[z/OS]

Configuring the data set encryption key for the queue manager

This topic describes how to configure a data set encryption key for a queue manager.

About this task

This task is a prerequisite for Configuring data set encryption for the log data sets.

Procedure

  1. Set up an AES 256-bit encryption DATA key with a label, for example, CSQ1DSKY, using the z/OS® key generator utility program (KGUP).
  2. Define the RACF CSFKEYS profile for the CSQ1DSKY encryption key, by issuing the following command:
    RDEFINE CSFKEYS CSQ1DSKY UACC(NONE)
  3. Configure the ICSF segment of the profile to allow the key to be used as a protected key, by issuing the following command:
    RALTER CSFKEYS CSQ1DSKY ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
  4. Allow the queue manager to use the encryption key by giving QMCSQ1 READ access to the profile, by issuing the following command:
    PERMIT CSQ1DSKY CLASS(CSFKEYS) ID(QMCSQ1) ACCESS(READ)
    Give the same access to any administrative user that needs to read or write the encrypted data set.
  5. Refresh the CSFKEYS class by issuing the following command:
    SETROPTS RACLIST(CSFKEYS) REFRESH
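
As a pre-flight check for steps 2 to 5, the following Python code lints a RACF command script before it is run. It is an added example, not IBM-supplied code; the function name check_key_profile and the allowed-ID set are assumptions made for illustration, and the key label and user ID are the example values used on this page.

```python
import re

# Constructed sample: the commands from steps 2 to 5, using the page's example
# names (key label CSQ1DSKY, queue manager user ID QMCSQ1).
PROCEDURE = """\
RDEFINE CSFKEYS CSQ1DSKY UACC(NONE)
RALTER CSFKEYS CSQ1DSKY ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
PERMIT CSQ1DSKY CLASS(CSFKEYS) ID(QMCSQ1) ACCESS(READ)
SETROPTS RACLIST(CSFKEYS) REFRESH
"""

def check_key_profile(script, label, allowed_ids):
    """Return a list of findings for the RACF commands that protect `label`."""
    # Normalise whitespace and case so the checks are plain string tests.
    cmds = [" ".join(l.split()).upper() for l in script.splitlines() if l.strip()]
    findings = []
    # Step 2: the profile must exist with no universal access.
    define = [c for c in cmds if c.startswith(f"RDEFINE CSFKEYS {label} ")]
    if not any("UACC(NONE)" in c for c in define):
        findings.append("profile not defined with UACC(NONE)")
    # Step 3: both protected-key options must be set in the ICSF segment.
    alter = [c for c in cmds if c.startswith(f"RALTER CSFKEYS {label} ")]
    for opt in ("SYMCPACFWRAP(YES)", "SYMCPACFRET(YES)"):
        if not any(opt in c for c in alter):
            findings.append(f"ICSF segment missing {opt}")
    # Step 4: only expected IDs may be permitted, and only with READ.
    last_change = -1
    for i, c in enumerate(cmds):
        if c.startswith(("RDEFINE ", "RALTER ", "PERMIT ")) and label in c:
            last_change = i
        if c.startswith(f"PERMIT {label} ") and "CLASS(CSFKEYS)" in c:
            m = re.search(r"\bID\(([^)]*)\)", c)
            for uid in (m.group(1).replace(",", " ").split() if m else []):
                if uid not in allowed_ids:
                    findings.append(f"unexpected ID {uid} permitted to the key")
            if "ACCESS(READ)" not in c:
                findings.append(f"PERMIT access is not explicitly READ: {c}")
    # Step 5: the refresh must come after the last profile change.
    refresh = [i for i, c in enumerate(cmds) if c == "SETROPTS RACLIST(CSFKEYS) REFRESH"]
    if not refresh or refresh[-1] < last_change:
        findings.append("no SETROPTS RACLIST(CSFKEYS) REFRESH after the last change")
    return findings

if __name__ == "__main__":
    print(check_key_profile(PROCEDURE, "CSQ1DSKY", {"QMCSQ1"}) or "no findings")
```

Add each administrative user ID that legitimately needs the key to the allowed-ID set, so that any other PERMIT in the script is reported.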

What to do next

Configure data set encryption for the data sets, as described in Configuring data set encryption for the log data sets.