Identifying users of SPOOL encryption

Determine which users and groups need to be able to create and access encrypted SPOOL data sets. The SAF profiles and user IDs that are checked depend on the JES2 function that is used. In many cases, the user ID that is used to access an encrypted data set is not the same as the user ID that created the encrypted data set. In these situations, both user IDs must have access to the cryptographic key by using profiles in the CSFKEYS class.

The tables in this topic identify the SAF profiles and access authorities that must be in place to use JES2 SPOOL encryption during various phases of processing.

In the following examples, assume that the following JCL is submitted:
Figure 1. Sample JCL with two instream and two SYSOUT data sets.

//EJ4      JOB MSGLEVEL=(1,1)
//STEP1    EXEC PGM=IEBDG
//SYSPRINT DD SYSOUT=*
//ENCOUT   DD SYSOUT=*,DSKEYLBL=MY.KEY,DCB=(RECFM=FB,LRECL=80)
//ENCIN    DD *,DSKEYLBL=MY.KEY
Here is some encrypted data.
Here is some more encrypted data.
//SYSIN    DD *
  DSD    OUTPUT=(ENCOUT),INPUT=(ENCIN)
  FD     NAME=FIELD1,LENGTH=80,STARTLOC=1,FORMAT=AL,ACTION=SL
  CREATE QUANTITY=1,INPUT=ENCIN
  CREATE QUANTITY=80,NAME=FIELD1,FILL=X'FF'
  CREATE QUANTITY=1,INPUT=ENCIN
  END

In the tables below, the JESJOBS profile that matches the name listed in the JESJOBS column is used to extract the key label for encryption. Assume that a JESJOBS profile is in place that associates a key label called DEFAULT with all SPOOL data sets.

The FACILITY column shows the profile that the user ID must have access to in order to use the DSKEYLBL keyword. For the allocation to succeed, the user ID listed must also have READ authority or higher to a CSFKEYS profile covering the key label that is used. If ICSF is set up to check access to ICSF services, the user ID must additionally have READ access to the CSNEKRR2 service through a profile in the CSFSERV class.

Assume that the user ID associated with the JES2 address space is JESID.
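The rules in the paragraphs above (JESJOBS profile name built from node, user ID, job name and DD name; FACILITY JES.ENCRYPT.SUBMITTER or JES.ENCRYPT.OWNER only when DSKEYLBL is coded; CSFKEYS for the key label; CSFSERV CSNEKRR2 when ICSF checks service access) can be modelled so that a required-access matrix can be diffed against what RACF actually grants before a job is run. The following Python is an added example written for this page, not IBM code: the class and profile names come from the page, the node/user/job values are those of the EJ4 scenario, and the granted-access dictionary and the exact-name matching (real SAF profiles can be generic) are constructed simplifications.

```python
"""Model of the SAF checks JES2 makes for SPOOL encryption (added example, not IBM code).

Rules are read from the page text: JESJOBS names are ENCRYPT.node.userid.jobname.ddname,
FACILITY is checked only when DSKEYLBL is coded, CSFKEYS is checked for the key label,
and CSFSERV CSNEKRR2 is needed when ICSF checks service access. Grant data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Check:
    user: str                 # user ID whose authority is checked
    jesjobs: Optional[str]    # JESJOBS profile consulted for a key label, or None
    facility: Optional[str]   # FACILITY profile required for DSKEYLBL, or None
    csfkeys: Optional[str]    # key label the user needs READ to in CSFKEYS, or None


def jesjobs_profile(node: str, user: str, job: str, dd: str) -> str:
    """Profile name JES2 looks up to extract a key label (format from the page)."""
    return f"ENCRYPT.{node}.{user}.{job}.{dd}"


def input_check(node: str, submitter: str, job: str, dd: str,
                dskeylbl: Optional[str] = None, instream: bool = True,
                default_label: str = "DEFAULT") -> Check:
    """Input processing: only instream (DD *) data sets are encrypted at this phase.
    The submitter (a user, or JESID for reader/RJE/console/NJE input) is checked."""
    if not instream:
        return Check(submitter, None, None, None)  # SYSOUT DDs untouched at input
    if dskeylbl:
        return Check(submitter, jesjobs_profile(node, submitter, job, dd),
                     "JES.ENCRYPT.SUBMITTER", dskeylbl)
    return Check(submitter, jesjobs_profile(node, submitter, job, dd),
                 None, default_label)


def execution_check(node: str, owner: str, job: str, dd: str, sysout: bool,
                    dskeylbl: Optional[str] = None,
                    default_label: str = "DEFAULT") -> Check:
    """Execution: instream data sets already carry a label, so only the key is checked;
    SYSOUT data sets get a JESJOBS lookup, JES.ENCRYPT.OWNER if DSKEYLBL was coded,
    and a CSFKEYS check. The owner is the job's user ID (USER= on the JOB card)."""
    if not sysout:
        return Check(owner, None, None, dskeylbl or default_label)
    if dskeylbl:
        return Check(owner, jesjobs_profile(node, owner, job, dd),
                     "JES.ENCRYPT.OWNER", dskeylbl)
    return Check(owner, jesjobs_profile(node, owner, job, dd), None, default_label)


def sysout_check(user: str, dskeylbl: Optional[str] = None,
                 default_label: str = "DEFAULT") -> Check:
    """Browse/print: labels are already assigned, so only CSFKEYS is checked
    for whoever reads the data (SDSF user, SPOOL browse caller, JESID, FSS ID)."""
    return Check(user, None, None, dskeylbl or default_label)


Grants = Dict[Tuple[str, str], Set[str]]   # (class, profile) -> user IDs with READ


def missing_access(checks: List[Check], grants: Grants,
                   icsf_checks_services: bool = False) -> List[Tuple[str, str, str]]:
    """(user, class, profile) triples that would fail. JESJOBS is not an access check
    (it only supplies the label), so it is not listed. Exact-name matching only."""
    missing: List[Tuple[str, str, str]] = []
    for c in checks:
        needed = []
        if c.facility:
            needed.append(("FACILITY", c.facility))
            if icsf_checks_services:   # page states this for DSKEYLBL allocations
                needed.append(("CSFSERV", "CSNEKRR2"))
        if c.csfkeys:
            needed.append(("CSFKEYS", c.csfkeys))
        for cls, prof in needed:
            triple = (c.user, cls, prof)
            if c.user not in grants.get((cls, prof), set()) and triple not in missing:
                missing.append(triple)
    return missing


def demo() -> List[Tuple[str, str, str]]:
    """EJ4 submitted by USER1 via TSO (Table 1) and executed (Table 7), audited against
    a constructed grant set that forgot JES.ENCRYPT.OWNER and the CSFSERV profile."""
    checks = [
        input_check("RCH", "USER1", "EJ4", "ENCIN", dskeylbl="MY.KEY"),
        input_check("RCH", "USER1", "EJ4", "SYSIN"),
        execution_check("POK", "USER1", "EJ4", "ENCOUT", sysout=True, dskeylbl="MY.KEY"),
        execution_check("POK", "USER1", "EJ4", "SYSPRINT", sysout=True),
    ]
    grants: Grants = {                      # constructed, not a real RACF database
        ("CSFKEYS", "MY.KEY"): {"USER1"},
        ("CSFKEYS", "DEFAULT"): {"USER1"},
        ("FACILITY", "JES.ENCRYPT.SUBMITTER"): {"USER1"},
    }
    return missing_access(checks, grants, icsf_checks_services=True)


if __name__ == "__main__":
    for user, cls, prof in demo():
        print(f"{user} lacks READ to {cls} {prof}")
```

Running it lists the two gaps USER1 would hit in this scenario: CSFSERV CSNEKRR2 (ICSF service access) and FACILITY JES.ENCRYPT.OWNER (needed to honour DSKEYLBL on ENCOUT at execution time), which is the kind of mismatch between submitter-side and owner-side authority that the opening paragraph warns about.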

Input processing

The following tables cover usage of JESJOBS and FACILITY profiles during input processing:

Table 1. EJ4 submitted on node RCH by user USER1 using TSO submit.

Data set   User ID   JESJOBS                          FACILITY                 CSFKEYS
SYSPRINT   N/A       N/A                              N/A                      N/A
ENCOUT     N/A       N/A                              N/A                      N/A
ENCIN      USER1     ENCRYPT.RCH.USER1.EJ4.ENCIN      JES.ENCRYPT.SUBMITTER    MY.KEY
SYSIN      USER1     ENCRYPT.RCH.USER1.EJ4.SYSIN      N/A                      DEFAULT

Table 2. EJ4 submitted on node RCH through a card reader or RJE remote, or reloaded from an offload device.

Data set   User ID   JESJOBS                          FACILITY                 CSFKEYS
SYSPRINT   N/A       N/A                              N/A                      N/A
ENCOUT     N/A       N/A                              N/A                      N/A
ENCIN      JESID     ENCRYPT.RCH.JESID.EJ4.ENCIN      JES.ENCRYPT.SUBMITTER    MY.KEY
SYSIN      JESID     ENCRYPT.RCH.JESID.EJ4.SYSIN      N/A                      DEFAULT

Table 3. USER1 is logged in to a console on node RCH and submits EJ4 using the $SUBMIT command.

Data set   User ID   JESJOBS                          FACILITY                 CSFKEYS
SYSPRINT   N/A       N/A                              N/A                      N/A
ENCOUT     N/A       N/A                              N/A                      N/A
ENCIN      JESID     ENCRYPT.RCH.JESID.EJ4.ENCIN      JES.ENCRYPT.SUBMITTER    MY.KEY
SYSIN      JESID     ENCRYPT.RCH.JESID.EJ4.SYSIN      N/A                      DEFAULT

Table 4. USER1 transmits EJ4 from node RCH to node POK using a /*XMIT card. The following profiles are used on node POK, where EJ4 is received.

Data set   User ID   JESJOBS                          FACILITY                 CSFKEYS
SYSPRINT   N/A       N/A                              N/A                      N/A
ENCOUT     N/A       N/A                              N/A                      N/A
ENCIN      JESID     ENCRYPT.POK.JESID.EJ4.ENCIN      JES.ENCRYPT.SUBMITTER    MY.KEY
SYSIN      JESID     ENCRYPT.POK.JESID.EJ4.SYSIN      N/A                      DEFAULT

Table 5. USER1 submits a job on RCH destined for node POK. The following checks are performed on node RCH before the job is transmitted to node POK.

Data set   User ID   JESJOBS                          FACILITY                 CSFKEYS
SYSPRINT   N/A       N/A                              N/A                      N/A
ENCOUT     N/A       N/A                              N/A                      N/A
ENCIN      JESID     N/A                              N/A                      MY.KEY
SYSIN      JESID     N/A                              N/A                      DEFAULT

Table 6. USER1 transmits EJ4 from node RCH to node CAT through node POK (store and forward). Assume that an ENCRYPT.*.*.*.JESJCLIN profile exists that associates the key label TRANSIT with jobs and output that are being stored and forwarded.

Data set   User ID   JESJOBS                          FACILITY                 CSFKEYS
JESJCLIN   JESID     ENCRYPT.POK.JESID.EJ4.JESJCLIN   N/A                      TRANSIT

Execution

The following tables cover usage of JESJOBS and FACILITY profiles during job execution:

Table 7. EJ4 executes on node RCH under USER1’s authority. The job reads from both instream data sets and writes to both SYSOUT data sets.

Data set   User ID   JESJOBS                          FACILITY                 CSFKEYS
SYSPRINT   USER1     ENCRYPT.POK.USER1.EJ4.SYSPRINT   N/A                      DEFAULT
ENCOUT     USER1     ENCRYPT.POK.USER1.EJ4.ENCOUT     JES.ENCRYPT.OWNER        MY.KEY
ENCIN      USER1     N/A                              N/A                      MY.KEY
SYSIN      USER1     N/A                              N/A                      DEFAULT

Table 8. EJ4 executes on node RCH under USER1’s authority. It also performs a dynamic allocation of a data set called DYNOUT and supplies a key label called MY.KEY with the DALDKYL text unit.

Data set   User ID   JESJOBS                          FACILITY                 CSFKEYS
DYNOUT     USER1     ENCRYPT.POK.USER1.EJ4.DYNOUT     JES.ENCRYPT.OWNER        MY.KEY
SYSPRINT   USER1     ENCRYPT.POK.USER1.EJ4.SYSPRINT   N/A                      DEFAULT
ENCOUT     USER1     ENCRYPT.POK.USER1.EJ4.ENCOUT     JES.ENCRYPT.OWNER        MY.KEY
ENCIN      USER1     N/A                              N/A                      MY.KEY
SYSIN      USER1     N/A                              N/A                      DEFAULT

Table 9. EJ4 was submitted on node RCH by USER1, USER=USER2 was specified on the JOB card, and USER1 has surrogate authority to submit jobs on behalf of USER2.

Data set   User ID   JESJOBS                          FACILITY                 CSFKEYS
SYSPRINT   USER2     ENCRYPT.POK.USER2.EJ4.SYSPRINT   N/A                      DEFAULT
ENCOUT     USER2     ENCRYPT.POK.USER2.EJ4.ENCOUT     JES.ENCRYPT.OWNER        MY.KEY
ENCIN      USER2     N/A                              N/A                      MY.KEY
SYSIN      USER2     N/A                              N/A                      DEFAULT

SYSOUT processing

The following tables cover usage of JESJOBS and FACILITY profiles during OUTPUT and PRINT processing. Unless SYSOUT is routed to a different node, key labels have already been assigned to all data sets by this point, so only CSFKEYS checks are performed.

Table 10. USER2 examines the output created by EJ4 by typing S next to EJ4 on the ST panel in SDSF.

Data set   User ID   JESJOBS                          FACILITY                 CSFKEYS
SYSPRINT   USER2     N/A                              N/A                      DEFAULT
ENCOUT     USER2     N/A                              N/A                      MY.KEY
ENCIN      USER2     N/A                              N/A                      MY.KEY
SYSIN      USER2     N/A                              N/A                      DEFAULT

Table 11. An application running under the authority of USER3 reads all SPOOL data associated with EJ4 using the SPOOL browse interface.

Data set   User ID   JESJOBS                          FACILITY                 CSFKEYS
SYSPRINT   USER3     N/A                              N/A                      DEFAULT
ENCOUT     USER3     N/A                              N/A                      MY.KEY
ENCIN      USER3     N/A                              N/A                      MY.KEY
SYSIN      USER3     N/A                              N/A                      DEFAULT

Table 12. The output created by EJ4 is printed on a JES printer.

Data set   User ID   JESJOBS                          FACILITY                 CSFKEYS
SYSPRINT   JESID     N/A                              N/A                      DEFAULT
ENCOUT     JESID     N/A                              N/A                      MY.KEY
ENCIN      N/A       N/A                              N/A                      N/A
SYSIN      N/A       N/A                              N/A                      N/A

Table 13. The output created by EJ4 is printed by an FSS printer.

Data set   User ID   JESJOBS                          FACILITY                 CSFKEYS
SYSPRINT   FSSID     N/A                              N/A                      DEFAULT
ENCOUT     FSSID     N/A                              N/A                      MY.KEY
ENCIN      N/A       N/A                              N/A                      N/A
SYSIN      N/A       N/A                              N/A                      N/A

Table 14. EJ4 executes on node RCH and the output is routed to node POK. The following checks are performed before the SYSOUT is transmitted to node POK.

Data set   User ID   JESJOBS                          FACILITY                 CSFKEYS
SYSPRINT   JESID     N/A                              N/A                      DEFAULT
ENCOUT     JESID     N/A                              N/A                      MY.KEY
ENCIN      N/A       N/A                              N/A                      N/A
SYSIN      N/A       N/A                              N/A                      N/A

Table 15. EJ4 executes on node RCH and the output is routed to node CAT through node POK (store and forward). Assume that an ENCRYPT.*.*.*.JESJCLIN profile exists that associates the key label TRANSIT with jobs and output that are being stored and forwarded.

Data set   User ID   JESJOBS                          FACILITY                 CSFKEYS
JESJCLIN   JESID     ENCRYPT.POK.JESID.EJ4.JESJCLIN   N/A                      TRANSIT

Table 16. EJ4 executes on node RCH and the output is routed to node CAT. The following checks are performed when the SYSOUT is received on node CAT. Note that JES output data sets are eligible for encryption when received over NJE, and that SYSIN data sets are not sent over NJE.

Data set   User ID   JESJOBS                          FACILITY                 CSFKEYS
JESMSGLG   JESID     ENCRYPT.POK.JESID.CAT.JESMSGLG   N/A                      DEFAULT
JESJCL     JESID     ENCRYPT.POK.JESID.CAT.JESJCL     N/A                      DEFAULT
JESYSMSG   JESID     ENCRYPT.POK.JESID.CAT.JESYSMSG   N/A                      DEFAULT
EVENTLOG   JESID     JESID.CAT.EVENTLOG               N/A                      DEFAULT
SYSPRINT   JESID     ENCRYPT.POK.JESID.CAT.SYSPRINT   N/A                      DEFAULT
ENCOUT     JESID     ENCRYPT.POK.JESID.CAT.ENCOUT     N/A                      DEFAULT