Bypass Encryption using DONOTENCRYPT

Certain system data sets should never be encrypted, for example the CA Tape Encryption database or the z/OS operating system backups. To override automatic selection through BES.DEFAULT, or to guarantee that a data set is not encrypted (whether selection is done through CA Top Secret or DFSMS), define a CA@BES data set selection profile that carries the encryption parameter DONOTENCRYPT.

Use the following format to bypass encryption for a specific data set profile:

APPLDATA=('BESn=(DONOTENCRYPT)')

Example: Define a data set profile for encryption using CA Top Secret

This example uses the CA Top Secret command PERMIT to specify that only the specific data set SYS2.BACKUP.FILE is eligible for encryption on BES2, and that it uses the encryption key 3DES192_KEY. When permitting a data set, you must permit both the ACIDNAME specified when you defined the BES.TSS.ACID.acidname CA@BES control parameter and the ACID of the user submitting the job. In this example, we assume the defined acidnames are TSSACID and SYSTEMS respectively.

TSS PERMIT(TSSACID) CA@BES('SYS2.BACKUP.FILE')   +
    ACCESS(READ)   APPLDATA('BES2=(3DES192_KEY)')
TSS PERMIT(SYSTEMS) CA@BES('SYS2.BACKUP.FILE')   +
    ACCESS(READ)   APPLDATA('BES2=(3DES192_KEY)')

Example: Add an encryption key to a data set previously defined to CA Top Secret

This example first uses the CA Top Secret command ADDTO to place the BACKUP.B2B prefix under the SYSDEPT department, then uses the PERMIT command with the APPLDATA keyword to specify that all data sets whose names begin with BACKUP.B2B and that run on BES3 are eligible for encryption using code book BKUPBOOK with an encryption strength of AES256.

TSS ADDTO(SYSDEPT) CA@BES(BACKUP.B2B) UNDERCUT
TSS PERMIT(SYSTEMS) CA@BES(BACKUP.B2B) +
    ACCESS(READ) APPLDATA('BES3=(BOOK(BKUPBOOK).AES256)')

The maximum length of the data set selection profile on the PERMIT statement is 49 characters: the constant prefix “DSN.” plus an additional 44 characters, which may include the fully qualified data set name.

Note: The encryption data set selection process performs no security resource validation checks of its own. z/OS performs that validation automatically when the data set is opened.