Data Set Definitions

If the SAF Interface has been enabled from the BES.SECURITY processing parameter, CA Tape Encryption will interrogate the CA@BES resource class to determine whether a data set should be encrypted based upon CA ACF2 profiles. If a matching data set profile is found, the accompanying $USERDATA field is edited to determine whether it is valid. If all of the edits are performed successfully, the data set is selected for encryption. If a matching data set selection profile is not found, CA Tape Encryption will check CA@BES to see if a default data set selection profile, BES.DEFAULT, has been defined. If so, the data set is encrypted using the default encryption parameter.

Data set selection profiles are defined to the CA@BES resource class and are prefixed with the constant “DSN.” (the letters DSN followed by a period '.'). Following the prefix constant, you can be as specific or as generic as you like about the actual data set name. However, when defining generic profiles, you should pad the $KEY name with trailing asterisks to a maximum of 40 characters. This ensures that a matching generic profile is located during the data set selection process.

The maximum length of the data set definition profile is 40 characters; the prefix constant of “DSN.” plus an additional 36-character data set name.
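
The lookup order and the padding rule described above, as an added Python model (not CA Tape Encryption code and not taken from the product). It assumes that an asterisk in $KEY matches one character, or nothing past the end of the name, and that the matching profile with the fewest asterisks wins; the function names and the sample key names PAYKEY and DEFKEY are hypothetical, and the $USERDATA edits are not modeled.

```python
# Added illustration: a model of the CA@BES profile lookup, not CA Tape Encryption code.
PREFIX = "DSN."                  # prefix constant for data set selection profiles
MAX_KEY = 40                     # maximum profile length: "DSN." + 36 characters
DEFAULT_PROFILE = "BES.DEFAULT"  # default data set selection profile

def make_generic_key(dsn_prefix):
    """Build a generic $KEY padded with trailing asterisks to 40 characters."""
    key = PREFIX + dsn_prefix.upper()
    if len(key) > MAX_KEY:
        raise ValueError(f"{key!r} is longer than {MAX_KEY} characters")
    return key.ljust(MAX_KEY, "*")

def key_matches(key, resource):
    """Assumed mask rule: '*' matches one character, or nothing past the end of the name."""
    if len(resource) > len(key):
        return False             # the name extends beyond the mask
    for pos, mask_char in enumerate(key):
        if mask_char == "*":
            continue
        if pos >= len(resource) or resource[pos] != mask_char:
            return False
    return True

def select_profile(dsname, profiles, saf_enabled=True):
    """Return (profile, $USERDATA) used for dsname, or None if it is not selected.

    profiles maps $KEY -> $USERDATA. The $USERDATA edits are not modeled.
    """
    if not saf_enabled:
        return None
    resource = PREFIX + dsname.upper()
    hits = [k for k in profiles if k.startswith(PREFIX) and key_matches(k, resource)]
    if hits:
        best = min(hits, key=lambda k: k.count("*"))  # assumption: most specific wins
        return best, profiles[best]
    if DEFAULT_PROFILE in profiles:
        return DEFAULT_PROFILE, profiles[DEFAULT_PROFILE]
    return None

if __name__ == "__main__":
    # Constructed sample profiles; the key names are hypothetical.
    padded = make_generic_key("PAYROLL.")
    for rules in ({"DSN.PAYROLL.*": "PAYKEY", DEFAULT_PROFILE: "DEFKEY"},
                  {padded: "PAYKEY", DEFAULT_PROFILE: "DEFKEY"}):
        print(select_profile("PAYROLL.BACKUP.G0001V00", rules))
```

Under these assumptions the unpadded profile DSN.PAYROLL.* does not match PAYROLL.BACKUP.G0001V00, so the data set falls through to BES.DEFAULT, while the padded profile selects it.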

If you use extended rule sets, you must define the CA@BES data set resources by using the NEXTKEY field: specify UID(-) PREVENT, and include the encryption key name in the $USERDATA field of the following “NEXTKEY” key set.

Note: The encryption data set selection process does not perform security resource validation checks. These checks are performed automatically by z/OS during the data set open process. Therefore, the rule set associated with the data set selection profile should use “UID(-) ALLOW” to differentiate between standard and extended CA ACF2 rule definitions.