Using CA Tape Encryption in Your z/OS Environment › Initial ICSF and Security System Updates

Initial ICSF and Security System Updates

You must update your security system to provide the following permissions for BES and ICSF resources:

• Control access to the PREFIX used for BES databases
• Update access to IRR.DIGTCERT.LISTRING is required if B2B tapes are to be created
• Read access to general resource classes CSFKEYS and CSFSERV

  Note: For more information about these classes, see the IBM ICSF Administrator's Guide, the IBM Security Server RACF Security Administrator's Guide, the CA ACF2 for z/OS Administrator Guide, and the CA Top Secret for z/OS User Guide.

• If you choose to save keys in the CKDS, update access to the ICSF CKDS is required

In addition, the following ICSF startup parameters should be defined if you choose to run ICSF or are required to run it:

• Configure ICSF with parameter SSM(YES) unless you are running in SecureKeysOnly mode.

  Note: For more information about ICSF and Special Secure Mode, see SecureKeysOnly and Special Secure Mode.

• CHECKAUTH(NO) is strongly recommended for improved performance

Note: Additional security system updates are required if you plan to perform B2B processing or if you plan to use the security system to manage encryption or to protect CA Tape Encryption commands, keys or utilities. For more information about the security system updates required for B2B processing, see the chapter “Using Digital Certificates.” For more information about using the security system to manage encryption and resource protection see the chapter “Using Your Security System for Tape Encryption and Resource Protection.”