Using Your Security System › Security Profiles › How the Security System Determines Eligible Data Sets

How the Security System Determines Eligible Data Sets

The security system is queried to determine that a data set is eligible for encryption because the following conditions are satisfied:

• The data set is defined in the CA@BES resource class and prefixed by DSN.
• A valid encryption parameter is defined in the APPLDATA field or the data set selection profile.
  • For IBM Security Server RACF this is defined on the APPLDATA field of the RDEFINE command.
  • For CA Top Secret, this field is APPLDATA on the PERMIT command.
  • For CA ACF2 this field is $USERDATA on the key set.

The data in this field tells CA Tape Encryption which encryption key to use, and the field will be parsed for validity. If the specific dataset profile encryption key is missing or invalid, CA Tape Encryption attempts to extract the encryption key from the BES.DEFAULT profile. If the BES.DEFAULT profile does not contain a valid encryption parameter, DFSMS will be used to determine if the data set is eligible for encryption.

The field name and the length of the field where the data is stored depends on the security system you use. The data field includes the following information that CA Tape Encryption recognizes:

• The data field must include a CA Tape Encryption parameter, in the form of ('BES=(string_value)') or ('BESn=(string_value)').
• You can include additional text before or after the BES= or BESn= parameter.
• For CA Top Secret and IBM Security Server RACF the APPLDATA field can contain up to 120 alphanumeric and special characters. For CA ACF2, the $USERDATA field can contain up to 64 alphanumeric and special characters and should not be enclosed within apostrophes. If you enter lowercase characters, they are converted to uppercase. No commas or embedded blanks are allowed.

  Note: Except for the restrictions described here, the information in the data field is the same as the data class character string values specified in the DFSMS data class definition field when tape encryption processing is under the control of DFSMS.

  If CA Tape Encryption cannot verify that the data set is eligible for processing by using the external security manager data set selection profiles, it attempts to use the DFSMS data class description field to process the data set.