How You Define Protection Profiles to Your External Security Manager
You must define the CA Tape Encryption resources to your external security manager before you can use the security system to manage encryption. The following points outline the information you need to provide to the security system:
- For an IBM Security Server RACF system, you must define and activate the CA@BES resource class.
- For CA ACF2 and CA Top Secret users, the CA@BES resource class is automatically defined and activated when you have installed the required service. If you are running an older version of either system, contact the appropriate CA technical support group to obtain the maintenance required to provide this support.
- Define the security scope processing parameters for global and local definitions, and define your required security level of PROTECT or PERMIT.
- Define the data set encryption profiles for the data sets you want to encrypt. Each profile also specifies the type of encryption key to use for encrypting the data set.
- Specify command protection profiles to manage which CA Tape Encryption system commands are permitted for use by authorized users or protected from use by unauthorized users.
- Specify key protection profiles to manage which symmetric keys, digital certificates, and code books are permitted for use by authorized users or protected from use by unauthorized users. Key protection profiles protect both the encryption and decryption of a data set.
- Specify utility protection profiles to manage which CA Tape Encryption utilities are permitted for use by authorized users or the CA Vantage GMI product.
- Resource profiles defined to CA@BES or OPERCMDS are verified when they are used, not when they are defined.
- Specify application management protection profiles to manage which users are allowed to use the Option for Application Management.