the RACF data set profile level. For example, you can alter the RACF data set profile to define a key label. The RACF data set profile key label takes precedence over any key label specified elsewhere.

      The following example shows how to alter the data set profile for the Db2 catalog database (DSNDB06) to add the key label DB2SYS.KEY02:

      ALTDSD 'DSNCC10.DSNDBC.DSNDB06.*' DFP(DATAKEY(DB2SYS.KEY02))

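
    The allocation-time rules of step 2 (the FACILITY resources, the supported data set types, the DFP segment exception) and the precedence rule of step 3 are easy to get wrong, and the costly mistake is a key label that is silently ignored. The following Python model is an added example, not IBM code; the DSNTYPE names and the assumption that a missing READ to STGADMIN.SMS.ALLOW.DATASET.ENCRYPT rejects the allocation are constructed for illustration.

```python
"""Model of the DFSMS allocation-time decisions described in steps 2 and 3.

Illustrative Python, not z/OS code: which DSNTYPEs honour a key label, when
READ to STGADMIN.SMS.ALLOW.DATASET.ENCRYPT is checked, the DFP DATAKEY
exception and precedence, and the STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC switch.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ALLOW = "STGADMIN.SMS.ALLOW.DATASET.ENCRYPT"
FAIL_INVALID = "STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC"
# DSNTYPEs for which DFSMS honours a key label (constructed names; basic and
# large format sequential additionally need APAR OA56622).
ENCRYPTABLE = {"EXTENDED_LINEAR", "EXTENDED_SEQ", "BASIC_SEQ", "LARGE_SEQ"}


@dataclass
class Allocation:
    dsname: str
    dsntype: str
    requested_label: Optional[str] = None   # DSKEYLBL in JCL or Db2 KEY LABEL
    profile_datakey: Optional[str] = None   # DFP(DATAKEY(...)) on the RACF profile
    facility_read: Set[str] = field(default_factory=set)  # FACILITY resources with READ


def allocate(a: Allocation) -> Tuple[str, Optional[str]]:
    """Return (outcome, effective key label) for a first allocation."""
    # The RACF data set profile key label takes precedence over any other.
    label = a.profile_datakey or a.requested_label
    if label is None:
        return "created_unencrypted", None
    if a.dsntype not in ENCRYPTABLE:
        # Unsupported DSNTYPE: hard fail if the user has READ to FAIL_INVALID,
        # otherwise the key label is silently dropped.
        if FAIL_INVALID in a.facility_read:
            return "allocation_failed", None
        return "created_unencrypted", None
    # Exception: a label supplied by the DFP segment needs no ALLOW authority.
    # Assumption: without READ to ALLOW the allocation is rejected.
    if a.profile_datakey is None and ALLOW not in a.facility_read:
        return "allocation_failed", None
    return "created_encrypted", label


def silent_plaintext(plan: List[Allocation]) -> List[str]:
    """Data sets that carry a key label but would be created unencrypted."""
    return [a.dsname for a in plan
            if (a.profile_datakey or a.requested_label)
            and allocate(a)[0] == "created_unencrypted"]
```

Run silent_plaintext over the planned data sets before granting READ to STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC: every name it returns is a data set whose key label would be dropped without error.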
  4. Encrypt the data sets by using JCL.

    The following example shows a JCL DD statement that specifies a key label (DSKEYLBL) so that a work data set used by the REORG utility is encrypted:

    //SYSUT1   DD DSN=DB2SMS.N035UN02.REORGW.SYSUT1,
    //         DATACLAS=DB2SMS10,DSKEYLBL=DB2SG.KEY01,
    //         DISP=(MOD,DELETE,CATLG),UNIT=SYSDA,
    //         SPACE=(8000,(200,20),,,ROUND)