IBM Support

How are SMS STGADMIN FACILITY class profiles used for encrypted extended format, PDSE, basic and large format (PS) data sets?

Question & Answer


Question

How do the STGADMIN facility class profiles and granular keywords get checked when requesting encryption?

Cause

At the system level, encryption is automatically enabled for Extended format (VSAM and non-VSAM) and non-extended format ZFS when a key label is assigned.

For basic, large format and PDSE data sets, these RACF profiles must be defined for encryption to be enabled:
   STGADMIN.SMS.ALLOW.DATASET.SEQ.ENCRYPT
   STGADMIN.SMS.ALLOW.PDSE.ENCRYPT

When the RACF profile STGADMIN.SMS.ALLOW.DATASET.SEQ.ENCRYPT (basic and large format) or STGADMIN.SMS.ALLOW.PDSE.ENCRYPT (PDSE) exists, that indicates encryption is enabled for those data set types.  The authority (UACC or access list) is NOT verified.  SMS is simply verifying the existence of these profile names.

For all data set types, SMS checks these RACF profiles to decide whether encryption is allowed when a key label is specified:
   STGADMIN.SMS.ALLOW.DATASET.ENCRYPT
   STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC

In addition, the following parameters can be specified in the DFP segment of a RACF DATASET profile to determine encryption eligibility at the data set level:

ENCRYPTTYPES:  Specifies which data set types (basic and large format sequential, and PDSE) are eligible for data set encryption, or are excluded from it, for data sets covered by this profile. Either ALL is specified, or each data set type is given with one of three possible prefixes:

   ALL: All the supported data set types (PDSE and SEQ) covered by this profile are eligible for data set encryption.
   INxxx: Include the type for encryption.
   EXxxx: Exclude the type from encryption.
   NOxxx: Removes the IN and EX settings for that type. This is the default behavior.
   Where xxx = SEQ or PDSE. For example, ENCRYPTTYPES(INSEQ).

NOENCRYPTTYPES:  Removes all settings. SMS determines whether new data sets covered by this profile are eligible for encryption.

Answer

When the data set is extended format (VSAM and non-VSAM) or non-extended format zFS:

  1. When a data set key label is specified on the RACF DFP segment, SMS attempts to create an encrypted data set and message IGD17150I is issued if successful.
  2. When a data set key label is specified from other sources (JCL, dynamic allocation, IDCAMS DEFINE, or data class), and STGADMIN.SMS.ALLOW.DATASET.ENCRYPT or a generic profile (such as STGADMIN.SMS.**) that would cover STGADMIN.SMS.ALLOW.DATASET.ENCRYPT is defined *AND* the UACC is READ or the user has at least READ access to this resource, then SMS attempts to create an encrypted data set and message IGD17150I is issued if successful.
  3. Otherwise, the data set define fails. Message IGD17155I is issued.

When the data set is PDSE, basic or large format:

SMS checks whether these data set types are eligible for encryption at data set level before checking the same thing at system level.

If INSEQ (basic and large format) or INPDSE (PDSE) is specified in the RACF DFP segment, data sets of that type covered by this data set profile are eligible for encryption:

  a. When a data set key label is also specified on the RACF DFP segment, SMS attempts to create an encrypted data set and message IGD17150I is issued if successful.
  b. When a data set key label is specified from other sources (JCL, dynamic allocation, IDCAMS DEFINE, or data class), and STGADMIN.SMS.ALLOW.DATASET.ENCRYPT or a generic profile (such as STGADMIN.SMS.**) that would cover STGADMIN.SMS.ALLOW.DATASET.ENCRYPT is defined *AND* the UACC is READ or the user has at least READ access to this resource, then SMS attempts to create an encrypted data set and message IGD17150I is issued if successful.
  c. Otherwise, the data set define fails. Message IGD17155I is issued.

If EXSEQ (basic and large format) or EXPDSE (PDSE) is specified in the RACF DFP segment, data sets of that type covered by this data set profile are not eligible for encryption:

  a. SMS attempts to create a non-encrypted data set and message IGD17156I is issued if successful.

If NOSEQ (basic and large format) or NOPDSE (PDSE) is specified, NOENCRYPTTYPES is specified, or neither keyword is present in the DFP segment, SMS checks at the system level to determine whether these data set types are eligible for encryption:

  1. If STGADMIN.SMS.ALLOW.DATASET.SEQ.ENCRYPT (for basic and large format) OR STGADMIN.SMS.ALLOW.PDSE.ENCRYPT (for PDSE) exists, these data set types are eligible for encryption:
     a. If a data set key label is also specified on the RACF DFP segment, SMS attempts to create an encrypted data set and message IGD17150I is issued if successful.
     b. If a data set key label is specified from other sources (JCL, dynamic allocation, IDCAMS DEFINE, or data class), and STGADMIN.SMS.ALLOW.DATASET.ENCRYPT or a generic profile (such as STGADMIN.SMS.**) that would cover STGADMIN.SMS.ALLOW.DATASET.ENCRYPT is defined *AND* the UACC is READ or the user has at least READ access, then SMS attempts to create an encrypted data set and message IGD17150I is issued if successful.
     c. Otherwise, the data set define fails. Message IGD17155I is issued.
  2. If STGADMIN.SMS.ALLOW.DATASET.SEQ.ENCRYPT (for basic and large format) OR STGADMIN.SMS.ALLOW.PDSE.ENCRYPT (for PDSE) does NOT exist, these data set types are NOT eligible for encryption:
     a. If a key label is specified from the RACF DFP segment, JCL, data class, IDCAMS DEFINE or dynamic allocation, then if the user has READ access to STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC or a generic profile (such as STGADMIN.SMS.**) that would cover STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC is defined, the data set define fails.  IGD17151I and IGD17157I are issued.
     b. Otherwise, the data set is defined as unencrypted. IGD17156I is issued.
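The decision sequence above (the data-set-level ENCRYPTTYPES check, then the system-level profile checks, then the key-label source check), as an added worked example that is not IBM code and not part of the original page: a Python model that applies the checks in the order the answer lists them and returns the outcome together with the IGD message the page associates with that path. It also covers the ENCRYPTTYPES keywords described under Cause. Assumptions of the model, not statements from the page: the FACILITY class is given as a dictionary of profile name to the user's effective access (UACC or access list, whichever applies); the existence check for the SEQ/PDSE enabling profiles is satisfied by a covering generic profile as well as a discrete one; RACF generic matching is simplified to a trailing `.**`; and the STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC condition is modelled as READ access through whichever defined profile covers it.

```python
"""Constructed model of the SMS data set encryption decision (not IBM code).

The function decide() encodes the checks in the order the support answer
lists them and returns the outcome plus the IGD messages named for it.
"""
from dataclasses import dataclass
from typing import Optional

ALLOW_SEQ = "STGADMIN.SMS.ALLOW.DATASET.SEQ.ENCRYPT"
ALLOW_PDSE = "STGADMIN.SMS.ALLOW.PDSE.ENCRYPT"
ALLOW_ENCRYPT = "STGADMIN.SMS.ALLOW.DATASET.ENCRYPT"
FAIL_INVALID = "STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC"

# RACF access levels from lowest to highest; NONE means no access.
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass(frozen=True)
class Outcome:
    encrypted: bool      # True when SMS creates an encrypted data set
    define_fails: bool   # True when the define is rejected
    messages: tuple      # IGD messages the page associates with this path


def profile_covers(profile: str, resource: str) -> bool:
    """Simplified generic matching (assumption): an exact name matches, a
    trailing '.**' matches any further qualifiers, '**' matches everything.
    Other RACF wildcard forms are deliberately not modelled."""
    if profile == resource or profile == "**":
        return True
    if profile.endswith(".**"):
        return resource.startswith(profile[:-2])   # keeps the trailing dot
    return False


def covering_profile(resource: str, facility: dict) -> Optional[str]:
    """Most specific defined FACILITY profile covering the resource.
    `facility` maps profile name -> the user's effective access, e.g.
    {"STGADMIN.SMS.**": "READ"}. A discrete profile beats a generic one."""
    matches = [p for p in facility if profile_covers(p, resource)]
    return max(matches, key=len) if matches else None


def has_read(resource: str, facility: dict) -> bool:
    """At least READ through the covering profile (UACC or access list)."""
    p = covering_profile(resource, facility)
    return p is not None and ACCESS_RANK[facility[p]] >= ACCESS_RANK["READ"]


def key_label_path(key_source: str, facility: dict) -> Outcome:
    """Shared tail: the type is eligible and a key label was supplied."""
    if key_source == "DFP":            # key label on the RACF DFP segment
        return Outcome(True, False, ("IGD17150I",))
    # JCL, dynamic allocation, IDCAMS DEFINE or data class: at least READ on
    # STGADMIN.SMS.ALLOW.DATASET.ENCRYPT (or a covering generic) is required.
    if has_read(ALLOW_ENCRYPT, facility):
        return Outcome(True, False, ("IGD17150I",))
    return Outcome(False, True, ("IGD17155I",))


def decide(ds_type: str, key_source: Optional[str], encrypttypes: frozenset,
           facility: dict) -> Outcome:
    """ds_type: 'EF' (extended format VSAM/non-VSAM), 'ZFS' (non-extended
    format zFS), 'SEQ' (basic/large format) or 'PDSE'.
    key_source: None, 'DFP' or 'OTHER'.
    encrypttypes: ENCRYPTTYPES keywords of the covering DATASET profile's DFP
    segment; pass an empty set for NOxxx, NOENCRYPTTYPES or omitted."""
    if key_source is None:
        # No key label: nothing to decide and the page names no message.
        return Outcome(False, False, ())
    if ds_type in ("EF", "ZFS"):
        return key_label_path(key_source, facility)

    # PDSE, basic and large format: data set level first, then system level.
    if "ALL" in encrypttypes or f"IN{ds_type}" in encrypttypes:
        return key_label_path(key_source, facility)
    if f"EX{ds_type}" in encrypttypes:
        return Outcome(False, False, ("IGD17156I",))

    # System level: only the EXISTENCE of the enabling profile matters; its
    # UACC and access list are not consulted (assumption: a covering generic
    # also counts as existence).
    enabling = ALLOW_SEQ if ds_type == "SEQ" else ALLOW_PDSE
    if covering_profile(enabling, facility) is not None:
        return key_label_path(key_source, facility)

    # Type not eligible but a key label was given.
    if has_read(FAIL_INVALID, facility):
        return Outcome(False, True, ("IGD17151I", "IGD17157I"))
    return Outcome(False, False, ("IGD17156I",))


if __name__ == "__main__":
    # Constructed setup: SEQ enabled system-wide with UACC(NONE), and
    # READ on STGADMIN.SMS.ALLOW.DATASET.ENCRYPT for key labels from JCL.
    fac = {ALLOW_SEQ: "NONE", ALLOW_ENCRYPT: "READ"}
    print("SEQ, JCL key label :", decide("SEQ", "OTHER", frozenset(), fac))
    print("PDSE, JCL key label:", decide("PDSE", "OTHER", frozenset(), fac))
```

The first printed case is the point the Cause section stresses: STGADMIN.SMS.ALLOW.DATASET.SEQ.ENCRYPT enables encryption for sequential data sets even with UACC(NONE), because only its existence is checked, whereas the same request for a PDSE falls through to the "not eligible" branch and produces an unencrypted data set (IGD17156I) unless the user holds READ on STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC, in which case the define fails. When reviewing an installation, compare the defined FACILITY profiles and their UACCs against the intended policy with this order of checks in mind rather than assuming UACC(NONE) on the enabling profiles disables anything.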
 

Message Descriptions:

IGD17150I

IGD17151I

IGD17155I

IGD17156I

IGD17157I

 


Document Information

Modified date:
03 October 2025

UID

ibm17246726