Activate and Control the CA Tape Encryption SAF Interface for CA Top Secret
The SAF Interface is enabled or disabled at the global level for all BESn subsystems. You control the SAF Interface through the definition of the CA@BES resource profile BES.SECURITY. The control information that activates or inactivates the SAF Interface is stored in the APPLDATA field of the PERMIT command. The following steps outline the order of the CA Top Secret commands used to control the SAF Interface:
- ADDTO CA@BES the SAF Interface control profile: BES.SECURITY.
- PERMIT BES.SECURITY to the started task ACID of the BES subsystems with an access level of at least READ.
- Include an APPLDATA parameter that specifies the control option, either ACTIVE or INACTIVE, on the BES.SECURITY PERMIT command.
- Define the BES.TSS.ACID. For information about defining the BES.TSS.ACID, see The CA Tape Encryption Processing ACID.
- Issue an additional PERMIT command to the ACID on the BES.TSS.ACID including the same APPLDATA that was defined on the BES.SECURITY PERMIT command.
When ACTIVE is specified, the CA Tape Encryption SAF Interface controls CA Tape Encryption resources (key and utility protection) defined to CA@BES and OPERCMDS (command protection) and enables security data set selection.
Note: The absence of this parameter sets the SAF Interface to INACTIVE for all BES subsystems.
Consider the following points when defining the BES.SECURITY control profile:
- BES.SECURITY is a global parameter and will control the SAF Interface for all BES subsystems.
- BES.SECURITY must have an APPLDATA statement defined in the PERMIT statement. The PERMIT statement must grant READ access to the Started Task ACID assigned to the BES subsystem.
- The two valid APPLDATA entries that can be specified are: ACTIVE or INACTIVE.
- During initialization, the presence of an invalid or unsupported APPLDATA parameter will prevent the SAF Interface from being initialized.
- During RELOAD=SECURITY processing, the presence of an invalid or unsupported APPLDATA parameter will quiesce the SAF Interface.
- During INITIALIZATION or RELOAD=SECURITY processing, if the BES.SECURITY profile cannot be extracted or if the APPLDATA contains an invalid control parameter, CA Tape Encryption will default to a global PERMIT resource protection level (no resources are protected) and security data set selection will be disabled.
Note: In the sample statements presented, + indicates a CA Top Secret continuation character.
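The considerations above mean that a missing or misspelled APPLDATA value leaves the SAF Interface inactive or, per the last point, with no resources protected. The following Python lint is an added example, not part of the CA documentation; it checks a command deck for those conditions before the commands are issued. The `TSS KEYWORD(value)` layout of the sample commands, the use of the CA@BES class for BES.TSS.ACID, and the ACID names BESSTC and SECDEPT are assumptions, and flagging a PERMIT with no ACCESS keyword is this lint's own policy.

```python
import re

VALID = {"ACTIVE", "INACTIVE"}   # the only APPLDATA values the page allows
RESOURCES = ("BES.SECURITY", "BES.TSS.ACID")
PAIR = re.compile(r"([A-Za-z@#$]+)\(([^)]*)\)")   # KEYWORD(value); assumed syntax

def commands(deck):
    """Join lines ending in '+' (the continuation character) into commands."""
    out, buf = [], ""
    for line in deck.splitlines():
        line = line.strip()
        if line.endswith("+"):
            buf += line[:-1].strip() + " "
        elif line:
            out.append(buf + line)
            buf = ""
    return out

def lint(deck, stc_acid):
    """Return a list of findings; an empty list means the deck passes."""
    findings, seen = [], {}
    for cmd in commands(deck):
        kv = {k.upper(): v.strip().strip("'") for k, v in PAIR.findall(cmd)}
        res = kv.get("CA@BES")
        if "PERMIT" not in kv or res not in RESOURCES:
            continue
        if res == "BES.SECURITY":
            if kv["PERMIT"] != stc_acid:
                continue   # only the started task ACID's PERMIT counts here
            if kv.get("ACCESS", "NONE").upper() == "NONE":   # lint policy
                findings.append("BES.SECURITY: no READ access for started task ACID")
        value = kv.get("APPLDATA")
        seen[res] = value
        if value not in VALID:   # missing -> INACTIVE; invalid -> nothing protected
            findings.append(f"{res}: APPLDATA {value!r} is not ACTIVE or INACTIVE")
    findings += [f"{r}: no matching PERMIT in deck" for r in RESOURCES if r not in seen]
    if len(seen) == 2 and seen["BES.SECURITY"] != seen["BES.TSS.ACID"]:
        findings.append("APPLDATA differs between BES.SECURITY and BES.TSS.ACID")
    return findings

# Constructed sample decks; the ACID names BESSTC and SECDEPT are made up.
GOOD = """TSS ADDTO(SECDEPT) CA@BES(BES.SECURITY)
TSS PERMIT(BESSTC) CA@BES(BES.SECURITY) +
    ACCESS(READ) APPLDATA('ACTIVE')
TSS PERMIT(BESSTC) CA@BES(BES.TSS.ACID) +
    ACCESS(READ) APPLDATA('ACTIVE')"""
BAD = GOOD.replace("'ACTIVE'", "'ACTVE'", 1)   # typo on the BES.SECURITY PERMIT

if __name__ == "__main__":
    for name, deck in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint(deck, "BESSTC") or "ok")
```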