CA Tape Encryption lets you use your external security manager, through the SAF Interface component of CA Tape Encryption, to provide greater control of the encryption process on z/OS. The implementation, resource definition, and control of the SAF Interface are performed dynamically and do not require a system outage.
By defining CA Tape Encryption resources to one of the supported external security managers (CA ACF2, CA Top Secret, or IBM Security Server RACF), you can give the z/OS security system exclusive control in determining whether a data set is eligible for encryption and how to encrypt the data. Another key feature of the SAF Interface is that it gives the security administrator the ability to protect CA Tape Encryption system commands, encryption key definitions, and utilities, and to control which users have permission to use these resources.
As the security administrator, you can create security profiles for this purpose using the supplied TBESAF99 utility, and import them into CA ACF2, CA Top Secret, and IBM Security Server RACF, or you can enter the profiles and rules directly into your security system. With these profiles you control data sets to be encrypted, who can manage and use encryption keys and code book information, and which CA Tape Encryption commands and utilities users can access. You can define these profiles directly in the control statement format of your security system or you can use the TBESAF99 utility to generate these control statements.
Note: TBESAF99 is a general-purpose utility that generates security profile models for command, key, and utility protection. After executing TBESAF99 and generating model statements, you need to perform additional edits on the control statements to permit users to resources or add data set selection profiles before updating your security system.
For sites that do not want to use DFSMS for data set selection or do not have an active DFSMS system, this security feature provides an alternative method for automatically selecting data sets to encrypt.
For detailed information about defining control statements for use with your security system and CA Tape Encryption, see the chapters “Defining Security Protection Profiles in IBM Security Server RACF,” “Defining Security Protection Profiles in CA Top Secret,” and “Defining Security Protection Profiles in CA ACF2.”
Copyright © 2011 CA. All rights reserved.