IBM Support

IBM zSecure provides support for granular data set encryption

News


Abstract

RACF now includes support for granular data set encryption in z/OS 2.5 and 3.1 (APAR OA66305). zSecure 2.5 and 3.1 are now also enhanced to support the following new ENCRYPTTYPES parameters:

[ENCRYPTTYPES(ALL | [INTAPE | EXTAPE | NOTAPE] [INPDSE | EXPDSE | NOPDSE] [INSEQ | EXSEQ | NOSEQ]) | NOENCRYPTTYPES]

Content

The documentation updates listed below were made in support of this enhancement.
Note: These updates will be included in the available zSecure 3.1 documentation at a later time.
  • zSecure Admin and Audit User Reference Manual - Section "Application segments" (under RA.D DATASET - Data set profiles)
    A new row was added to the table "Overview and detail fields included for the DFP segment":

    Overview field   | Detail field | Explanation
    Enc types policy | DFP EncTypes | The encryption policies for new TAPE, PDSE, and Sequential data sets.
  • zSecure CARLa SELECT/LIST Fields - Section: "RACF field descriptions"
    The following RACF field was added:
    ENCTYPES, ENCRYPTTYPES
    This field in the DFP segment determines the data set encryption policy for eligible data sets that the DATASET profile covers. It indicates whether a data set type is to be included or excluded from encryption when covered by the profile. The supported data set types are TAPE, PDSE, and sequential basic and large format (SEQ).
    The ENCTYPES value for selection can be ALL or up to three data set types that are preceded by the desired encryption behavior:
    • ALL (with or without quotes): All the supported data set types that this profile covers are eligible for data set encryption (TAPE, PDSE, and SEQ).
    • "encryptTAPE encryptPDSE encryptSEQ" (within quotes), where encrypt is either IN, EX, or NO:
      • IN – Include the data set type for encryption.
      • EX – Exclude the data set type from encryption.
      • NO – When determining encryption eligibility, ENCTYPES is not considered for this data set type. This is the default behavior.
    "INTAPE INPDSE INSEQ" is the same as ALL. The data set types must be specified in this order but any data set types can be skipped.
  • zSecure Command Verifier User Guide - "Policy profiles for DFP segment management"
    C4R.DATASET.ENCRYPTTYPES.profile was added:

    Overview field | Value | Profile
    ENCRYPTTYPES   | N/A   | C4R.DATASET.DFP.ENCRYPTTYPES.profile

    This policy profile describes the authorization to set the ENCRYPTTYPES for the data set profile. The specified value is the encryption type on the RACF ADDSD and ALTDSD commands. It specifies the data set types that are eligible for data set encryption, or are excluded from data set encryption. Command Verifier supports the following access levels to the policy profile:
    • No profile found - This control is not implemented.
    • NONE - The terminal user is not authorized to specify or remove the ENCRYPTTYPES. The command is rejected.
    • READ - Same as NONE.
    • UPDATE - The terminal user is authorized to specify or remove the ENCRYPTTYPES.
    • CONTROL - Same as UPDATE.

  • zSecure Messages Guide - "CKR messages" (CARLa engine) and "C4R messages" (zSecure Command Verifier)
    Messages CKR3379 and C4R778E were added:
    CKR3379   ENCTYPES value must be ALL or up to three data set types separated by blanks - value at source
    Explanation: The value that you specified for ENCTYPES does not match the field type that the program expects. The following lists the possible options for selection:
    • ALL (with or without quotes): All the supported data set types that this profile covers are eligible for data set encryption (TAPE, PDSE, and SEQ).
    • "encryptTAPE encryptPDSE encryptSEQ" (within quotes), where encrypt is either IN (include), EX (exclude), or NO (ENCTYPES is not considered). "INTAPE INPDSE INSEQ" is the same as ALL. The data set types must be specified in this order but any data set types can be skipped.

    User response: Select and apply an appropriate value for the field.
    Severity: 12

    C4R778E   Not allowed to set ENCRYPTTYPES for DATASET profile dsname
    Explanation: You are not authorized to set or reset the ENCRYPTTYPES value in the DFP segment of the dsname data set profile. The profile is not changed.
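
The ENCTYPES selection rules described above (ALL, or up to three IN/EX/NO-prefixed types in the order TAPE, PDSE, SEQ) can be checked before a value is used in a query. The following is an added example, not code from IBM or zSecure; the function names are hypothetical, and accepting lowercase input and single quotes is an assumption.

```python
# Added example: validates an ENCTYPES selection value against the rules
# described on this page. Function and variable names are hypothetical.
TYPES = ("TAPE", "PDSE", "SEQ")          # required order of data set types
BEHAVIOURS = {"IN": "include", "EX": "exclude", "NO": "not considered"}


def parse_enctypes(value):
    """Return {type: behaviour} for an ENCTYPES value or raise ValueError."""
    text = value.strip()
    # ALL may be written with or without quotes; other values are quoted.
    # Assumption: either quote character is accepted here.
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "\"'":
        text = text[1:-1]
    tokens = text.upper().split()        # assumption: case-insensitive input
    if tokens == ["ALL"]:
        return {t: "include" for t in TYPES}
    if not 1 <= len(tokens) <= len(TYPES):
        raise ValueError("ENCTYPES must be ALL or up to three data set types")
    policy = {t: "not considered" for t in TYPES}   # NO is the default
    next_pos = 0                         # earliest type position still allowed
    for tok in tokens:
        prefix, dstype = tok[:2], tok[2:]
        if prefix not in BEHAVIOURS or dstype not in TYPES:
            raise ValueError(f"unknown ENCTYPES token: {tok}")
        pos = TYPES.index(dstype)
        if pos < next_pos:
            raise ValueError(f"{tok} is out of order or repeated")
        policy[dstype] = BEHAVIOURS[prefix]
        next_pos = pos + 1
    return policy


def same_as_all(value):
    """True when the value makes every supported type eligible, like ALL."""
    return all(b == "include" for b in parse_enctypes(value).values())
```

A skipped type resolves to "not considered", so a value such as "EXTAPE INSEQ" leaves PDSE eligibility to be decided without ENCTYPES.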


Document Information

Modified date: 06 March 2025

UID: ibm17182342